Retrofitting a plant for the cyber age can bring cybersecurity risks

When plant equipment lags behind digital-age tech, a retrofit may be in order – but the resulting cybersecurity risks should not be ignored, experts warn.

“When you talk about retrofitting, that usually implies that you’re going to maintain some of the existing equipment,” explains Steve Mustard, an internationally-known industrial cybersecurity expert and author of Mission Critical Operations Primer. “There are good reasons for that – usually it’s expensive and risky to swap everything out. But much of that equipment may have been designed before anyone worried about cybersecurity. You end up in a situation where you are vulnerable to a cyber incident because you’ve got holes in the system created by the legacy equipment.”

Writing for automation.com in May 2018, Robin Whitehead of Boulting Technology points to two specific areas of vulnerability: motor control centres (MCCs) and programmable logic controllers (PLCs). Many of these systems were installed at a time when plants were not connected to the outside world via the internet. Since they had no reach beyond the plant or factory, there was little reason to worry about the risk of getting hacked.

Hooking up IP-enabled devices to these systems can be a recipe for disaster if adequate protections aren’t put in place. The research agency Gartner predicts that Internet of Things (IoT) connections will account for 20% of all enterprise security attacks by 2050. “It is safe to assume that many of these attacks will use weak points such as improperly secured MCCs and PLCs to gain network access,” Whitehead writes.

The weak point isn’t just in the legacy systems. Newer, IP-enabled devices are often rushed to market without potential security vulnerabilities being addressed. Such cybersecurity risks are especially acute in the manufacturing sector, Mustard says.

“The equipment going in isn’t nearly as secure as its counterparts in IT or banking might be. A banking system is designed to protect financial transactions and make sure that people don’t get access to things they shouldn’t have access to. A lot of work goes into making these systems secure. In the production world, you’re more concerned about the availability and operation of the system.”

How should plant managers address the risk? For starters, Mustard says, cyber awareness must become more of a priority than it has been up to this point. They should push for purchasing equipment that has cybersecurity protection baked in by design, and check rigorously to make sure no vulnerabilities are created by hooking up new and legacy systems. 

“I would recommend looking at the architecture of the communications network that you have, identifying the holes that are there, and determining how to plug them,” he says. “Minimizing unnecessary connections can be important. It’s very common these days, with the rise of internet-based communications, to want everything, everywhere to be connected all the time. That’s great from one point of view: it’s useful, for instance, to be able to access data via your phone. The downside is that if the data is on your phone, it could be on someone else’s system as a result.”

It’s also crucial to keep abreast of updates and patches issued by vendors, and watch for obvious – yet still common – blunders like easy-to-guess passwords, responsible for more than one high-profile security breach.

Beyond these steps, managers should also implement active monitoring systems that will allow them to detect unusual behavior, such as people logging in from unusual locations or at unusual times. They should also have barriers in place that can minimize the impact should an attacker succeed in getting in.

“You don’t want to rely on a single barrier, like a firewall. You want to have other controls in place that are different – procedural controls, for instance. You want to have a variety of technologies that can detect, prevent or report someone getting access they aren’t supposed to,” Mustard says.

“And you can’t stop there,” he adds. “That’s the thing about security. There’s no single-bullet solution. Things change all the time, new vulnerabilities appear, and new attack methods. You have to keep adapting.”