Even before the COVID-19 pandemic started, global supply chains were experiencing growing pains as they adapted to meet the pressures of rising demand and a delivery system in need of an overhaul. Supply and demand issues during the pandemic revealed how fragile supply chains can be, particularly with the increased threat of cyberattacks.
Technologies such as embedded sensors, global positioning system (GPS) and radio frequency identification (RFID) have helped companies transform their existing traditional (a mix of paper-based and information technology [IT]-supported processes) supply chain structures into more agile, flexible, open and collaborative digital models. Digital transformation in supply chain management enables organizational flexibility and business process automation, and it accelerates innovation.
A digital supply chain provides visibility into the workings of the chain; it is the process of integrating and applying advanced digital technologies into supply chain operations, from procurement data and inventory management to transportation and distribution. Companies are layering more systems into their IT networks to support remote work, enhance the user experience and generate value, all of which creates potential new vulnerabilities.
Pumps & Systems Cyberattacks
Manufacturers of operational technology and industrial systems such as pumps, turbines, pressure regulating valves and tanks are vulnerable to cyberattacks both in their supply chains and at their manufacturing plants. What happens to a manufacturing business when its production operations suddenly grind to a halt? What are the consequences of being unable to satisfy market demand? In today’s business environment of increased automation, connectivity and globalization, even the most powerful organizations in the world are vulnerable to debilitating cyberthreats.
Many existing manufacturing systems were developed at a time when security was much less of an issue. The focus of manufacturing technology has traditionally been on performance and safety, not security. This has led to major security gaps in production systems. In addition, the growing complexity of these systems has resulted in large and elaborate network infrastructures that are extremely specialized, and in many cases the systems are operated and managed by manufacturing specialists rather than the IT function. Combined with the integration of IT and operations, these trends have created a system environment with a large attack surface that is difficult to manage and secure.
End users of connected operational devices are also exposed to cyberattack threats because IIoT-enabled technology is integrated with existing software and industrial control systems. For example, at a security conference, a presenter demonstrated an attack on industrial systems meant to drive home just how surreptitious the hacking of so-called cyber-physical systems (physical systems that can be manipulated by digital means) might be. With a laptop connected to a $50,000, 610-pound industrial pump, she showed how a hacker could leverage a hidden, destructive weapon on that massive machine: bubbles. Midway through her talk, she pointed to a pump system, roughly the size of a big rig truck’s engine, in front of the crowd. To that point, it had loudly cycled water through a series of transparent pipes.
Then she cued a “hacker” in a black hoodie on stage, who typed a command that sent a thick flow of bubbles through those pipes. A sensor on the pump registered that it was subtly vibrating, reducing its efficiency and slowly damaging it. In a matter of hours, she said, the bubbles would start to wear pits in the pump’s metal surfaces, and in days would wear down the impellers that push water through it, until it is rendered useless.
More importantly, the demonstration showed that the hacker delivered the bubbles without having any access to the pump component of her rig. Instead, he had only adjusted a valve further upstream to decrease the pressure in a certain chamber.
Companies have accelerated their digitalization strategies to continue operating and supporting their staff remotely during the pandemic. As more equipment becomes connected, they have become more dependent on third-party software and technology. This, in turn, has increased firms’ attack surface exposure and points of vulnerability.
A supply chain attack occurs when a company’s data is compromised via the hacking of a third-party supplier with legitimate access to its customers’ systems. Hackers can insert malicious code into trusted hardware or software at the source, compromising the data of its users, and their users, in an onward chain.
Remote Alarm Notification Software Offers Additional Security
The majority of vulnerabilities in technology and software can often be found in remote access to networks, insufficient security configurations, outdated firewalls, weak passwords and a lack of proper staff training. It is ironic that as manufacturing plants adopt more smart technologies to increase production and efficiencies, cyberattack risks escalate.
Coincidentally, turning to additional technology is one answer to this challenge.
Many supervisory control and data acquisition (SCADA) systems are simply over-exposed to the internet by remote desktop applications (e.g. RDP and TeamViewer). In an attempt to offer process and asset information to operators, organizations have provided much more, ignoring the principle of least privilege (POLP) and opening their entire control systems and their hosts to remote desktop access by unnecessary parties. Such broad remote access techniques present an increased security risk for companies.
Advanced remote alarm notification software allows remote operators access to only the information they need from SCADA but not access to the SCADA itself or its operating system host. Such notification software is compatible with more secure, layered networks in which a series of firewalls provide added protection.
This is done by deploying notification solutions alongside the SCADA system at the network’s control level and either using notification modalities that are not internet facing or distributing internet-facing notification processes to higher levels. For example, internal email servers, short message service (SMS) modems and voice via private branch exchange (PBX) devices allow communication with the outside world without internet exposure. Likewise, separating the processes that interface with SCADA from those that interface with external email servers, voice over internet protocol (VoIP) solutions and cloud apps allows internet-based notifications without compromising security.
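As an added illustration (not code from the article or from any notification product), the layered design above can be written as a check over firewall allow rules that flags, for review, remote desktop paths into the control level and control-level hosts that talk to the internet directly. The zone names, host names and rules are constructed assumptions; 3389 and 5938 are the default RDP and TeamViewer ports.

```python
# Added example: audit a constructed firewall rule set against the layered
# notification design. Zone names, hosts and rules are assumptions.
ZONE_LEVEL = {"control": 2, "plant_dmz": 3, "internet": 4}
REMOTE_DESKTOP_PORTS = {3389: "RDP", 5938: "TeamViewer"}

# Constructed sample allow rules: (source zone, host) -> (dest zone, host), port
RULES = [
    {"id": 1, "src": ("control", "alarm-notifier"), "dst": ("control", "mail-internal"), "port": 25},
    {"id": 2, "src": ("control", "alarm-notifier"), "dst": ("plant_dmz", "notify-relay"), "port": 8443},
    {"id": 3, "src": ("plant_dmz", "notify-relay"), "dst": ("internet", "any"), "port": 587},
    {"id": 4, "src": ("internet", "any"), "dst": ("control", "scada-host"), "port": 3389},
    {"id": 5, "src": ("plant_dmz", "vendor-jump"), "dst": ("control", "scada-host"), "port": 5938},
    {"id": 6, "src": ("control", "scada-host"), "dst": ("internet", "any"), "port": 443},
]


def audit(rules):
    """Return (rule id, reason) for every rule that breaks the layered model."""
    findings = []
    for r in rules:
        (src_zone, src_host), (dst_zone, dst_host) = r["src"], r["dst"]
        src_lvl, dst_lvl = ZONE_LEVEL[src_zone], ZONE_LEVEL[dst_zone]
        # Remote desktop reaching down into the control level exposes the SCADA host itself
        if dst_zone == "control" and src_lvl > dst_lvl and r["port"] in REMOTE_DESKTOP_PORTS:
            findings.append((r["id"], f"{REMOTE_DESKTOP_PORTS[r['port']]} from {src_zone} to {dst_host}"))
        # Internet-facing traffic must originate from a higher level, never the control level
        elif src_zone == "control" and dst_zone == "internet":
            findings.append((r["id"], f"{src_host} reaches internet directly"))
        # Anything crossing more than one level skips a firewall layer
        elif abs(src_lvl - dst_lvl) > 1:
            findings.append((r["id"], f"{src_zone} to {dst_zone} skips a layer"))
    return findings


if __name__ == "__main__":
    for rule_id, reason in audit(RULES):
        print(f"rule {rule_id}: {reason}")
```

Rules 1 to 3 model the compliant path: the notifier sits beside SCADA, reaches an internal mail server, and hands internet-bound messages to a relay one level up.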
Of course, there are valid cases for desktop sharing software that do not violate POLP and go well beyond operator access to process information. For such systems, it is critical that the remote desktop solutions be implemented with sound security.
There are several steps that manufacturers should take to improve their cybersecurity:
- Update software to the latest version.
- Deploy multifactor authentication.
- Use strong passwords to protect remote desktop protocol credentials.
- Ensure antivirus systems, spam filters and firewalls are up to date, properly configured and secure.
Manufacturers should also take steps to secure any remote access software. They should not use unattended access features, and IT leaders should configure the software such that the application and associated background services are stopped when not in use. Integrating the remote alarm notification software through the SCADA system is critical to further reducing cyberattacks.
Whether someone is a manufacturer of industrial systems or an end user of this equipment, supply chains’ connectivity and the threat of cyberattacks affect their business. Organizations across industries must take immediate steps to improve security and risk posture to prevent attacks on our supply chain, critical infrastructure and industrial systems.
The scope of the threat is growing, and no organization is immune. Companies must reinforce their defenses and understand the myriad technological tools that will help them combat the ever-growing cyberthreats.