Security level 1


Physical and logical password should be considered from the overall taxonomy and as part of one of the Digital Pathways, as Physical and Logical Access provisioning. Physical passwords here are types of authentication technologies and can be voice commands, fingerprints, or simple presence (by means of an electronic token that an operator carries). Logical passwords here are both pincodes, passphrases or even certificates or hash keys, that support the specific levels of security. Both are considering the mechanism of access control for security in this pathway.

Access control is a key component of security and cybersecurity to any system, being it a physical (gates, doors, equipment, ...) or logical (application, service, activity, ...) one.

Under this heading, the purpose is to clarify that access control should be mandatory for every system being operated in a manufacturing environment. Access control levels can be very low, by providing everybody access to an application on the factory floor. But at least it has considered that only people on the factory floor should be getting access. That physical constraint can be taken into account. This means that from a risk perspective, unaccompanied visitors or subcontractors without oversight could also get access to this system. 

By considering access control as a fundamental security mechanism, based upon a risk approach, controls can be further built in, relating back to the types of users, or moments of intervention. Least access principles should be applied, in order to only provide access after a specific given thought. For instance, the system can have a regular user (an operator), a floormanager or head of production (being capable to override a decision from an operator), a service engineer (maintainance) and an administrator. 

These roles should allow different levels of access to the systems and can be related to specific risks related to them, and to the overall risk consideration. Physical passwords can be considered into the application as additional means to identify the specfic roles. 

As an example, to enhance the security of an application in a manufacturing environment from Level 1 to Level 3, there will be administrator access needed to operate a specific machine or function, instead of simply pushing the button to power up a specific machine. This can be trivial, as a sawing machine that can only be used by an operator qualified to use it, up until ensuring only oversight happens when a maintenance engineer updates the machine via a usb-token and leaves additional malware on the machines. 

Malware is a broad term that describes a computer program (software) that was intentionally developed to cause damage to a computer system, mainly with the intention in financial gains - but more frequently to cause business interruptions, being held hostage or to simply steal information. 

For over two decades malwares have existed, specifically written to exploit vulnerabilities in computer systems, that can be used for personal gains. It is a form of cybercrime to use them, to break into someone else system. In most countries in the world, it is not a crime to develop malware - only to exploit it against someone else. 

Malwares exist in many different forms. What used to be viruses, that were sent generally via email in the past, have transformed into specifically engineered pieces of software for specific purposes - the most infamous one today being Stuxnet. For viruses, security software and firewalls have been equipped to detect them and quarantaine them before they can even be seen by the destination email address. But through phising attacks (emails with a malicious hyperlink - URL) or man in the middle attacks (website that have been compromised and redirect traffic) users are still being exposed to malware. 

Malware can also enter by means of USB-sticks, pieces of software that don't belong on an industrial control systems or manufacturing system (games, apps, ...) which can sometimes contain malware of pieces of them. 

Ransomware is a form of malware that typically starts encrypting data, once it has been activated. To decrypt a ransom has to be paid. Ransomware can be avoided by 1) frequently upgrading the underlying software to avoid exploitation of vulnerabilities, 2) isolating the industrial systems from office and other types of systems, 3) restricting access to the systems by means of physical and logical limitations.

APTs (Advanced Persistent Threats) usually are a combination of multiple attacks and threats, intended towards a specific target. APT's will combine the detection of vulnerabilities with the exploitation of malware and ransomware. APT's are typically being coordinated by nation state actors or organized crime. 

Digital Manufacturing Platforms should be concerned about the abuse of their platforms by malicious users, and should prevent by all means available man in the middle attacks or similar attacks where redirects of the platform end up on the download of malwares. By running the Digital Manufacturing Platforms in the cloud, additional security measures can be put in place specifically monitoring the activities of specific containers for unexpected calls or actions. Manufacturing companies should further give notice to the continuous protection of end point devices and active monitoring of network traffic on top of the detection of malicious activities. 

 

The process of recording activities happening on an IT system, including OT systems operated via IT. Monitoring and logging typically occurs on network level, where packages are being sent over TCP/IP (internet protocol) and captured at the edges, in the controlling entities (routers and gateways) or as an in-line device (such as a firewall, ids or ips). Network traffic typically records origin and destination IP address, the type of application, and contents. Some of the traffic could have been encrypted. 

Network traffic can be captured via a monitoring port on network devices. This results in the recording of all events that have been instructed to be logged. During the monitoring phase, this near real time data can be evaluated and analyzed. On the basis of the traffic patterns can be detected that allow the understanding of how applications (such as ransomware) arrives inside the organization or on how confidential data might leave the organization. 

Logging also happens on the device level, allowing to identify the activities taking place on the device (types of applications being used and identities of people accessing the devices). This allows to identify a user with a certain transaction, or allows better for the detection of data manipulation or data theft to take place. With Machine Learning techniques some behavioral actions on a network will be detected prior to the malicious action of theft or abuse taking place. On the basis of patterns and pattern recognition, actions and events which are being used by criminals can be detected and indicating that an incident is taking place. 

By utilising similar data from the outside, incidents happening in other locations, in other factories and companies can be recorded and similar patterns (signatures) can be signaled amongst trusted partners. This allows for preventative instructions inside the intrusion prevention systems, which will be able to block IP addresses, block users and applications. 

Finally the monitoring and logging is important for forensics. Once an incident has happened, the recorded sessions allow to understand what exactly happened, collect evidence and use as a means for future preventive actions. 

In Digital Manufacturing Platforms a logging facitlity should be enabled allowing to record the manipulations and transactions that have happened inside the platform itself, and recording the access and identity of the persons who have been controlling the platform itself. 

 

 

Penetration Testing (Pentesting) is a term used by Cybersecurity practitioners to describe the process of diligently assessing potential vulnerabilities in the information security infrastructure, including in the case of Manufacturing and Industrial environments also operational technology infrastructures. It typically uses a series of tools to automate the process, but will make use of the expert experiences focusing on known tricks and vulnerabilities. The goal for the pentester is to detect and report the leaks, but not to exploit them. It is also refered to as ethical hacking, in the perspective of not intentionally manipulating equipment, data, stealing data or leaving exploitable software behind. Pentesting is the ultimate means to demonstrate both the capabilities of the security infrastructure, as it is the way to identify the shortcomings upfront. A pentesting report will allow security managers to support their activities by indicating risks, threats, vulnerabilities and indicating the needs for a risk management process. Companies with a higher level of maturity will organize a systemic approach, allowing for pentesting to take place periodically, or following specific changes happening inside the infrastructure. This can also take place in the form of contests, having for instance red teams (the attackers) playing against the defenders (blue team); both utilizing their experiences of pentesting. With a Responsible Disclosure, organizatoins and individuals can call upon the community of ethical hackers (white hats) to help identifying vulnerabilities. These will be reported sometimes in return for a small bonus. Large hacking contests can be organized to test complete platforms. When vulnerabilities are found in technologies, including Platforms which are being sold, they are being reported as CVE's after a grace period of the reporting for about 3 to 6 months. For Digital Manufacturing Platforms pentesting should also take place in the platform itself, by performing software testing and testing the Platform being put into an operational environment, as it uses web and internet technologies making it susceptible for exploitation.