Nothing strikes fear into the hearts of production line managers more quickly than having a production line brought down. Except for perhaps a production line going down because of the very tools they themselves brought in to manage the production line environment in the first place.
Ever since a malicious computer worm called the Stuxnet virus targeted supervisory control and data acquisition (SCADA) systems and caused one fifth of Iran’s nuclear centrifuges to tear themselves apart by targeting the programmable logic controllers (PLCs), the industry has been on alert to the possible dangers of unsecured factory assembly lines. And for good reason.
Unfortunately, in response – and to gain a competitive edge – both original equipment manufacturers (OEMs) and customers are rushing to implement immature solutions that pose the risk of creating entry points for bad actors. A production line can be compromised in many ways, but the easiest, most direct method is by exploiting vulnerabilities in the mobile SCADA applications.
OEMs are creating mobile SCADA apps without sufficient testing, which leaves the apps vulnerable to attack. And enterprises that are eager to show their customers and competitors digital prowess in the marketplace are rushing to install these applications.
The fact that SCADA applications have their problems is not news, but it’s the ease of access that really makes the vulnerabilities so threatening. In the past, SCADA apps ran in closed systems with little-to-no access to the outside world. Now, employees and managers access their production lines via cloud-based applications running on smart phones, which makes them more vulnerable.
A recent study conducted by security companies IOActive and Embedi found 147 vulnerabilities in the 34 mobile SCADA applications they tested. The vulnerabilities were wide ranging with 94 percent of the apps vulnerable to code tampering, 59 percent vulnerable to insecure authorization, 47 percent vulnerable to insecure data storage and 38 percent vulnerable to insecure communication. In addition, only 10 percent of the applications used encrypted data in flight.
By exploiting the vulnerabilities in mobile SCADA apps, attackers can shut down or damage production lines by sending or generating erroneous data, so SCADA operators take action when no action is needed or fail to take action when it is required. When the Stuxnet virus targeted the PLCs controlling the centrifuges in Iran, for example, it changed the speed of the centrifuges to damaging levels and sent data to the operators that made it appear everything was operating correctly.
So, what can be done to protect industrial machinery while providing remote access?
First, SCADA applications should:
- be designed around security instead of retrofitted as an afterthought
- use encryption for databases and for data in transit
- use strong authentication techniques
- avoid using backdoor OEM passwords
- withstand robust penetration testing before implementing
- avoid development and release methodologies that adhere to minimum viable product principles.
Remember, these threats are real, and vulnerabilities are indeed being exploited. ISG helps manufacturing enterprises perform proper due diligence while selecting and implementing SCADA applications to protect their production lines and ensure downstream safety. Contact us to discuss how we can help you.