Preventing Industrial Cyberattacks

If you believe the headlines, it would appear that most companies have yet to do anything to prevent cyberattacks on their production equipment. When Fortune 50 companies have primary production equipment rolling over and dying, then it’s time to re-engage on the subject of cybersecurity and Industrial Controls.

The very first thing to look at is the connection to the outside world. Whatever the reason you have your XP-based manufacturing cell hooked to the internet, it isn’t good enough.

99% of the attacks on manufacturing facilities can be traced to two problems: one, the controls were connected over Ethernet to the full internet, and/or two, they weren’t running the current update of their operating system.

Problem One

Why is your manufacturing computer (or cell controller or ANYTHING with an ethernet port on it) hooked up to the internet? I have yet to hear of a single good reason for this.

Most of the time it is something silly, like “So the employee can check their email” or their timesheet or fill in a production report. If the operator really needs this sort of functionality at their workstation, get them another computer. Don’t use the cell computer for this.

Or hook the cell computer to an intranet that is airgapped from the rest of the world. There is literally nothing on the internet that is worth exposing your cell controller to the outside world for.

Problem Two

Most industrial systems quickly become legacy systems, and if you are running something older than Windows 7 with any sort of Ethernet connection, you have a flag up to the world saying “Please hack me”. If you are airgapped, it’s not a big deal that you have XP running most of your systems. They work, don’t they? Any updates that you might receive (XP has been out of updates with Microsoft for years) would probably cause the system to fail anyway.

Problem 2 is more insidious.

Let’s say you do have a good reason (something I haven’t run into, like all of your designs come in via email) to hook up to the internet. First of all, it’s not a good enough reason: you can validate the incoming emails on one computer and then sneakernet the files to the cell computer (carry them over on a flash drive).

But if you have the one in a million setup where you have to be connected, you MUST be using a computer with a modern operating system (Win10 by preference) and the CURRENT updates. That’s not yesterday’s updates, or last week’s, that’s TODAY’S.

Win10 has had some really horrible updates (in fairness, these all happened a while back) that stopped the computer from communicating with devices. So you may wind up breaking your own control by trying to get it current and safe from hackers.

Why did you need it on the internet again?
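Both problems can be checked from output an operator can collect at the cell computer itself. The following is an added example, not part of the original article: it reads `ver` and `route print` captures and applies the two rules above. The host names, captures and result labels are constructed for illustration, and a missing default route only shows that the host cannot route off its own subnet; it is not proof of an airgap.

```python
import re

# Constructed sample captures (not real hosts): `ver` and `route print`
# output gathered by hand at each cell computer.
CAPTURES = {
    "cell-01": ("Microsoft Windows XP [Version 5.1.2600]",
                "  0.0.0.0        0.0.0.0      10.20.0.1    10.20.0.15   20\n"
                "  127.0.0.0      255.0.0.0    127.0.0.1    127.0.0.1     1\n"),
    "cell-02": ("Microsoft Windows XP [Version 5.1.2600]",
                "  127.0.0.0      255.0.0.0    127.0.0.1    127.0.0.1     1\n"
                "  192.168.7.0    255.255.255.0  192.168.7.4  192.168.7.4  20\n"),
    "cell-03": ("Microsoft Windows [Version 6.1.7601]",
                "  0.0.0.0        0.0.0.0      10.20.0.1    10.20.0.22   10\n"),
    "cell-04": ("Microsoft Windows [Version 10.0.19045.3803]",
                "  0.0.0.0        0.0.0.0      10.20.0.1    10.20.0.31   25\n"),
}

VERSION_RE = re.compile(r"\[Version (\d+)\.(\d+)\.")
# A 0.0.0.0/0.0.0.0 row is the default route: traffic can leave the subnet.
DEFAULT_ROUTE_RE = re.compile(r"^\s*0\.0\.0\.0\s+0\.0\.0\.0\s+(\S+)", re.MULTILINE)

def nt_version(ver_output):
    """Return (major, minor) from `ver`: XP is 5.1, Windows 7 is 6.1, Win10 is 10.0."""
    match = VERSION_RE.search(ver_output)
    if match is None:
        raise ValueError("unrecognised ver output: %r" % ver_output)
    return int(match.group(1)), int(match.group(2))

def default_gateway(route_output):
    """Return the default gateway from `route print`, or None if there is none."""
    match = DEFAULT_ROUTE_RE.search(route_output)
    return match.group(1) if match else None

def classify(ver_output, route_output):
    """Apply the article's two checks; the labels are this example's own."""
    version = nt_version(ver_output)
    if default_gateway(route_output) is None:
        return "NO_DEFAULT_ROUTE"      # Problem One not visible; legacy OS tolerable
    if version < (6, 1):
        return "LEGACY_AND_ROUTED"     # older than Windows 7 with a way out
    if version < (10, 0):
        return "ROUTED_NOT_MODERN"     # connected, but not Win10
    return "ROUTED_VERIFY_UPDATES"     # Win10: patch level still needs checking

def audit(captures):
    return {host: classify(ver, routes) for host, (ver, routes) in captures.items()}

if __name__ == "__main__":
    for host, finding in audit(CAPTURES).items():
        print(host, finding)
```

A `ROUTED_VERIFY_UPDATES` result is not a pass: the version string alone does not show whether today's updates are installed.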

Finally, a company-wide program for data safety needs to be implemented. Backups and even imaged backup hard drives need to be stored off site for retrieval in the event of a major hack or a physical disaster. Consider an outside firm to handle this. Most IT departments are out of their depth at this point.

But even outside consultants may not have run into large Ethernet-connected production departments. You have to be an intelligent consumer.

And really, you don’t need that control on the internet.

