It’s undisputed: the future of enterprise maintenance is digital. In the near future, numerous internet-connected sensors and devices will be available in industrial plants, empowering maintenance technicians, plant managers, supervisors, and even business owners with timely and accurate information about the physical world. These devices will be used to provide insights about the status of assets in various settings, including smart electrical grids, smart buildings, factories, as well as intelligent transportation systems. The data they collect will be integrated within cloud-computing infrastructures and processed, enabling novel maintenance approaches, such as predictive maintenance.
But these innovative new advances are not without risks. Transfer of data from the field to the cloud raises significant cyber-security concerns, as servers, networks and communication channels can be attacked by malicious parties.
These concerns are not theoretical. Many enterprises that rely on digital infrastructures have experienced cyber security attacks. For example, according to an official report, the number UK businesses that suffered a cyber attack doubled in 2016, with almost half of firms detecting a breach during the same year. In the case of industrial organizations, cyber security attacks can lead to expensive data breaches or even loss of Intellectual Property (IP) assets.
To make things worse, recent research studies and surveys reveal that most plant operators are not very well prepared to address cyber security risks. Hence, we’ve witnessed several large scale cyber security attacks against critical infrastructures of industrial organizations, such as the notorious cyber security attack against Saudi Arabia’s national oil company back in 2012 and the more recent watershed cyber attack against Triconex industrial safety technology that was reported by FireEye Inc. last December. In this context, developers, deployers and operators of digital systems for enterprise maintenance need to understand the risks and be aware of best practices for mitigating them.
Understanding the cyber security challenges and risks
Four of the most prominent types of cyber security attacks against elements and modules of IT-based enterprise maintenance systems are as follows:
- Hardware-based attacks: Predictive maintenance systems are based on the collection and processing of data from multiple sensors such as vibration, acoustic, ultrasonic and temperature sensors, as well as thermal imaging sensors. To support this data collection, several hardware devices are introduced in the shop floor, ranging from wireless sensor networks to edge gateways. The latter devices must be secure in order to avoid attacks against them, which could disrupt the operation of the maintenance system. In particular, a compromised device can start exhibiting abnormal behavior, which would lead to malfunctions of the data-driven maintenance system. Moreover, they have to be trustworthy in order to properly collaborate with other devices and IT applications of the predictive maintenance solution. The introduction of a malicious sensor or device in the shop floor can be the foundation of various cyber attacks.
- Software-based attacks: Software packages for asset management, data collection and data analytics can also be sources of cybersecurity vulnerabilities for predictive maintenance systems. Hacking these systems can also cause malfunctions or even break-down of maintenance processes.
- Risks of Digital Simulation and Digital Twins solutions: Several enterprises are developing digital twins solutions for maintenance. These simulate the behavior of the equipment in order to predict parameters such as a machine’s RUL (Remaining Useful Life) based on the execution of different what-if scenarios. The development of digital twins applications is based on domain knowledge about the equipment and its maintenance process. When compromised, such applications can reveal elements of Intellectual Property (IP) or Trade Secrets, including details of automation and control systems operations.
- Compromising data analytics algorithms for IP assets theft: By hacking a maintenance analytics solution, attackers may be able to access intellectual property of the plant owner and/or the plant operator, such as manufacturing process flows, production automation and control diagrams, quality controls diagrams, or even information about the lifecycle of machines, tools and their lifecycle. This includes maintenance and asset management indicators such as EoL (End-of-Life) and Mean Time Between Failure (MTBF). Stolen IP can be extremely valuable to competitors, given rise to loss of market share and customers.
Attempting to mitigate cyber security risks
Despite the technological advances and increased investments in cyber security, addressing the above-listed risks is still challenging due to the following factors:
- Co-existence of IT with OT (Operational Technology): Contrary to the majority of digital systems, IT systems for predictive maintenance are closely related to the physical world, as they interface and interact with physical devices such as machines, tools, and other field devices. Traditional cybersecurity solutions are not directly applicable to the OT world, as IT and OT have different security requirements. For example, IT focuses less on resilience than OT, yet it prioritizes security. Moreover, IT and OT departments tend to speak a different language. Hence, the convergence of IT and OT security present new challenges that are hardly addressed by state of the art cybersecurity solutions.
- Multiple Datasets: Predictive maintenance systems relies on the collection, consolidation and processing of many datasets, which reside in different systems. This fragmentation of data assets presents opportunities for compromising them and requires securing a larger number of systems and databases.
- Unstable regulatory environment: Plant operators need to adhere to standards and regulations. However, the regulatory environment is unstable, and security standards and directives continue to emerge This makes security auditing and compliance challenging, given the need to ensure compliance and reduce regulatory risk, such as the risk of compliance to the General Data Protection Regulation (GDPR) in Europe.
Cyber security best practices
To successfully cope with the above listed challenges and risks, plant operators and IT experts can consider the following guidelines:
- Design cyber security with maintenance goals in mind: Cyber security solutions should be tailored to the business goals of industrial organizations. The latter goals should drive security priorities, given that security budget is always limited. Moreover, solutions need to fit existing maintenance systems and processes (e.g., protection of specific data sets, securing data collection and analytics processes) without compromising the safety, reliability and availability of IT-based maintenance systems.
- Adopt and implement OT and IT security convergence standards: In order to alleviate the challenges where IT and OT security converge, the industrial internet consortium has recently released its Industrial Internet Security Framework (IISF). The latter can be consulted to define integrated OT/IT security policies that set priorities in-line with business needs and resolve relevant OT/IT trade-offs.
- Design effective security policies: Plant operators need to design and enforce effective security policies. The latter should cover personnel security, access control, strong passwords, remote access policies, policies for securing computer equipment and devices, as well as policies for securing software packages and the computer network. Moreover, the implementation should account for state-of-the-art solutions such as firewalls and other security devices.
- Apply a disciplined patch management process: Given the proliferation of IT systems in the plants (e.g., data storage and analytics servers) a disciplined and reliable patch management process becomes essential. Such a process should guarantee applicability and compatibility based on well documented procedures for patching, including the rejection of unapproved patches. An effective patching process is a key to ensuring the IT systems will not be easily compromised by malicious parties.
- Engage with stakeholders in solution deployment: Successful cybersecurity deployments are largely about stakeholders’ collaboration. Security experts’ efforts should be complemented by the active engagement of cleaning staff, maintenance engineers, maintenance workers and plant executives. The latter engagement is a key to prescribing the right security processes for maintenance systems within the plant and across the supply chain.
- Foster a cultural shift between stakeholders: Cybersecurity within a plant is not only a matter of technical measures such as security testing and patch management. Rather it also requires a cultural shift towards security aware behaviors. For example, maintenance employees can open backdoors through opening phishing e-mails or downloading malware from the internet. The latter backdoors can prove as catastrophic as a cyberattack against hardware devices. In order to implement this cultural shift, organizations should invest in stakeholders’ training, which is a prerequisite for engagement and security responsible behaviors.
Industrial organizations are increasingly deploying IT-based predictive maintenance solutions for their assets, as means of improving Overall Equipment Efficiency (OEE) and reducing costs. However, they often tend to overlook the importance of cybersecurity, as the latter is seen as a defensive investment rather than as a Return-On-Investment (ROI) generating one. This is a big mistake that must be avoided, as cyberattacks can lead to significant losses ranging from data breaches and stolen assets to regulatory penalties.
It’s time to start considering your cybersecurity needs and identifying the controls to be implemented to mitigate risks and prevent attacks, or at very least to detect issues and resolve them in a timely manner. I hope that these guidelines will help you start your cybersecurity projects on the right foot.