Cybersecurity attacks in the food/beverage/agricultural industry often achieve notoriety because of the large sums of monies involved—usually in the millions of dollars—resulting from large ransomware demands and payments, plus the ensuing downtime while business and supervisory systems are offline. For example, according to an Xtalks June 22, 2023 blog by Sydney Perelmutter, senior food industry journalist, five ransomware demands in 2020 and 2021 made news due to multimillion dollar ransom demands:
- Campari Group, 2020, $15 million demanded
- JBS Foods, 2021, $11 million demanded and paid
- Harvest Food Distributors and Sherwood Food Distributors, 2020, $7.5 million demanded
- NEW Cooperative, Inc., 2021, $5.9 million demanded
- Schreiber Foods, 2021, $2.5 million demanded [1]
One problem: the above examples include the attacks we know about. According to comparitech (a company specializing in cybersecurity analysis), from 2018 to May 2023, ransomware attacks hit 157 food, beverage, and agriculture organizations. The researchers estimated such attacks have cost these organizations $1.36 billion in downtime alone. [2]
Another more troubling problem: While ransomware attacks achieve the most notoriety as they are typically focused on business systems and bring the largest immediate income to malevolent actors, more pernicious attacks can occur at the device/controls level in a plant.
Moreover, keep in mind that a ransomware attack coming in at the IT system can open the door to plant-level OT systems. “Ransomware attacks can affect any type of network and the scope of the attack can reach into any network the attacker gains access to,” warns Jesse Newman, IT manager for Concept Systems Inc., a Control System Integration Association (CSIA) certified member. And state-sponsored attackers have the will, funds, support and time to reach down into control systems.
Worse yet, aging unprotected programmable controllers, SCADA and industrial computer systems represent an easy target that—when combined with an attack on a manufacturer’s business system—can seal the deal in totally disabling a facility, potentially putting a manufacturer’s business in a precarious position.
OT Systems Are a Ripe Target
Because water utilities are typically public, we tend to hear more about attacks on their control systems than in the food industry—but food and beverage is a ripe target for unprotected equipment—and again, most food companies are not willing to talk about attacks on production equipment, which could affect food quality and safety. However, a recent attack on a water utility in Western Pennsylvania brought about recommendations from CISA (Cybersecurity & Infrastructure Agency).
The recent alert from CISA released on November 28, 2023 covered exploitation of Unitronics PLCs used in water and wastewater systems, and offered several fixes to prevent the attack of these controllers—in this case, suspected Iranian actors are to blame. The first recommendation is to change the PLC’s default password of 1111 if in use; second, require multifactor ID for any remote access to the OT network plus IT and external networks; and disconnect the PLC from the open internet—if connected in such a fashion—and use firewalls/VPNs to segregate the device. The complete list of action steps goes beyond these basics. [3], [4]
“Exploitation of PLCs and similar OT systems is not new nor is it uncommon,” says Marty Edwards, Tenable deputy CTO for OT/IoT. “This set of attacks takes advantage of direct internet accessibility, a highly favorable attack method as companies have turned to making their control systems assets more remotely available. PLCs are the brains of the operation and are programmed to do all of the functions that, in this case, the water treatment plant needs to perform. A threat actor having direct access to this device is a significant and egregious risk because they can turn motors and pumps on and off, manipulate the chemical settings (compromising the safety of the water), plant logic bombs that would cause disruption at a later point in time—and potentially so much more.”
The Problems with PLCs and Other Controllers
Today, most consumer-level routers ship with a password that is also their serial number, which provides a level of security as each unit will have a unique password. PLCs, however, have had their own security problems. Thomas Ruschival, cyber security specialist for controls at Festo, points out a few of these issues:
- PLCs were developed with physical security in mind (locked in a cabinet) and were never intended for use in a network with adversaries.
- There are many PLCs with default passwords, and without password policies in the field. There is no user management; usually there is only one user account (aka, “admin”) and the password is shared among all personnel in the maintenance workshop. Only recently have customers and suppliers started to address the issues of cybersecurity.
- Industrial equipment has a long lifespan; firmware updates are not installed on a regular basis. It is cumbersome, and maintenance personnel do not have the awareness. Sometimes in certified processes (pharmaceutical) the setup must not change, otherwise re-certification is required. Therefore, lots of security issues that are already patched in the IT-world live on in embedded devices.
“PLCs were never initially engineered with security as a primary focus,” adds Jaime Melendez, senior systems engineer at Contec Americas, Inc., a CSIA partner. “Individuals equipped with the necessary skills and tools could perform actions like uploading, downloading, deleting or modifying programs without significant barriers. The perceived security, in the beginning, was largely due to their physical isolation within industrial panels. However, as PLCs became increasingly interconnected and the era of Industry 4.0 ushered in a multitude of IoT devices, assumptions about their security persisted, resulting in insufficient efforts to educate developers and engineers on these critical security concerns.”
“Even when hacking and computer security issues were first becoming obvious, the OT environment stopped developing additional security measures like IT did because it embraced an isolated network,” says Steve Rawlins, Sr., CISSP, lead product cybersecurity officer for Emerson Discrete Automation’s controls and software. Physical isolation was considered one of the best ways to secure a network, and mitigated lots of other threats, and so other techniques and tools that IT developed were not implemented in the OT space.
“But those days are gone,” adds Rawlins. Almost no network is truly physically isolated anymore. It is necessary to update, monitor and control OT environments from places other than the production floor. PLCs and other OT environment equipment are still adding and incorporating all the lessons learned in the IT cybersecurity space to address potential and revealed vulnerabilities.
Around 2010, with the emergence of the Stuxnet worm, a wakeup call resonated throughout the industry, signifying that PLCs could indeed be targeted and attacked, says Melendez. However, executing an attack wasn’t a straightforward task; it required a deep understanding of how a specific PLC program operated, acting as a deterrent. Nonetheless, as interconnections expanded, the industry started fortifying these systems with additional security measures, though often unnoticed by many. This evolution signaled a pivotal shift toward recognizing and addressing the vulnerabilities that had previously been overlooked.
But PLCs aren’t the only risk. “I see industrial computers as the biggest risk here—and not from the hardware itself but from the fact that these computers are often not patched or maintained,” says Ryan Thompson, CRB senior specialist, industry 4.0. “Clients often do not patch hardware because ‘it is working’ and because of a history of patches causing software to stop working. This is especially true when the lifespan of automation equipment is much longer than an operating system life cycle—so when OS support runs out, there is no longer an easy migration path. This is why we still see Windows XP and Windows 7 on factory floors today.”
“The predominant cybersecurity challenge still prevalent in PLCs and data acquisition systems revolves around a lack of awareness regarding these critical issues,” says Melendez. The shift from solely employing physical PLCs to incorporating software-based PLCs and data acquisition systems utilizing alternative programming languages like Python, along with the integration of IoT devices relying on custom software, has introduced potential attack vectors. It’s crucial to note that singling out a particular manufacturing company or developer isn’t the solution here. The lack of awareness regarding cybersecurity is a pervasive issue that permeates all levels of society.
Fixing Key OT Cybersecurity Issues
What’s being done to fix controller issues just described? Festo’s Ruschival suggests a key solution. “Automation suppliers together with experts have defined the IEC62443 security standard. This standard includes a range of requirements for different applications across the entire lifecycle, including individual products, integration of products in plants, and operation of these plants.”
“The industry standard IEC 62443 is a big step forward on correcting these vulnerabilities,” says Emerson’s Rawlins. “This gives clear guidance and standard practices for manufacturers, designers and end users to agree on and work toward. At a minimum, customers should be looking at password complexity and network intrusion testing on products before they purchase them. Best practice would be buying IEC 62443-certified products and even seeking to certify their production facilities. In the future there needs to be equipment logging audit files for important events, two-factor authentication, centralized audit management, and real time network monitoring. But not all these capabilities will be able to be implemented on all product types yet.”
“In the case of Contec, we have been diligently implementing our CONTECSecure program and establishing the Contec Product Security Incident Response Team (PSIRT),” says Melendez. “These initiatives serve as fundamental platforms, enabling our customers to bolster their security measures. However, as a hardware manufacturer, it’s crucial to acknowledge that our efforts alone are insufficient if the entire [controls] chain doesn’t actively contribute to ensuring cybersecurity. This significance cannot be understated because attackers persistently seek any vulnerability to exploit, ranging from exploiting social engineering tactics (one of the most vulnerable aspects) to manipulating hardware design flaws to infiltrate systems.”
“I think most major [controls] companies are working proactively with OT security vendors such as Claroty or Nozomi Networks,” says CRB’s Thompson. Further, they are quick to resolve CVEs (Common Vulnerabilities and Exposures) that are posted by the Cybersecurity and Infrastructure Security Agency (CISA).
Carol Keller, security specialist with Gray Solutions (a CSIA certified member), points out some areas for equipment manufacturer improvement:
- Build in security as a standard in PLC designs, for example, secure boot processes, encryption and integrated firewalls.
- Provide regular security updates and patch management in a systematic approach to firmware updates and security patches.
- Implement more sophisticated user authentication methods, such as multi-factor authentication and role-based access controls.
- Increase focus on secure communications.
- Provide education and training for users related to cybersecurity practices and maintenance.
- Use physical security measures/secure locations for PLCs.
Critical infrastructure and industrial organizations must have a layered defense and ensure they are following basic security protocols like obtaining an accurate asset inventory and performing vulnerability assessments on those assets is mission critical, says Tenable’s Edwards. In addition, security teams should always change default passwords on OT and IoT devices and implement two robust multi-factor authentication programs, one to get into the enterprise network and another to get between corporate environments and sensitive OT networks—which PLCs fall within.
On Direct Internet Connections and Old, Forgotten Equipment and Bad Actors
“The idea of connecting any industrial controller directly to the internet without protection is indeed alarming and you would be shocked at how many manufacturers are currently following this bad practice,” says Gray’s Sr. Security Engineer Joe Liercke. In today’s cybersecurity landscape, basic protections like VPNs and firewalls are essential. However, the situation becomes more complex with older equipment, which might have been operational for 10 to 20 years or more.
“All too often people are quick to realize the benefits of remote connectivity or remote maintenance but where we often fail is to adequately assess the risks of such a connection,” says Tenable’s Edwards. “No cybersecurity expert would recommend a direct connection to the internet, but here we are. Organizations can leverage external attack surface management (EASM) tools to identify rogue devices that they are intentionally or inadvertently directly accessible from the internet.”
Why would anyone connect any industrial controller to the internet? “The short answer is that sometimes people are not fully aware of the risk, and these connections are made,” says Emerson’s Rawlins. Often, it is unintentional because users are not tracking all elements of their environment. A first step for protecting against exposing old equipment to modern actors is to make a complete map of everything connected to the network/control system. This should include all equipment, internal and external connections and equipment communications capabilities.
For example, does an installed sensor have Bluetooth capabilities? And is that connection used? Can it be shut off? If not, then this could be an access point for a malicious actor to enter behind firewalls and security devices, adds Rawlins. Once an end user knows what they have and what is connected, it becomes important to start looking at all the equipment and evaluate if it has known vulnerabilities, and then mitigate or replace them as needed. Update all systems as patches and updates are provided, and preferably sign up for notifications from the manufacturer.
The challenge of older, potentially forgotten industrial equipment poses a significant cybersecurity risk, says Contec’s Melendez. This issue highlights one of the most significant vulnerabilities in cybersecurity—knowledge gaps. It’s crucial to acknowledge that cybersecurity isn’t straightforward for users.
Addressing the security concerns associated with older equipment involves a multifaceted approach, adds Melendez. It includes not only implementing additional security layers like VPNs and firewalls but also educating users about the significance of cybersecurity practices. Moreover, there’s a need for continual updates and support for legacy systems to mitigate vulnerabilities and ensure ongoing protection against potential threats.
All equipment, regardless of age should have every layer of security possible because individual defense mechanisms can be breached with enough time and resources, says Concept Systems’ Newman. “The more layers of defense you create, the more expensive (time and money) it will cost an attacker to access a device or network. I would recommend avoiding connecting controls equipment to a network that provides internet access. If an internet connection must be provided for purposes like VPN for remote access or for patching software, it’s best to only provide internet access when needed and disconnect when it’s not needed.”
Finally, know your own staff members! Your worst enemy could be a disgruntled fellow employee who has the complete run of your system—not some foreign actor thousands of miles away.
References:
[1] “Top 5 Ransomware Attacks that Shook the Food Industry,” Sydney Perelmutter, Xtalks blog, June 22, 2023
[2] “Since 2018, ransomware attacks on food, beverage, and agriculture organizations have cost the world economy $1.36bn in downtime alone,” Rebecca Moody, comparitech, June 5, 2023, Website study
[3] “Exploitation of Unitronics PLCs used in Water and Wastewater Systems.” Nov. 28, 2023, CISA.
[4] “Remote attacks on process/automation systems can wreak havoc,” FE, February 17, 2021.