As manufacturers continue looking for new ways to utilize factory operating data and increase the added value of products, the need to connect factory system networks to the Internet is steadily increasing in the manufacturing industry, and with that comes increased sources of security risks.
In light of this trend, the Ministry of Economy, Trade and Industry (METI) has issued a document titled “The Cyber/Physical Security Framework for Factory Systems (Draft),” which defines “assumed factories” specific to the manufacturing industry with the goal of establishing the concepts and implementation guidelines for necessary security measures.
The following blog entry explains why factory system security measures are necessary—starting at the device level—and introduces Contec’s initiatives toward providing effective measures.
With the explosion of telecommuting and digital transformation, the world’s digital environment has drastically changed in recent years. As more and more people work from home or other remote locations and mobile devices become widespread, companies have started using a wider variety of endpoints for connecting to the company’s network environment for operations.
This increased network connectivity has also spread to factories, resulting in security risks in not only information technology (IT) but also operational technology (OT) and products. This trend has shown no signs of slowing, and cyber-attacks resulting in significant damage have also been reported. Damage due to ransomware has particularly become a problem in recent years.
In 2021, Japan saw at least 146 reported cases of ransomware, with 55 cases in the manufacturing industry. Toyota Motor Corporation—one of the world’s largest automakers—temporarily stopped operations at all of its plants in Japan in February 2022 following a ransomware attack at a parts manufacturer with whom the company does business.
Hospitals have also been reported as having been affected by ransomware attacks. For example, Tokushima’s Tsurugi Municipal Handa Hospital was hit by a ransomware attack in October 2021, and Naruto Yamakami Hospital was also hit in June 2022. Operations at both of these hospitals were severely hampered as they were unable to use their electronic medical records systems.
In today’s modern era, security is a management risk that can affect the entire business, so promoting appropriate countermeasures is essential. However, the increased diversity of targets and intrusion routes for attacks has made defending against cyber threats difficult when using only a traditional perimeter defense approach, so incorporating a new approach has become necessary.
As the importance of security measures increases, traditional perimeter defenses are no longer sufficient to protect against cyber threats. Currently, countermeasures are being developed on the assumption that the Internet is an inherently hostile environment rather than a generally safe one, and the concepts of zero trust and cyber resilience, which emphasize resilience in addition to resistance, are becoming more prevalent.
The zero trust concept is one that adopts security measures while distrusting all access. With conventional perimeter control methods, connections are divided between an inner network and an outer network, and security measures are enforced based on the idea of trusting an external connection once it has passed authentication and entered the inner network. On the other hand, zero trust incorporates enhanced authentication such as multi-factor authentication, device log monitoring, and access control based on the status of devices.
Cyber resilience refers to an organization’s ability to resist and recover from cyber-attacks on the assumption that such attacks cannot be prevented entirely. In particular, this includes predicting cyber-attack threats, enforcing constant countermeasures (resistance), being ready to respond quickly and reliably when a cyber-attack occurs, and maintaining a high level of organizational resilience so that these measures are sustained over time.
The following section offers an overview of major cyber-attacks that conventional security measures cannot protect against: zero-day attacks and malware attacks.
Zero-day attacks are cyber-attacks that exploit software vulnerabilities that have not yet been mitigated. There is generally no way to defend against a zero-day attack before it occurs if the vulnerability has not been addressed, and the only countermeasure is to apply patches as soon as a fix becomes available.
Malware is a broad term for any malicious program designed to hinder users of the computer being attacked. These malicious programs include computer viruses, worms, Trojan horses, spyware, and various other types of programs.
Malware infections mainly occur through email attachments, over network connections, or by taking advantage of software vulnerabilities, and the malware then extracts or tampers with data. Ransomware (mentioned above) is a type of malware that encrypts data or otherwise renders a computer unusable, allowing attackers to take the computer hostage and demand money to free it.
Cyber-attacks have started looking beyond devices used in offices and homes, particularly in light of the introduction of smart factories, often promoted as “next-generation factories.” In conventional factories, industrial robots and automated assembly equipment are managed and networked using manufacturing execution systems (MES) and enterprise resource planning (ERP).
These networks were designed to be closed within the factory, with no need to connect to anything outside it over the Internet. Today, however, creating a smart factory requires the use of IoT devices that naturally require Internet access.
Any vulnerability discovered in such IoT devices could become a target for zero-day attacks. For example, suppose an IoT device on the factory’s local network is accessed remotely, or a USB memory device is used for maintenance work on it.
Any IoT devices infected with malware could use these intrusion routes as stepping stones for an attack. Perimeter defenses alone cannot protect against such attacks, so device-level security measures become necessary.
As mentioned above, security measures must be enforced not only for the network but at the device level as well. Anti-virus software that protects at the device level can be categorized as using one of two methods: a deny list or an allow list. This section will explain these methods in greater detail.
A deny list is a security measure that blocks or removes suspicious code or data according to a definition file (deny list) that is regularly updated. Most conventional anti-virus software uses a deny list as the security measure.
However, the deny list method has problems protecting against malware with continuously changing code and zero-day attacks that occur before new definition files are distributed. This method also requires definition files to be updated and regular scanning to occur, increasing concerns about operating costs and stable operation of equipment.
The allow list method creates a list containing only trusted programs that have been approved for execution. Any program that is not on this list is denied execution. Maintenance is also required with allow lists, including adding newly approved programs as needed, but the list does not need to be updated as frequently as deny list definition files.
The allow list method can also prevent malware and zero-day attacks. Moreover, because periodic scanning is not needed, operating costs can be reduced, and concerns about the operation stability of equipment can be minimized.
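The contrast between the two methods described above is easiest to see in code. The following is an added example, not part of the original article or any Contec product: a software model in which each method is reduced to a SHA-256 hash check. The program images, the "known malware" sample, and its mutated variant are all constructed byte strings, and the decisions show why a deny list misses a modified or previously unseen program while an allow list blocks both.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample program images. On a real device these would be the bytes
# of executable files on disk; here they are inline byte strings.
TRUSTED_PROGRAMS = {
    "plc_monitor.exe": b"PLC MONITOR v3.1: poll registers, write historian\n",
    "hmi_client.exe":  b"HMI CLIENT v2.0: render line dashboard\n",
}
KNOWN_MALWARE = b"CRYPTOLOCK v1: encrypt share, drop ransom note\n"
# A variant that differs only in its version string, standing in for malware
# whose code changes continuously between samples.
MUTATED_MALWARE = KNOWN_MALWARE.replace(b"v1", b"v2")
# A program nobody has reviewed yet (stands in for a zero-day payload).
UNKNOWN_PROGRAM = b"UNKNOWN TOOL 0.1: never reviewed by the IT/OT team\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class ExecutionPolicy:
    allow_hashes: set = field(default_factory=set)  # allow list: approved programs
    deny_hashes: set = field(default_factory=set)   # deny list: known-bad definitions

    def deny_list_permits(self, image: bytes) -> bool:
        # Deny list: run anything that is NOT on the list of known-bad hashes.
        return sha256_hex(image) not in self.deny_hashes

    def allow_list_permits(self, image: bytes) -> bool:
        # Allow list: run ONLY what is on the list of approved hashes.
        return sha256_hex(image) in self.allow_hashes

    def approve(self, image: bytes) -> None:
        # Allow-list maintenance: a deliberate, change-controlled addition.
        self.allow_hashes.add(sha256_hex(image))


def build_policy() -> ExecutionPolicy:
    policy = ExecutionPolicy()
    for image in TRUSTED_PROGRAMS.values():
        policy.approve(image)
    # The deny list only knows the sample that has already been analysed.
    policy.deny_hashes.add(sha256_hex(KNOWN_MALWARE))
    return policy


def compare_methods(policy: ExecutionPolicy) -> dict:
    """Return, per sample, whether each method would permit execution."""
    samples = {
        "trusted": TRUSTED_PROGRAMS["plc_monitor.exe"],
        "known_malware": KNOWN_MALWARE,
        "mutated_malware": MUTATED_MALWARE,
        "unknown": UNKNOWN_PROGRAM,
    }
    return {
        name: {
            "deny_list": policy.deny_list_permits(image),
            "allow_list": policy.allow_list_permits(image),
        }
        for name, image in samples.items()
    }


if __name__ == "__main__":
    for name, verdict in compare_methods(build_policy()).items():
        print(f"{name:16s} deny list permits: {str(verdict['deny_list']):5s} "
              f"allow list permits: {verdict['allow_list']}")
```

Running the block shows that only the trusted program passes the allow list, while the deny list waves through both the one-byte-different variant and the never-seen program. The `approve` method is where allow-list maintenance happens: a new program runs only after someone deliberately adds its hash, which is the operating-cost trade-off the text describes.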
TPM is a security chip that meets the specifications set forth by the Trusted Computing Group (TCG). This chip provides secure storage and management of information such as encryption keys that previously needed to be stored on removable storage devices. The TPM operates independently from the OS and other hardware, making it resistant to external attacks, and it can be used for various device security measures. A typical example of TPM use is BitLocker on Windows.
BIOS attacks exploit security holes in a system’s BIOS, or basic input/output system. The BIOS is the first program that is executed when a PC is started up, and a BIOS attack could prevent the PC from starting up, leading to a variety of problems.
Computer viruses that have infected the BIOS cannot be detected even with anti-virus software, and in extreme cases, the flash ROM and other hardware that contains the BIOS must be replaced.
Guidelines such as Trusted Platform Module (TPM, from the Trusted Computing Group (TCG)) and National Institute of Standards and Technology (NIST) SP800 have been established to improve security at the device level, and products that are compliant with these guidelines are available from various manufacturers. Any company interested in doing business with the U.S. Department of Defense must comply with the NIST SP800 guidelines, and major countries around the world are beginning to follow this lead in requiring compliance even beyond working with the U.S. government.
NIST SP800-147 ensures device reliability by protecting the BIOS from attacks. Contec offers various products with an NIST SP800-147-compliant secure BIOS that provides protections such as BIOS write-protection, digital signatures, encryption, and passwords.
The NIST SP800-193 guidelines—which take a more holistic view of security risks with an increased focus on the previously mentioned cyber resilience—have also been released. A more comprehensive security standard that extends to organization-wide systems and initiatives (NIST SP800-171) has also been released. Contec is also developing NIST SP800-193-compliant industrial computers with BIOS modification detection and recovery functionality.
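To make the "modification detection and recovery" idea concrete, here is an added example that is not part of the original article and does not describe Contec's implementation. It is a pure-software model of how a TPM-style measurement (the TPM chip introduced earlier) lets firmware be checked against a golden reference: each firmware region is hashed and extended into a simulated PCR, a mismatch identifies which region changed, and the model "recovers" by restoring the golden copy, mirroring the detect and recover functions of NIST SP800-193. The firmware region contents are constructed placeholders, and a real platform would perform the measurement in hardware and keep the golden image in write-protected flash.

```python
import hashlib
import hmac

# Constructed firmware regions standing in for the contents of a BIOS flash ROM.
GOLDEN_FIRMWARE = [
    ("boot_block", b"BOOTBLOCK v1.0: reset vector, SPI init\n"),
    ("main_bios",  b"MAIN BIOS v1.0: memory init, PCIe enumeration, OS handoff\n"),
    ("settings",   b"NVRAM defaults: secure boot=on, usb boot=off\n"),
]


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    # Software model of a TPM PCR extend: new = SHA-256(old || measurement).
    # A PCR can only be extended, never overwritten, so the final value commits
    # to every region measured and to the order in which they were measured.
    return hashlib.sha256(pcr + measurement).digest()


def measure_firmware(regions):
    """Measure each region into a simulated PCR; also return per-region digests."""
    pcr = bytes(32)  # PCRs start at all zeros after reset
    digests = {}
    for name, data in regions:
        digests[name] = hashlib.sha256(data).digest()
        pcr = pcr_extend(pcr, digests[name])
    return pcr, digests


def check_and_recover(current, golden):
    """Detect modification of the firmware relative to a golden reference and
    restore it. Models the detect/recover functions of NIST SP800-193."""
    golden_pcr, golden_digests = measure_firmware(golden)
    current_pcr, current_digests = measure_firmware(current)
    # Constant-time comparison of the final measurement.
    if hmac.compare_digest(current_pcr, golden_pcr):
        return {"tampered": False, "changed": [], "firmware": list(current)}
    changed = [name for name in golden_digests
               if current_digests.get(name) != golden_digests[name]]
    # Recovery: copy the protected golden image back. In hardware this would
    # come from a write-protected backup flash region or a verified signed image.
    return {"tampered": True, "changed": changed, "firmware": list(golden)}


def modify_region(regions, name, payload):
    # Constructed unauthorized change to one region, used to exercise detection.
    return [(n, payload if n == name else data) for n, data in regions]


if __name__ == "__main__":
    altered = modify_region(GOLDEN_FIRMWARE, "main_bios",
                            b"MAIN BIOS v1.0: memory init, extra unsigned module\n")
    result = check_and_recover(altered, GOLDEN_FIRMWARE)
    print("tampered:", result["tampered"], "changed regions:", result["changed"])
    print("recovered PCR matches golden:",
          measure_firmware(result["firmware"])[0] == measure_firmware(GOLDEN_FIRMWARE)[0])
```

The per-region digests are kept only so the example can report which region changed; the security decision rests on the single extended PCR value, which is what a real TPM would hold and what an anti-virus program running under the OS (see the BIOS section above) cannot see or verify on its own.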