PLC cybersecurity isn't just an essential precaution; it has become a vital element in the manufacturing landscape.
The digital transformation of goods and services has continued to reshape various aspects of our lives. Industries like manufacturing and automation are no exceptions, with hardwired relay logic control systems upgraded to electronic Programmable Logic Controllers (PLCs) as the primary control systems. Each advancement has provided advantages in manipulating multiple automated processes to enhance speed, efficiency and, more recently, the communication of large amounts of data for analysis. As industry ventures further into the age of Industry 4.0, these computer systems have inadvertently exposed it to a higher risk of cyber threats due to increased network connectivity. This evolution has created the need to provide cybersecurity not just for computers and servers but for PLCs as well. These changes are becoming urgent and must be embraced if we want to maintain industrial operational continuity and ward off disastrous disruptions.
The drive towards more and enhanced interconnectedness in today’s manufacturing facilities means that PLCs, HMIs, and SCADA systems that once functioned independently or on isolated plant-floor networks have become part of larger, interconnected Industrial Control Systems (ICS). This integration improves operational efficiency and reduces costs, but it also introduces a new set of vulnerabilities that can be exploited by cybercriminals. This expanded industrial digital landscape highlights the increasing importance of PLC cybersecurity.
PLC Systems: New Attack Vectors
PLCs were never designed with security in mind. Anyone with the skills and equipment could upload, download, delete or modify programs. Security was assumed to follow from the physical isolation of the controllers, which are typically mounted inside industrial control panels near the machines they control. Even as PLCs became interconnected, security was managed by ensuring the manufacturing network was separate (air-gapped) or firewalled from the outside world.
Now, as we transition towards a data-centered world with highly networked industrial environments, modern PLCs have become a potential target for cyber threats. The shift towards a connected operational model has changed attack vectors, giving cybercriminals new avenues for disrupting, damaging or manipulating PLC operations across all industries and platforms. The push for Industry 4.0 must take into account this dramatically changing landscape.
Cybersecurity threats targeting PLCs have become increasingly sophisticated and impactful in the past decade. Here are some notable instances of successful cyber-attacks on PLCs:
1. Stuxnet (2010):
In perhaps the most well-known example, the Stuxnet worm targeted PLCs used in Iran’s nuclear facilities. It was designed to exploit specific vulnerabilities and manipulate Siemens’ PLCs responsible for controlling the speed of centrifuges used to enrich uranium. The worm caused the centrifuges to spin too fast, leading to physical damage while simultaneously providing false feedback to the operators. This incident had significant geopolitical implications and illustrated the severity of PLC-related cyber threats.
2. BlackEnergy (2015):
In 2015, a malware strain known as BlackEnergy was used in a cyber-attack on Ukraine’s power grid, causing a massive blackout. The attackers used spear-phishing emails to infiltrate the ICS and installed the BlackEnergy Trojan. The malware gained control over the Human-Machine Interface (HMI), which was communicating with PLCs. The PLCs were then manipulated to disrupt the power supply, leaving approximately 230,000 people without power for several hours.
3. Industroyer/CrashOverride (2016):
Industroyer, also known as CrashOverride, was used in a cyber-attack on Ukraine’s power grid in 2016, marking the second attack on Ukraine’s power infrastructure in two years. Industroyer was designed to target PLCs and protection relays used in electric substations. Unlike most malware, which targets higher-level control systems, this malware was crafted to target the lower-level industrial protocols that PLCs use to communicate, showcasing an evolution in PLC attack vectors. Once it had infected a system, the code would lie dormant until activated by a specific event or time.
4. TRITON/TRISIS (2017):
TRITON, also known as TRISIS, targeted Safety Instrumented Systems (SIS) and was unleashed on a petrochemical plant in Saudi Arabia in 2017. An SIS is a type of ICS that monitors the state of the process under control in order to bring it to a safe state in case of abnormal conditions. TRITON manipulated the instructions in the SIS in an attempt to cause physical damage to the plant and potentially harm the plant operators.
These examples demonstrate that PLCs can be attractive targets for hackers intending to cause physical damage, disrupt essential services or make geopolitical statements. They highlight the need for comprehensive and effective PLC security measures to protect industrial control systems. It should be noted that Stuxnet was a wake-up call, resulting in a panicked attempt to lock down and protect many manufacturing facilities, especially those where security depended on PLC or network isolation (air gaps) as part of the protection model. Also, although BlackEnergy was used in 2015, the malware was first reported as far back as 2007.
Detecting this malware has proven to be very difficult. In the case of Stuxnet, it took months to find and unravel even the basics of its code, while Triton was discovered only because of a bug in its operation. Stuxnet had already done a lot of damage by the time it was discovered, whereas Triton exposed itself before any real harm was done.
Financial and Safety Implications
The financial implications of a successful cyberattack on a PLC system can be catastrophic. Unplanned downtime due to a cyber incident could lead to significant production losses, which directly impact a company’s bottom line. Moreover, the cost of remediation, system hardening and potential regulatory fines could also be astronomical. According to a survey of 900 companies by Trend Micro Inc., the average cost of an ICS breach in 2022 was approximately $2.8 million, with 89 percent reporting some sort of attack over the past 12 months. Other reports suggest most companies are ill-equipped to prevent (or even detect) an attack, even though implementing robust PLC cybersecurity measures is an essential investment to mitigate these potential risks.
Additionally, safety is paramount in industrial environments and a compromised PLC could pose severe threats to life and limb. For example, manipulating a PLC that controls chemical mixtures could result in harmful spills or even explosions. BBC News reports suggest a cyber attack on a steel mill in Iran, operated by a Siemens process control system, resulted in severe damage to equipment but could have easily caused human injuries as well. Therefore, PLC cybersecurity is not just about preserving system integrity—it’s a critical component for ensuring the safety of workers and the public.
Regulatory Requirements
Several regulatory bodies recognize the increasing risk to PLC systems and have enacted laws and regulations mandating certain cybersecurity measures. For example, the North American Electric Reliability Corp. (NERC) regulates and enforces specific standards for the cybersecurity of industrial control systems in the power sector. This set of standards is referred to as NERC Critical Infrastructure Protection (NERC-CIP). Non-compliance can result in hefty daily penalties, making cybersecurity crucial from a regulatory perspective.
A Necessity, Not an Option
In an era where technology continues to rapidly transform industries, cybersecurity has become a pressing concern. Its growing importance cannot be overstated, considering the potential financial, safety, and regulatory implications of a breach. As PLCs become more integrated with other systems, their vulnerabilities will only increase, providing cybercriminals with more opportunities for exploitation.
Businesses must adopt robust cybersecurity strategies to protect themselves. These strategies could include system hardening, regular security audits, employee training, and the implementation of intrusion detection systems. Air-gapping and other isolation techniques are no longer sufficient protection.
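One concrete form the intrusion-detection strategy above can take, given that the article notes anyone reachable on the network could once upload, download, delete or modify PLC programs: flag program-change operations that come from a host other than an approved engineering workstation, or that happen outside a maintenance window. This is an added illustration, not code from the article; the log format, host names, allowlist and window are all assumed for the example.

```python
"""Flag PLC program-change events from unexpected sources or times (added example)."""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample events (assumed format: timestamp, PLC, source host, operation)
SAMPLE_EVENTS = [
    "2024-03-04T02:15:00 plc-line1 eng-ws-01 program_download",
    "2024-03-04T09:30:00 plc-line1 hmi-02 read_tags",
    "2024-03-04T14:05:00 plc-line2 hmi-02 program_download",
    "2024-03-04T14:07:00 plc-line2 10.0.5.77 force_output",
    "2024-03-05T03:00:00 plc-line3 eng-ws-01 firmware_update",
]

# Operations that alter what the controller runs (assumed operation names)
PROGRAM_CHANGE_OPS = {"program_upload", "program_download", "program_delete",
                      "force_output", "firmware_update"}
# Assumed allowlist of engineering workstations permitted to change PLC programs
ENGINEERING_HOSTS = {"eng-ws-01"}
# Assumed nightly maintenance window in which program changes are expected
MAINT_START, MAINT_END = time(1, 0), time(5, 0)


@dataclass
class Alert:
    timestamp: str
    plc: str
    source: str
    operation: str
    reason: str


def parse_event(line):
    ts, plc, src, op = line.split()
    return datetime.fromisoformat(ts), plc, src, op


def in_maintenance_window(ts):
    return MAINT_START <= ts.time() <= MAINT_END


def detect(events, allowed_hosts=ENGINEERING_HOSTS):
    """Return an Alert for each program-change event that breaks the source or time policy."""
    alerts = []
    for line in events:
        ts, plc, src, op = parse_event(line)
        if op not in PROGRAM_CHANGE_OPS:
            continue  # tag reads and ordinary HMI traffic are not program changes
        reasons = []
        if src not in allowed_hosts:
            reasons.append("source not an approved engineering workstation")
        if not in_maintenance_window(ts):
            reasons.append("outside maintenance window")
        if reasons:
            alerts.append(Alert(ts.isoformat(), plc, src, op, "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.timestamp} {a.plc} {a.operation} from {a.source}: {a.reason}")
```

On the constructed sample, the two daytime program changes on plc-line2 are flagged, including the one issued by the HMI, which mirrors the BlackEnergy case where a compromised HMI was used to drive the PLCs.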
As we stride towards a more data-driven future, PLC cybersecurity isn’t just an essential precaution; it’s a vital element in ensuring the resilience, integrity and longevity of our increasingly interconnected industrial systems.