IT in Manufacturing

Cyber defence for industrial networks

December 2015 IT in Manufacturing

The last few years has seen huge growth in industrial networking. Since protocols like Fieldbus (IEC 61158) were not meant to be integrated into larger business networks, most suppliers and end users have concentrated on network connectivity and not network cyber security.

Given that the cyber security problems in industrial networking are similar in many ways to office networking, many industrial control system (ICS) asset owners have embraced the industrial network challenge and are expanding their deployments from the most vulnerable interconnected office to plant environments.

Meanwhile, other ICS asset owners have taken a cautious approach to this new world of industrial networking. Conversely, such organisations are concerned about the vulnerability of ICSs by the increased connectivity. Are there any basic steps an organisation can take to prevent compromise in this area?

Introductory cyber defence

Like all applications of defensive measures, cyber defence begins with a mindset or philosophy. This is grounded in the understanding that everyone who uses ICS is a target. No longer can any ICS asset owner say with certainty that “they are too small or too obscure to be a target”. In fact many smaller plants or facilities across the world are finding themselves increasingly being targeted as larger corporations establish sophisticated security defences.

Being a hacking target is one thing, but it is also hard for the average ICS operator to know where to concentrate any defensive measures. In large corporations, Security Risk Management efforts now quantify a scored hierarchy of importance. Then, after the hierarchy is established, security defensive measures are applied to the most critical systems first. Smaller ICS owners can do this scoring as well. But they should score systems which hackers are most likely to attempt to exploit, like PC workstations that are connected to critical systems.

Cyber defence guidance

According to the Australian Signals Directorate Top 35 list of mitigation strategies (, at least 85% of intrusions could have been mitigated by combining the top four mitigation strategies.

These four strategies are:

1. Patching applications.

2. Patching operating system vulnerabilities.

3. Restrict administrator privileges.

4. Application whitelisting.

Operating system and application updates – basic digital hygiene

For ICS computers, there is no better, high value mitigation than regular operating system (OS) updates. These should be set to “automatic”, but if you suspect your computer is out of date and has Windows OS, simply perform a windows update. The same can be said for other operating systems such as Linux. Operators should establish an update policy and perform the updates on a monthly schedule, if possible.

The following applications on ICS computers should be updated with the latest versions or uninstalled: Web browsers, Adobe Acrobat, Microsoft Office and Adobe Flash. These install base common applications are prime targets for hackers to exploit. A special mention should be the use of an up-to-date anti-virus. A non-current anti-virus is sometimes worse than none at all.

Wherever possible, ICS related devices should be updated to the latest software version. This is especially important for industrial network related devices like switches and routers. Hackers are very keen to infiltrate unsecure network devices to maintain persistence in an attacked organisation.

Restrict administrator privileges – keep safety features in place

The reason that administrator accounts need to be controlled is to prevent privilege escalation. Whenever possible, an operating system login should be done with standard user privileges. Administrator privileges should only be used when needed, and sparingly during normal operation.

Application whitelisting – no rogue programs

A whitelist is a list or register of entities that are being provided a particular privilege, service, mobility, access or recognition on a system. Entities on the list will be accepted, approved and/or recognised. Whitelisting is the reverse of blacklisting, the practice of identifying entities that are denied.

For most computing applications, whitelisting is not very practical. But the principles of whitelisting can be applied manually to yield some protection. Mitigations like manually monitoring process listings to see if any strange applications are running and then ending that process/application if it seems to be running when it shouldn’t be.

How to detect if a system is ‘Hacked’?

There are many ways to detect if your ICS is hacked but without the use of sophisticated forensic tools, a qualitative assessment is usually an acceptable method for most ICS users.

Observable indicators of compromise (OIC)

• System runs slowly. This could be due to malware background processes running.

• System takes overly long to boot. This could be possibly due to hacker hardware drivers loading.

• System makes strange noises at odd times or at startup. This could be due to malware hardware driver being poorly coded.

• System applications do not run as desired, for example, the system update, system restore or anti-virus not being able to update is an indicator that the system has been hacked.

• You find web services, such as web searches, are redirected to unusual sites due to a Malware/Adware compromise.

In general, should any of the above occur, it is wise to contact an IT security professional to resolve the problem. Additionally, once the near term issue is resolved, the computing asset should be rebuilt with fresh OS load media during the next maintenance shutdown.

Can cyber defence be this simple?

Industrial networks offer huge advantages when secured properly. There is always the potential for a hacker to compromise your control system, however if you secure your systems, even to a basic level, most attackers will proceed to easier targets elsewhere.

The biggest issue today, in industrial networks, is the concern with disruption and loss of control.

Cyber security may be inconvenient but if you do implement it, you can still maintain operations within safety margins. Deployment of industrial networks with the above cyber defensive practices makes them more dependable and allows organisations to enjoy the benefits of increased connectivity.

For more information contact Christie Cronje, Yokogawa South Africa, +27 (0)11 831 6300,,


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Siemens’ software for digital transformation of automotive design
September 2021, Siemens Digital Industries , IT in Manufacturing
Model-based development process and systems are used in Japan and globally to adapt to the biggest automotive transformation in 100 years.

Is track and trace through the factory a waste of time?
September 2021, Iritron , IT in Manufacturing
Modern track and trace solutions are purpose-built to introduce as little disruption to the existing production process as possible, while also being flexible enough to cater for plants that range from fully manual to fully automated.

Modularity for scalability
September 2021, RJ Connect , IT in Manufacturing
Businesses are looking for versatile solutions that are easy to maintain to ensure smooth operations while keeping costs down.

Saryx launches TMP
September 2021 , IT in Manufacturing
The digital transformation that has swept the world in the past few years has fundamentally altered most people’s approach to technology, with an increasing number seeking the ability to manage their ...

Secure boundaries enhance industrial cybersecurity
September 2021, RJ Connect , IT in Manufacturing
When enhancing cybersecurity, it is important to understand how industrial systems are exchanging data and how they connect to IT-level systems.

Siemens drives digital transformation at virtual Smart Mining forum
September 2021, Siemens Digital Industries , IT in Manufacturing
With its motto: ‘On the road to the digital future’, Siemens hosted its virtual Smart Mining forum from 3-5 August.

Deep-learning AI made accessible
September 2021, SICK Automation Southern Africa , IT in Manufacturing
SICK Automation has launched a set of deep-learning software and services called dStudio, making artificial intelligence (AI) more accessible to the southern African market. This software works with machine ...

How safe are our factories? Part 1: Cybersecurity for operational technology.
August 2021, Wolfpack Information Risk , IT in Manufacturing
If companies are regularly being subjected to cyber hacks overseas, isn’t it only a matter of time before someone with enough motivation, skill and resources targets us?

HSEC Online simplifies health and safety compliance for companies
Technews Industry Guide: Sustainable Manufacturing 2021 , IT in Manufacturing
This automated, cloud-based solution provides a transparent, collaborative workflow platform which eliminates most of the manual complexities of health and safety document management compliance.

Creating factories of the future
Technews Industry Guide: Sustainable Manufacturing 2021, SEW-Eurodrive , IT in Manufacturing
Raymond Obermeyer, managing director of SEW-Eurodrive South Africa, explains that Industry 4.0 includes all the opportunities for digitally networked production.