Two VINCI Energies brands, Actemium and Axians, have developed joint tools including a collaborative robot (cobot) in order to help IT and OT teams in the manufacturing sector come together to counter cyber threats.
Factories and workshops have long been managed by instrumentation and control systems closed to the outside world and particularly to players in the Information Technology (IT) and internet environments.
But as the manufacturing sector starts to become more digitised, with the arrival of sensors and other connected objects, the use of mobility tools, and the increasing “cloudification” of numerous industrial applications, we are seeing an integration of production systems controlled by operational technology (OT) with IT. Since IT systems are, by nature, potentially accessible from the outside, this increases the attack surface of industrial facilities. Collaboration between OT and IT is therefore crucial in order to address issues around data flow and processing, and increasingly to find solutions to industry-related cybersecurity problems.
“Given that all the goods we consume on a daily basis and all the services we use, like those linked to power generation/distribution and water distribution, are managed/controlled by OT systems, it’s easy to imagine the risk posed by industrial cyberattacks. For manufacturers, the question is not whether their facilities will be affected but when they will be,” warns Thomas Leseigneur, innovation manager at Actemium, the VINCI Energies industrial performance brand.
No one is spared; even large groups are hit by hackers, with adverse consequences. At Saint-Gobain, for example, a mail server was blocked for several days, and at Renault production stopped for several weeks.
Reconciling two cultures
“While it’s clear that convergence is necessary between industrial and IT business lines, achieving that is not self-evident,” says Vincent Bazillio, development manager at Axians, the VINCI Energies brand specialising in ICT solutions.
The differences in culture between the two worlds result in sometimes conflicting priorities: for IT technicians, confidentiality comes first followed by system availability; for OT professionals it is almost the reverse.
And they respond differently to threats too: in the IT world, the tendency is to shut down access so as to analyse and take corrective action, whereas production will remain the top priority for OT even in the face of a threat.
Actemium is an expert in industrial culture, its core business, while Axians specialises in IT operating procedures. It was this dual competence that brought the two VINCI Energies brands together to offer manufacturers cybersecurity solutions that comply both with industry-specific requirements and good information system practices.
In order to enable OT and IT managers to better protect manufacturing equipment and data, Actemium and Axians have developed awareness-raising tools for them, based on system vulnerability assessments and penetration testing carried out by “white-hat” or good hackers.
The idea is to show, by means of tests, what vulnerabilities can be exploited to attack an industrial system and how to secure its equipment.
Two demonstration tools are used in the presentations given to company IT and OT experts: a virtual reality tool and a small cobot called GrabIT.
GrabIT delivers a simulation of a connected factory, performed with an operator terminal, an automatic controller and a robot. The aim is to demonstrate what happens in a network. The cobot is given a task to complete: by choosing a colour on a screen, the cobot receives a command to go and pick up an object of the same colour with its grabber.
The task goes to plan up to the point where the simulation involves the operator opening up a Word file on a laptop to read a set of instructions. A virus in the file, spread by the USB memory stick containing the Word document, then causes the cobot to malfunction, its movements becoming unpredictable and potentially dangerous to humans.
Adopting good practices
The simulation helps manufacturers to realise that the PCs they use are not necessarily secure. They are informed that, fortunately for them, 80% of threats can be tackled easily by adopting good practices. “Having a Perspex screen in front of the PC included in the production hardware would have been enough to prevent anyone from connecting an infected memory stick,” says Bazillio.
The GrabIT demonstration is supplemented by a map of connected equipment, produced by Axians and Actemium teams.
Participants are often surprised to find out, thanks to the network mapping system, that a piece of equipment or sensor has been forgotten in a suspended ceiling or outside the premises, and that these devices represent a potential security breach.
The mapping includes a fact sheet detailing vulnerabilities for each component – information which can be valuable for maintenance technicians.
Once manufacturers are aware of security requirements, they put in place a number of measures, says the Axians cybersecurity expert, such as “a protection system for production line segments.” “Segmentation is a conventional measure in IT,” notes Bazillio. “It involves forming ‘security bubbles’ for hardware that requires the same protection, for example equipment that needs to be accessible to people on the outside.” This might mean configuring network switches or a firewall.