Michael P. Powell

Risk Management

Detecting Abnormal Cyber Behavior Before a Cyberattack

The development of standards-based cyber controls is an important aspect of security requirements for manufacturers

Published: Tuesday, April 6, 2021 - 12:02

The promise of advanced manufacturing technologies—also known as smart factories or Industry 4.0—is that by networking our machines, computers, sensors, and systems, we will (among other things) enable automation, improve safety, and ultimately become more productive and efficient. And there is no doubt that manufacturing has already benefited from that transformation.

However, connecting all of these sensors and devices to our industrial control systems, along with the increase in remote work and monitoring, results in manufacturing networks with greater vulnerabilities to cyberattack. This is an increasingly challenging dynamic as manufacturers sort out how to adopt commercial information technology (IT) standards that are compatible with their operational technology (OT) standards.

New standards-based capabilities will help manufacturers

NIST’s National Cybersecurity Center of Excellence (NCCoE), in conjunction with NIST’s Engineering Laboratory, recently released a report that demonstrated a set of behavioral anomaly detection (BAD) capabilities to support cybersecurity in manufacturing organizations. Using these capabilities enables manufacturers to detect anomalous conditions in their operating environments to mitigate malware attacks and other threats to the integrity of critical operational data.

In other words, manufacturers will be able to continuously monitor systems in real time or near real time for evidence of compromise. The development of standards-based cyber controls is an important aspect of security requirements of manufacturers.

How BAD monitoring translates to early detection of cyber threats

BAD involves the continuous monitoring of systems for unusual events or trends. The monitor looks in real time for evidence of compromise, rather than for the cyberattack itself. Early detection of potential cybersecurity incidents is key to helping reduce the effect of these incidents for manufacturers. Cyber breaches are typically detected after the attack.

BAD tools are implemented in industrial control systems and OT environments, and could be monitored by a human control interface, which many manufacturers use to monitor their operations. The operator would be able to see network traffic and be alerted to the addition of any authorized or unauthorized device or connection.

For example, the system would know what communications are authorized with a programmable logic controller (PLC), so any new contact would generate an alert. Likewise, any abnormal communication between connected machines, modifications in human-machine interface logic, or other anomalies would be noted.
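The baseline-and-alert idea described above can be sketched as follows. This is an added example, not code from the NIST report or any BAD product; the addresses, the `Flow` record and the alert names are hypothetical, and the traffic is constructed sample data.

```python
from collections import namedtuple

# Constructed flow record: source IP, destination IP, destination port.
Flow = namedtuple("Flow", "src dst dport")

PLC = "10.0.1.20"  # hypothetical PLC address

# Constructed traffic observed during normal operation (the baseline window).
BASELINE = [
    Flow("10.0.1.10", PLC, 502),           # HMI -> PLC, Modbus/TCP
    Flow("10.0.1.11", PLC, 502),           # historian -> PLC, Modbus/TCP
    Flow("10.0.1.12", PLC, 44818),         # engineering station -> PLC, EtherNet/IP
    Flow("10.0.1.10", "10.0.1.11", 1433),  # HMI -> historian database
]

# Constructed traffic seen later, while monitoring.
LIVE = [
    Flow("10.0.1.10", PLC, 502),           # in baseline: no alert
    Flow("10.0.1.11", PLC, 44818),         # known host, new kind of PLC contact
    Flow("10.0.1.99", PLC, 502),           # device never seen before
    Flow("10.0.1.99", PLC, 502),           # repeat of the same flow: alert once
    Flow("10.0.1.12", "10.0.1.10", 3389),  # new machine-to-machine connection
]

def learn(flows):
    """Build the baseline: known devices and authorized (src, dst, dport) flows."""
    devices = {ip for f in flows for ip in (f.src, f.dst)}
    return devices, set(flows)

def monitor(flows, devices, allowed, protected):
    """Return passive alerts for traffic outside the baseline; nothing is blocked."""
    alerts, seen = [], set()
    for f in flows:
        if f in allowed or f in seen:
            continue
        seen.add(f)
        if f.src not in devices:
            kind = "NEW_DEVICE"
        elif f.dst in protected:
            kind = "NEW_PLC_CONTACT"
        else:
            kind = "NEW_CONNECTION"
        alerts.append((kind, f.src, f.dst, f.dport))
    return alerts

def run_demo():
    devices, allowed = learn(BASELINE)
    return monitor(LIVE, devices, allowed, protected={PLC})

if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The baseline is only as trustworthy as the window it was learned from, so anything already present on the network during learning is treated as authorized.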

The BAD solution is a relatively inexpensive, modular approach and an efficient way to detect anomalies. However, BAD alerts are passive in nature and would not necessarily take remedial actions such as shutting down the production process.

Manufacturers remain a target for cyberattacks

According to the U.S. Department of Homeland Security, manufacturing was the most targeted industry for infrastructure attacks in 2015, and small and medium-sized manufacturers (SMMs) continue to be prime cyber targets.

There is greater demand for cybersecurity because of manufacturers’ growing dependence on technology and data as drivers of productivity and efficiency. SMMs traditionally have found managing cybersecurity concerns a challenge for a variety of reasons:
• The manufacturing technology mix includes IT (e.g., networks and business-side software such as email, finance, and enterprise resource planning) and OT (operational technology, such as machines and control systems).
• Cyber competes with many other areas in terms of funding, awareness, and education.
• It’s difficult to dedicate specialty resources for in-house staffing.
• Cybersecurity has not been a priority in the OT build, which means as IT and OT are connected, the vulnerabilities of legacy systems become potential liabilities to the whole network.

What’s next from NIST Labs and NCCoE for cybersecurity

The work to develop the BAD capability used 16 test cases, or classifications. Some were simple alerts to an event, such as password and authentication failures; others involved some level of analytics, such as notification of unauthorized software installations and an alert of denial of service.

The next joint project from NIST’s NCCoE and Engineering Laboratory, Protecting Information and System Integrity in Industrial Control System Environments, takes a more comprehensive approach to protection from data integrity hacks. These capabilities include:
• Security incident and event monitoring
• Application-allow lists
• Malware detection and mitigation
• Change control management
• User authentication and authorization
• Access control of least privilege
• File-integrity checking mechanisms

Nine manufacturing vendors and integrators have signed cooperative research and development agreements (CRADA) with the NCCoE to help develop the capabilities.

Contact your local MEP center for expert cybersecurity advice

Cybersecurity experts working in the manufacturing sector see education as a key to SMMs adopting these cybersecurity solutions. More SMMs are looking at cyber consultations in much the same way they might seek expertise for finance or insurance.

If you aren’t sure where to start with cybersecurity for your manufacturing firm, check out this assessment tool and NIST’s Cybersecurity Framework. You also can browse the NIST MEP collection of cybersecurity resources for manufacturers.

For particular needs, the most expedient route to find proper guidance is to connect with a cybersecurity expert at your local MEP center.

First published March 5, 2021, on NIST’s Manufacturing Innovation Blog.


About The Author

Michael P. Powell

Michael Powell is a cybersecurity engineer at the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST). His research focuses on cybersecurity for the manufacturing sector, particularly how it impacts industrial control systems.