Machines across nearly every industry are becoming smarter, doing more tasks with less human supervision. As a result, machines also need to be more connected than ever before. A single machine might be in communication with a wide variety of other endpoints, interacting with other machines, services and humans.
Smart machines should improve our workspaces by enabling faster, more productive processes that make work easier for humans. But in addition to productivity benefits, connected machines also bring a new world of risks to the worksite.
With more points of connection, the potential for machine security incidents and interference also grows. What’s more: the potential consequences of security breaches also become more serious. A hack could mean more than just a loss of data; it could shut down machine operations and cripple production.
Machines hit by ransomware attacks can cause massive stoppages and huge financial losses. The average estimated cost for one minute of downtime in the auto manufacturing industry, for example, is $22,000/minute, according to 2005 research commissioned by Advanced Technology Services and conducted by Nielsen Research. And a ransomware attack could mean days or even weeks or downtime.
Often, machines are reactively maintained, and that can cost companies up to three times more than proactive maintenance. Machines that are connected to the network, if not proactively maintained for cybersecurity, will incur reactive maintenance costs plus the cybersecurity damages. For example, when the freight company Expeditors suffered a ransomware attack in 2022, it cost them $40 million in lost shipping charges, plus an additional $20 million in investigation and recovery expenses.
Simply put: for machines, cyber threats can have very real, very physical consequences. The best way to protect against these threats is to take a proactive approach and lay a secure foundation that builds security into machines to protect against threats, as well as those that may come in the future.
Manage OT machines like IT devices
As physical machines connect to the cloud and to one another, it’s important to start merging operational-technology (OT) and information-technology (IT) approaches to security. Operational technology and information technology have historically been separate fields, depending on different skill sets and procedures. But machines need to be secured and managed much the same way our laptops, tablets and devices are. Practices such as Zero Trust and Least Privilege are important to implement on both a hardware and software side.
Zero Trust is a security model that assumes that any device or user inside or outside the network is not trustworthy and should be verified before granting access to resources. This model involves continuous verification of devices and users to ensure that they are authorized to access the resources they are requesting. For machines, that means establishing a secure identity for both the machine and all the entities it might communicate with.
Another approach is the Least Privilege principle, which restricts access to only what is needed to perform a specific task. This principle ensures that users, devices and applications have the least amount of access necessary to complete a job. By limiting access, this principle minimizes the risk of unauthorized operations and ensures that, if a breach does occur, the damage it can cause is contained.
Understanding and mitigating risks
Machines function in a complex environment, and, as a result, there are a number of ways they can be exposed to risk. It’s essential to secure machines throughout all of their operational tasks.
As such, it’s important to think about all the potential access points throughout the machine's life and operation. There are several important risk factors to consider.
1. Hardware: Machines should incorporate advanced processors with security features that can help prevent hardware from being physically tampered with. Typical features might include:
• secure boot—requiring boot firmware to be signed by trusted signing keys
• secure enclave or trusted execution environment (TEE)—ultra-secure processing environment which is isolated from the general execution environment
• anti-tamper protections—ability to disable interfaces from which the processor can boot firmware and lock the processor configuration to require security features.
The security features can be leveraged to create a secure root of trust residing within or having its access controlled by the secure enclave. The root of trust is the machine’s unconditionality trusted component of the machine where the machine’s identity and highly sensitive cryptographic keys are stored. When a machine is properly manufactured with these security features enabled, many security threats from tampering of machines' most sensitive data can be prevented.
2. Boot: Every time a machine starts, it’s important to make sure that the firmware hasn’t been compromised. We call this “secure boot.”
When a machine is powered, the processor starts by running a trusted unmodifiable piece of firmware within the processor typically called the Boot ROM (read-only memory). The Boot ROM will perform cryptographic verification of a signature within the first piece of boot firmware stored externally to the processor. This verification is done using a public key written internally to the processor during the tamper-proof stage.
The signature verification done by the Boot ROM to verify the first piece of boot firmware establishes trust for the loaded boot firmware running on the device. Establishing this trust between hardware and software:
• prevents security threats that come from inserting malicious boot firmware which are difficult to detect
• enables trusted party to authorize—sign—firmware to run on machines
• establishes a foundation of trust in software running on machines which can be leveraged to establish a chain of trust all the way to the operating system (OS) and applications running on the machines.
3. Configuration: Configuration is an essential part of ensuring machines operate efficiently. It is critical that the configuration which is sent to a machine over the OT network is intended for that machine and that the machine can trust it. To ensure this happens correctly, the configuration should follow the following steps:
1. Before configuration is sent to the machine, it needs to be digitally signed and encrypted for that machine.
2. Upon receiving the configuration, the machine needs to decrypt and validate the signature using its root of trust to ensure that it can be trusted.
Encrypting and signing of a machine configuration helps prevent security threats that could come from inserting malicious configurations. It also protects against exposing any sensitive operational information.
4. Communication: Any single machine might be in communication with remote controls, other machines, service providers or management software. All of this communication needs to be protected.
Machine communication on the OT network must not have any security compromises made that would not be allowed on an IT network. Instead, communication across the OT network should follow IT policies which ensure the confidentiality, integrity and availability of the machine.
5. Updates: Machines will experience firmware updates throughout their lifetimes, and each of these updates could represent a chance of an attack if not protected. It’s important to keep a machine update up to date in order to:
• prevent exploitation of vulnerabilities in software which could enable control of machine
• deploy fixes which improve operational efficiency.
Often, updating machines is time-consuming. To reduce the impact on updating machines over the OT network, the operator of these machines need to:
• control when updates are applied by having the ability to schedule updates which minimize impact to productivity
• finely control what is updated, ideally being able to deploy updates to applications without requiring the whole machine to stop operating
• apply updates at scale across multiple locations over the OT network.
Machines of tomorrow
These risk factors are what we use as a core framework to establish trusted communication to, from and between machines. Defining and enforcing strong policies around hardware, boot, configuration, communication and updates can help protect your OT network and make machine operations more secure. This ensures that data, IP, assets and the people working around smart machines are protected.
As the machine systems scale and become more complex, the need for safe secure communication will grow exponentially. Waiting until a security incident occurs is not an option. The best way to protect organizations is to lay a secure foundation for smart machines now, that can grow, scale and protect operations tomorrow.
Ojha drives the development of Fort’s platform for machine safety, security and trusted communications. She previously led platform development at Autodesk and Citrix, and she has been awarded multiple patents in IoT and networking. Contact her at [email protected]
Register for the conference at Automate Registration.