Smart factory security: Understanding how to prevent identity-based attacks

Smart factories are undoubtedly the future of manufacturing.

Back in 2019, the Capgemini Research Institute estimated that smart factories would boost the global economy by $1.5 trillion by 2023, thanks to productivity gains and improvements in quality. And that’s just the tip of the iceberg.

The potential merits manufacturers might unlock through investing in smart factory solutions, also known as Industry 4.0, are extensive. They include:

  • developing bespoke products configured to customers’ individual needs
  • using intelligent sensors to advise on systems’ operational health in real-time
  • using automated technologies to mass produce at scale

From the perspective of identity security and identity protection, however, there are risks. Very often, the identities used to control a digital system are what make that system most vulnerable. Smart factories are no exception.

They are defined as highly digitised and connected environments where machinery and equipment powered by advanced technologies can improve factory processes through automation and self-optimisation.

The key word here is connected. The digital environments in smart factories typically comprise a group of Internet of Things (IoT) devices that are connected to a network, often wirelessly. Crucially, these devices each have their own computing power and logic, enabling them to be controlled remotely, acting upon specific commands.

The pros and cons of smart factories

This connectivity brings a plethora of benefits. However, network connections also bring about problems, creating larger digital footprints vulnerable to attack via digital means.

No one specific cyberattack vector is unique to smart factories. Rather, the way in which such factories use technology makes them susceptible to attacks in different ways.

For example, on classic computer devices, users can install protective software to check for viruses, ransomware or other indicators of compromise (IOCs). That capability doesn’t exist in IoT devices. Instead, the protection mechanism for these devices lies solely at the network level: monitoring traffic, understanding patterns, recognising and responding to potential IOCs.

In addition, threat actors targeting smart factories aren’t typically interested in stealing data. Instead, their ambitions tend to revolve around disrupting production and operations.

Smart factories make the lives of these threat actors easier compared with traditional factories. The more you automate and digitise operations, the more connected your systems are—and the easier it becomes for threat actors to move through the network.

Consider how digitised workflows are controlled

For this reason, it is important to understand the dependencies between the different components and services on which smart factories rely. That includes such things as the network that transfers the proper data and the identities used to authorise actions. What is happening throughout the production chain? How does each step relate to digital control mechanisms? These are the questions that should be asked and answered.

One trend emerging in smart factories is the manufacture of different products on the same automation line. This applies to the automotive industry, where different car models are produced using much of the same equipment. This flexibility is achieved using additional IoT systems and sensors that feed key information to central computers. This data defines which step in each process needs to be performed next, to match the relevant car model.

Equally, 3D printing has risen to the fore. Initially used for prototyping, this technology is now used to produce genuine components used in real-world models. Mercedes-Benz, for example, is 3D printing genuine replacement parts for classic cars.

Multi-product smart manufacturing lines and 3D printing are examples of processes highly reliant on digitised workflows. And any digitised workflow must be properly controlled.

Digital identities can become attack vectors

That control is where digital identities come into play. Every controlled workflow is spawned through some form of digital identity. This could be a worker who uses their account to authenticate against a computer system to launch a manufacturing process. Or it could be the process that needs an identity to communicate with other elements in the smart factory, such as reading data to execute the next step in the workflow.

Digital identities are not only the classic account name and password. A digital identity can also be a pair comprising a certificate and a private key. The latter is quite a common use case for building a chain of trust between the components involved in a smart factory workflow.

And wherever digital identities are used, they themselves become an attack vector. If threat actors capture and compromise these identities, they can be used to disrupt workflows and bring production lines to a grinding halt.

The importance of identity protection

In this sense, identity protection becomes even more important in the smart factory than in the traditional environment.

It is often difficult to isolate the smart factory environment from the office environment. In an ideal world, these networks would be wholly separated. The reality is that they often cannot be. Individuals who are not physically in the factory but work from their office or home need input into production processes. They must manage details such as the number of parts or products that must be produced.

This lack of proper network isolation increases risk. When malware infects an office environment, which is usually more susceptible to phishing attacks through human error, it can then spread across and infect a smart factory environment.

That hasn’t always been the case. Attacking factories used to be much harder, though not impossible, as seen in the case of Stuxnet back in 2010.

Looking back on the Stuxnet attack

Stuxnet was malware designed by US and Israeli intelligence agencies whose goal it was to destroy the centrifuges that Iran was using in its uranium enrichment factories, effectively disrupting the creation of nuclear weapons in that country. The key challenge for the intruders was that these factories were completely offline, not unlike other operational technology (OT) infrastructure in many industrial factories of the past. The approach taken to attack Iranian factories could also have worked in other offline environments.

The attack succeeded, as was inadvertently confirmed by inspectors with the International Atomic Energy Agency visiting the Natanz uranium enrichment plant in Iran. There, the centrifuges used to enrich uranium gas were failing at an alarming rate. Eventually, a handful of malicious files were uncovered on one of the systems.

In this case, the computers were air-gapped from the internet, so the intruders needed to rely on other human weaknesses to transport their malicious code into the factory. The chosen weakness was human curiosity. The intruders placed an infected USB flash drive in the parking lot of the factory. As expected, a worker found and picked up the drive, then plugged it into the air-gapped computer. The rest is history.

Today, attackers don’t need to rely on physical behaviours. In cloud-connected factory environments, the threats are even greater.

The risk is real

Smart factories are subject to supply chain attacks following a similar pattern to that of SolarWinds. In that attack, threat actors were able to breach Microsoft Active Directory (AD), the primary identity store used by most enterprises worldwide. From there, the attackers updated the SolarWinds Orion software’s source code with malicious code in the Azure cloud tenant. That code later infected thousands of companies that used the Orion software with automatic updating in place.

This is a real risk. Many smart factories operate in a hybrid mode, leveraging both on-premises components and the cloud. They combine legacy technologies with new elements as the factory is modernised over time. This is also true for the identity layer. Most factories rely on AD identities to control digital workflows, which are also synchronised to the cloud (i.e. to the proper Azure AD tenant).

Factory modernisation does not happen overnight. Various existing factory components can have inherent IT risks. Systems often still operate on obsolete operating systems which no longer receive security patches. In some cases, these systems are not even properly isolated from modern IT systems in the factory. This means there are plenty of attack vectors for an intruder, potentially enabling them to compromise the company’s AD and cause significant damage.

Understanding system dependencies

The specific attack paths differ depending on how the smart factory is connected. The simple fact that it is connected makes it easier to attack. Protection layers, therefore, must be adapted accordingly.

The impacts of smart factory attacks can be devastating. The productivity and efficiency benefits connected technologies provide have enabled some of the world’s leading automotive manufacturing plants to produce thousands of cars daily. However, outages of those systems can result in catastrophic financial losses.

Protecting smart factories

So, how can smart factories protect themselves from identity-led attacks and avoid unplanned downtime?

To start, operators in this space need to understand the dependencies of their systems on network identities. To determine what to protect, you must know which processes use which identities.

This understanding requires comprehensive analysis. Some processes might seem fully independent—until you consider how they are invoked. Before the process is allowed to start, a program might need to be executed. And to execute that program, an operator might need to log in to a console and hit ‘go’. If they can’t do that because the identity has been compromised, then your whole production line could be halted.

It is often enough simply to disrupt a key component in the production workflow. For example, many production workflows end with printing proper shipping labels for the produced goods. A world of just-in-time production means just-in-time shipping of goods, as storage units in the factory are minimised. If the identity used to send the proper print commands is compromised, the manufacturer might be unable to print shipping labels. This prevents goods from being shipped, thus stopping the entire production process. The logic translates across all key aspects of a smart factory.
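The dependency analysis described above can be sketched as a small graph walk. This is an added example, not part of the original article: the step names, identity names and the "needs" model (including the just-in-time rule that assembly cannot continue unless goods can ship) are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed inventory (hypothetical names). Each workflow step lists the
# identities it authenticates with and the steps it cannot run without.
WORKFLOW = {
    "operator_login": {"identities": ["AD:op-line1"], "needs": []},
    "start_program": {"identities": ["AD:svc-mes"], "needs": ["operator_login"]},
    # Just-in-time: with no storage buffer, assembly stalls if shipping stalls.
    "assemble": {"identities": ["cert:plc-line1"], "needs": ["start_program", "ship"]},
    "quality_scan": {"identities": ["cert:sensor-gw"], "needs": ["assemble"]},
    "print_label": {"identities": ["AD:svc-print"], "needs": ["quality_scan"]},
    "ship": {"identities": [], "needs": ["print_label"]},
    "energy_report": {"identities": ["AD:svc-report"], "needs": []},
}

def halted_steps(workflow, lost_identities):
    """Return the steps that cannot run once the given identities are unusable."""
    lost = set(lost_identities)
    dependents = defaultdict(set)  # step -> steps that need it
    for step, spec in workflow.items():
        for needed in spec["needs"]:
            dependents[needed].add(step)
    # Steps that use a lost identity directly stop first.
    halted = {s for s, spec in workflow.items() if lost & set(spec["identities"])}
    queue = deque(halted)
    while queue:  # the worklist terminates even when dependencies form a cycle
        for step in dependents[queue.popleft()]:
            if step not in halted:
                halted.add(step)
                queue.append(step)
    return halted

def rank_identities(workflow):
    """Order identities by how many steps stop if that one identity is lost."""
    identities = {i for spec in workflow.values() for i in spec["identities"]}
    impact = {i: halted_steps(workflow, [i]) for i in identities}
    return sorted(impact.items(), key=lambda kv: (-len(kv[1]), kv[0]))

if __name__ == "__main__":
    for identity, steps in rank_identities(WORKFLOW):
        print(f"{identity:15} halts {len(steps)}/{len(WORKFLOW)}: {sorted(steps)}")
```

In this constructed inventory, losing the label-printing identity stops assembly as well as shipping, while the operator's console account has the widest reach, so those are the identities to monitor and protect first.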

A factory becomes smart if it comprises smart systems. A smart system is a connected system and connected systems typically need to be controlled by an identity. So, ultimately, those identities at the core of the operation are what we most need to protect.

Semperis

For security teams charged with defending hybrid and multi-cloud environments, Semperis ensures the integrity and availability of critical enterprise directory services at every step in the cyber kill chain and cuts recovery time by 90%. Purpose-built for securing hybrid Active Directory environments, Semperis’ patented technology protects over 50 million identities from cyberattacks, data breaches and operational errors. The world’s leading organisations trust Semperis to spot directory vulnerabilities, intercept cyberattacks in progress and quickly recover from ransomware and other data integrity emergencies. Semperis is headquartered in Hoboken, New Jersey, and operates internationally, with its research and development team distributed throughout the United States, Canada and Israel.

