FEATURE: Steel mills have unique challenges, vulnerabilities to cyberattacks (Part 2 of 3)

Pittsburgh — Note: Part 2 of 3

Historically, critical infrastructure systems like steel mills have had distinct vulnerabilities due to being purpose-built systems, designed to run with very little variation, according to Mark Fabro, president and chief security scientist at Lofty Perch, a consulting firm focused specifically on operational technology and industrial controls systems for cybersecurity.

In the past, cybersecurity was not a component of the build specifications or the procurement process. The risk of an attack was limited to anyone with physical access to the plant, creating opportunity for physical damage, malicious operation of the system or the introduction of malware via removable media, according to Fabro.

Part 1: Manufacturing faces distinct challenges in cyber risk mitigation

Part 3: Cyber-informed engineering perspective needed for cyber-defense

"Fast forward to where we are now, and those systems that were traditionally protected through isolation are now connected to back office, to the supply chain, to the vendors," Fabro said. "Those systems are now networked to a wide range of external systems, making it hard to delineate the extent of the interconnected systems. The challenge becomes accurately defining and securing the extent of the business-critical information infrastructure, and this is where new attack vectors can originate."

While cybersecurity measures can be implemented by steel mills, the older systems can pose additional problems. The last new blast furnace in the US was built more than half century ago.

A steel industry chief information security officer (CISO) said threat actors will look for "vulnerabilities in the software and work to exploit them. The manufacturing industry is often dealing with extremely expensive control systems that were either not designed with security in mind or are difficult to keep updated due to operating schedules."

The end goal will always be mitigating all vulnerability but that can be untenable, so asset owners need to think about consequence-based analysis, according to Fabro.

"Understanding the realistic cyber risk of manufacturing infrastructure needs to be done from the perspective of cyber-informed engineering, in order to understand how the uniqueness of manufacturing environments change the attacker's landscape of opportunity," he added.

The manufacturing industry has been slow to adopt appropriate cybersecurity measures, according to the steel industry CISO: "Financial organizations, for example, have had regulations for years requiring a focus on securing their data and systems, whereas in manufacturing it has been a choice to secure their systems."