Manufacturers Need to Shore Up Information Security Weaknesses in the Supply Chain (2019-07-15, IEK產業情報網)

As past information security breaches in manufacturing industries show, attackers' motivations vary: commercial competition, financial blackmail, showing off their capabilities, an intention to cause mass destruction, or simply fun without any malicious intent.
Production recipes, manufacturing processes and R&D status are all business secrets for high-tech manufacturers. Information leakage does not only affect orders, but also creates new competition. There have been many such incidents in the past. This is the reason why the demand has been strong over recent years for information security solutions that prevent information leakage.
The WannaCry ransomware attack in 2017 caused significant economic damage throughout the world. The virus spread fast, encrypting the data of victims, and the attackers would ask for ransoms to be paid in Bitcoins to protect their anonymity.
The technological evolution of production systems has led to the emergence of more information security threats in the manufacturing industries.
In conventional systems (particularly with industrial control systems that manage, monitor and control production facilities), production facilities are generally physically separated from external networks and are not susceptible to network security threats. However, the transition towards smart networking and production management and the demand for real-time equipment monitoring have prompted manufacturers to connect production systems to corporate networks to gain efficiency. This comes at the expense of increased vulnerability. In other words, the legacy protective mechanisms are no longer able to fend off ever-evolving attacks once the systems are connected.
These developments have led to the following four issues regarding information security in the manufacturing industries:

1. A low level of controllability over smart manufacturing systems
Companies typically purchase new production IT systems on a turnkey basis, i.e. software, hardware and operating systems together. In order to avoid any disruptions to functionality, vendors do not grant the highest level of access to the operating systems. Also, corporate IT or information security personnel are prohibited from installing any software or tools. Unless vendors release updates, IT and information security departments will find it difficult to inspect for and repair any information security loopholes. This raises the question of whether the new equipment from suppliers is free from pre-installed viruses and whether customized software comes with pre-loaded malware. These are all issues that require extra attention.

2. Industrial control systems are not capable of sufficiently addressing information security concerns
As many industrial production facilities previously sat in an isolated environment, they were not designed with robust protective features such as identity authentication and basic encryption. If the internal networks are invaded, they are usually not equipped with effective defense mechanisms. If the attacker can penetrate via a single point, he can easily access different parts of the manufacturing system, e.g. controllers responsible for monitoring and supervising production programs. This can potentially cause the suspension of operations, damage to facilities, financial loss, theft of intellectual property, or jeopardize the health and safety of personnel.

3. Slowness in version updates for manufacturing systems
The operating systems for factory facilities and equipment are often powered by special drivers or bespoke programs. They are not off-the-shelf operating systems, but customized versions provided by vendors. As a result, the patches and updates significantly lag behind those for standard operating systems. The mainframes and computers are hence exposed to the risk of infection from viruses due to the lack of ability to immediately update the system with security patches.

4. Fixated priority of production reliability
Manufacturers seek to maintain the stability of production facilities, and any environmental changes (e.g. the addition of enhanced security solutions) may affect manufacturing processes. Management prefers to make minor changes and attempts to maintain normal operations and reliability during the adoption of any new security solutions. This implies more time is required for assessment, testing and inspection of industrial control systems prior to installation.


Manufacturers are advised to refer to the information security risk management framework developed by the U.S. National Institute of Standards and Technology to deal with the above issues.
First, it is essential to stay on top of the current status of system versions and known vulnerabilities in the hardware, operating systems and customized functions.
Second, information security audits should be conducted during pre-installation testing and after the new machines come online, with vulnerability assessment and penetration tests, in order to ensure all the known weaknesses are under management and to mitigate the possibility of invasion by external malware.
Third, it is necessary to ensure that a complete suite of network information security mechanisms and solutions is in place. It would be a mistake to take these matters lightly simply because the production network is physically isolated.
Finally, it is necessary to perform regular audits, update the versions, install patches for operating systems and inspect the network architecture for any changes required after the new equipment is up and running.
The new systems and outsourced subsystems implemented as part of the introduction of smart networking management, real-time sensors, information and communication management and service platforms all come with information security risks for high-tech manufacturers in Taiwan. Therefore, it is a prerequisite for companies across the supply chain, from upstream to downstream, to collaborate on risk management by providing transparent information on equipment and information security events. No company can cope with information security threats alone anymore. The best way is to construct a robust and comprehensive protection system throughout the supply chain.
This article was originally published on IEK產業情報網; copyright is held by 工研院產科國際所 (the Industry, Science and Technology International Strategy Center of the Industrial Technology Research Institute).