Information Security

Beefing up on industrial computer security and password protection

Industrial automation systems are becoming secure-by-design, but weak passwords can wreak havoc with the best-designed systems

By Wayne Labs, Senior Contributing Technical Editor
While an industrial controller or computer may be designed with security built in per ISA/IEC specifications, using easy-to-guess passwords will defeat all the security measures taken by the design crew.

Source: Wayne Labs.
April 6, 2018

A newly published standard specifies process requirements for the secure development of products used in industrial automation and control systems (IACS).

The new standard, ISA/IEC 62443-4-1-2018, is named Security for Industrial Automation and Control Systems Part 4-1: Product Security Development Life-Cycle Requirements. It also defines a secure development life cycle for developing and maintaining secure products used in an IACS. This life cycle includes security requirements definition, secure design, secure implementation (including coding guidelines), verification and validation, defect management, patch management and product end of life.

The new requirements can be applied to new or existing processes for developing, maintaining and retiring industrial control hardware, software or firmware for new or existing products. The requirements apply to the developer and maintainer of a product, but not to the system integrator or user of a product.

“Designing security into products from the beginning of the development cycle is critical because it can help eliminate vulnerabilities from products before they ever reach the field,” says Michael Medoff, ISA99 group leader, who headed the development of the new standard.

“We all know how difficult and expensive it can be to constantly have to patch software in the field,” adds Medoff. “The new standard gives us a real opportunity to break the cycle of frequent security patches and to produce products that are secure by design.”
 

Weak passwords kill security

No matter how well security is designed into an automation system, computer database or email system, weak passwords will nullify all that work.

According to a recent report from the Department of Homeland Security (DHS), criminals have discovered a new way of getting around password-protected systems designed to lock an account after a half dozen password attempts. According to information from a recent FBI investigation, malicious cyber actors have been using a style of brute force attack known as “password spraying” against organizations in the US and abroad.

In February 2018, nine Iranian nationals who were associated with the Mabna Institute were indicted for computer intrusion offenses related to password spraying. These techniques, while characteristic of Mabna actors, are not limited to just this group.
 

What is a brute-force attack and password spraying?

In a traditional brute-force attack, the bad guy attempts to gain unauthorized access to a single account by guessing the password. This can quickly result in a targeted account getting locked out, as commonly used account lockout policies allow three to five bad attempts during a set period of time. For example, banks and most email accounts use this protection.

During a password-spray attack (aka the “low-and-slow” method), the malicious actor attempts a single password against many accounts before moving on to attempt a second password, and so on. This technique allows the bad guy to remain undetected by avoiding rapid or frequent account lockouts.

Password spray campaigns typically target single sign-on (SSO) and cloud-based applications using federated authentication protocols (where a single logon for one account allows access to other—often linked—and related accounts). An actor may target this specific protocol because federated authentication can help mask malicious traffic. Also, by targeting SSO applications, bad guys hope to maximize access to intellectual property during a successful compromise or attack.

Email applications are also a target, and successful break-ins promise rewards—a treasure trove of intellectual property and other sensitive data. In email break-ins, malicious actors would have the ability to use inbox synchronization to:

  • Obtain unauthorized access to the organization’s email directly from the cloud
  • Download user mail to locally stored email files
  • Identify the entire company’s email address list
  • Surreptitiously implement inbox rules for the forwarding of sent and received emails

Once into an email system, a hacker can have an almost invisible presence, siphoning off emails from people in the address book.
 

How can administrators tell if a spray attack has occurred?

A massive spike in attempted logons against the SSO Portal or web-based application is one indicator. Using automated tools, attackers attempt thousands of logons, in rapid succession, against multiple user accounts at a victim enterprise, originating from a single IP address and computer. Attacks have been seen to run for more than two hours.

Another indicator: employee logons from IP addresses resolving to locations inconsistent with their normal locations.
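
The first indicator above, failed logons against many different accounts from one source, can be checked directly over authentication logs. The following is an added example, not code from the article or from DHS; the event layout, the thresholds and the sample addresses are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample():
    """Constructed events: (timestamp, source IP, account, outcome)."""
    base = datetime(2018, 4, 6, 9, 0, 0)
    events = []
    # One source failing once against each of 30 accounts, 20 seconds apart.
    for i in range(30):
        events.append((base + timedelta(seconds=20 * i),
                       "198.51.100.7", f"user{i:02d}", "FAIL"))
    # One user mistyping their own password, then succeeding (not a spray).
    for i in range(4):
        events.append((base + timedelta(seconds=5 * i),
                       "203.0.113.20", "alice", "FAIL"))
    events.append((base + timedelta(seconds=30), "203.0.113.20", "alice", "OK"))
    return events

def detect_spray(events, window=timedelta(minutes=30),
                 min_accounts=10, max_per_account=3):
    """Flag sources whose failures touch many accounts, few tries per account.

    Returns {source_ip: peak number of distinct accounts seen in one window}.
    Thresholds are illustrative and must be tuned to the site's lockout policy.
    """
    by_src = defaultdict(list)
    for ts, src, acct, outcome in events:
        if outcome == "FAIL":
            by_src[src].append((ts, acct))
    flagged = {}
    for src, fails in by_src.items():
        fails.sort()
        start, counts = 0, defaultdict(int)
        for ts, acct in fails:
            counts[acct] += 1
            # Slide the window: drop failures older than `window`.
            while ts - fails[start][0] > window:
                old = fails[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                flagged[src] = max(flagged.get(src, 0), len(counts))
    return flagged

if __name__ == "__main__":
    print(detect_spray(build_sample()))
```

Per-account lockout counters never fire on this pattern because each account sees only one failure; grouping by source over a window long enough to cover the spacing between attempts is what exposes it.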
 

The typical victim and the damage

According to DHS, the vast majority of password spray victims share some of the following characteristics:

  • Use SSO or web-based applications with a federated authentication method
  • Lack multifactor authentication (MFA)
  • Allow easy-to-guess passwords (e.g., “Winter2018” or “Password123”)
  • Use inbox synchronization allowing email to be pulled from cloud environments to remote devices
  • Allow email forwarding to be set up at the user level
  • Have limited logging set up, creating difficulty during post-event investigations.

What can a successful attack do? Think Sony, for example. A successful network intrusion can have severe impacts, particularly if the compromise becomes public, and sensitive information is exposed. Possible impacts include:

  • Temporary or permanent loss of sensitive or proprietary information
  • Disruption to regular operations
  • Financial losses incurred to restore systems and files
  • Potential harm to an organization’s reputation.

DHS makes some suggestions to deter this style of attack. Administrators should enable MFA and review MFA settings to ensure coverage over all active, Internet-facing protocols. Password policies need to be reviewed, and all users should be following NIST guidelines and not using easy-to-guess passwords. Administrators should review IT helpdesk management related to initial passwords, password resets and lockouts. Many companies offer additional assistance and tools that can help detect and prevent password spray attacks.

The FBI encourages those who suspect intrusion to report information concerning suspicious or criminal activity to their local FBI field office or the FBI’s 24/7 Cyber Watch (CyWatch). Field office contacts can be identified at www.fbi.gov/contact-us/field. CyWatch can be contacted by phone at 855-292-3937 or by e-mail at CyWatch@ic.fbi.gov.
 

For more information:

Azure AD and ADFS best practices: Defending against password spray attacks, Microsoft blog.

ST04-002 – Choosing and Protecting Passwords, US CERT.

ST05-12 – Supplementing Passwords, US CERT.

KEYWORDS: cybersecurity industrial networks

Wayne Labs has more than 30 years of editorial experience in industrial automation. He served as senior technical editor for I&CS/Control Solutions magazine for 18 years where he covered software, control system hardware and sensors/transmitters. Labs ran his own consulting business and contributed feature articles to Electronic Design, Control, Control Design, Industrial Networking and Food Engineering magazines. Before joining Food Engineering, he served as a senior technical editor for Omega Engineering Inc. Labs also worked in wireless systems and served as a field engineer for GE’s Mobile Communications Division and as a systems engineer for Bucks County Emergency Services. In addition to writing technical feature articles, Wayne covers FE’s Engineering R&D section.

Copyright ©2025. All Rights Reserved BNP Media.