Understanding the sophisticated requirements of operational systems and how they differ from IT systems will enable manufacturers to devise more effective cybersecurity strategies.
Manufacturing companies racing to innovate by using transformative technologies recognize that today’s digital initiatives will be an essential source of their competitiveness in the next decade or even longer.
Well-implemented Manufacturing 4.0 (M4.0) technologies open opportunities to create new business models and to more capably achieve speed, agility, quality, and resilience across the business. However, if these technologies also open an organization to increased cybersecurity attacks, the impact of cyber risks could drastically limit these newfound benefits.
This is why the true measure for success for manufacturers will be how well an organization can achieve secure transformation to M4.0. To make that happen, executives must take steps now to fold operational technology (OT) cybersecurity directly into their innovation blueprints.
Having Exploratory Conversations
Of course, that’s easier said than done. Even before a manufacturing business starts to architect its secure M4.0 strategy, security champions at the firm must be ready to understand some key differences in how they secure OT systems versus what they typically do to protect IT business systems. OT technologies are different. Their uptime requirements are vastly more rigorous, and their role in powering a manufacturer’s core business function makes them trickier to defend than an everyday email server.
If a cybersecurity executive doesn’t recognize these differences, the typical exploratory conversation between them and an OT production lead tends to follow a very predictable and frustrating path. To illustrate the point, consider the following fictitious conversation of a security professional floating the idea of instituting some IT cyber best practices in OT production environments:
“I need to bring our OT systems in line with the cybersecurity practices we use in IT,” the security professional says. “Here are our patching and network security controls policies and practices. I’d like to start using these ASAP.”
This inevitably puts the OT engineer or production lead on the defensive, particularly when there’s an explicit or even implied sense of urgency in the timeline. These OT experts justifiably have big concerns about new security controls that could threaten to disrupt sensitive operational systems. What’s more, with this approach, they don’t feel like a partner in the discussion. They pull rank as a revenue-generating asset owner and squelch the conversation right then and there.
If security champions can come to the table equipped with knowledge of the exigencies of OT environments, that conversation looks very different:
“I’d like to discuss how we can better secure and monitor OT assets as we bolster digital capabilities in our environments. But I know you’re concerned about working with IT technology or cybersecurity companies that don’t get where you’re coming from as an operational professional. I’d like to bring in some OT cybersecurity experts who have walked in your shoes to ask you how our environment looks and what we can do to improve and protect our production assets without throwing off your workflows.”
That’s a lead-in that can actually start a dialogue about why cybersecurity needs to be a part of the OT transformational roadmap and how everyone can work together to achieve that. It’s also a great opportunity to provide some information on the added value that asset visibility can bring not only to security but also day-to-day operations.
Security-minded executives need to come ready for that early conversation to make their case from an informed and authentically empathetic position.
To help them do that, let’s look first at the reasons why M4.0 transformations need to be secured at the outset and then get more specific about how OT security measures must be different than the typical IT cybersecurity approach. From there, we’ll discuss some next steps for getting started in the secure transformation journey.
The Threats to Manufacturing Technology
Transformative technologies like automation, AI-backed analytics, 5G, Industrial Internet of Things (IIoT), flexible manufacturing systems, and smart robotics all tend to have one big common denominator. That commonality is hyperconnectivity.
These advanced OT technologies are interconnected with one another, the enterprise IT network, equipment suppliers, and the broader Internet. This hyperconnectivity facilitates a greater exchange of information for analysis, faster action, and greater interoperability across digital ecosystems. The acceleration of manufacturing hyperconnectivity is already well underway. According to a 2020 IDC survey of 1,014 manufacturers, 79% of global operational assets are connected to a network, up from 60% in 2016.
From a business perspective, digital advancement and hyperconnectivity are needed to take operations to a new level in terms of scale and speed, continuity, quality, predictive maintenance, and the ability to adapt quickly to changing customer demands.
From a cybersecurity perspective, the added connectivity across OT manufacturing systems increases the attack surface of a manufacturer’s production environment. The more connections M4.0 environments have, the more places threat groups have to intrude on the entire OT ecosystem.
It’s no coincidence that as OT hyperconnectivity kicks into high gear, so have attacks against OT and industrial control systems (ICS) run by manufacturing firms. The threat groups are opportunistic, and they’re recognizing OT manufacturing systems as a prime target for profiting both financially and politically.
The surge in ransomware and other attacks on manufacturing and industrial environments in the last year illustrates this phenomenon. Recent reports show that manufacturing is among the most targeted industries for ransomware attacks, and that 61% of manufacturers have experienced an attack that impacted their smart factories. Three-quarters of those incidents took production offline.
Meantime, even as the threats increase, most ICS/OT systems are unprepared to watch for or respond to these attacks. Dragos research shows that 90% of organizations had extremely limited to no visibility into their OT environments, including ICS networks, assets, and the flow of information between them. Additionally, 88% of organizations exhibit poor security perimeters around ICS networks, meaning they’re at increased risk of attack through IT networks or the Internet at large.
All of this is already happening in today’s factories. Imagine how these problems will be exacerbated, and how new ones will crop up, as manufacturers add more OT threat vectors via future transformative technology, unless organizations take action now as they plan their future M4.0 implementations.
Manufacturers have the opportunity to learn the hard lessons that cybersecurity pros have picked up over the last decade of IT innovation, which can offer a sneak peek into OT innovation trends. They’ve found that layering connectivity and features into technology platforms without planning for security from the get-go causes problems down the road. Most cybersecurity pundits today agree that the bulk of today’s cybersecurity problems stem from the fact that many systems were designed with a build-it first, then secure it mentality.
While OT cybersecurity has some key differences with IT cybersecurity, there’s a fundamental truth that holds across both disciplines: When cybersecurity is folded into the design and architecture of systems from the outset, those systems cost less and run more securely over their lifespan.
How OT Cybersecurity is Different
At the same time, executive leaders must understand that securing OT systems will require specialized techniques and strategies beyond the typical IT cybersecurity wheelhouse. Unlike IT systems, ICS/OT systems control physical processes. They span the divide between the software plane and the physical world.
Often OT and IT share similar technologies, running on similar operating systems, network connections, and digital architectures. But OT is not a direct one-to-one equivalent to its IT counterpart. Most manufacturing OT systems evolved first in an environment where they were air gapped and not connected to outside IT systems. Even as that has changed, they still operate in a world apart from IT.
Effectively managing cybersecurity risk in OT environments requires recognizing the following differentiators:
Risk profile is different: The highest risks posed by OT vulnerabilities tend to be the ones that threaten the availability or integrity of systems rather than the confidentiality of data they contain. While IT is often consumed by privacy and data breach concerns, the thing that keeps OT operators up at night is disruption or malfunction of systems that could threaten the business and people’s safety.
Strategy and approach are different: The consequences of both security incidents and downtime caused by security measures inappropriate for OT run far deeper than for IT systems. An OT attack can more directly impact production, revenue, and the company’s reputation. It’s also not often possible to stop a continuous process in a manufacturing facility to implement security controls or patch operating systems without sufficient planning. Additionally, strict safety regulations add further constraints on how systems can be handled.
Technology is different: OT systems use different protocols, fit-for-purpose hardware, and software with configurations unique to each organization, arcane embedded technology, and a diverse range of endpoints—many of which run unsupported versions that cannot be easily changed due to the operational risk. Legacy systems are entrenched when the lifecycle of expensive OT machinery is measured in decades rather than years.
Required skills are different: The distinctive nature of OT systems means that operators must come to the table with extremely specialized domain expertise in process management and engineering. This means security teams will need to be especially careful to work closely with the specialists to coordinate security execution.
Stakeholders are different: OT cybersecurity planning and strategy must be done in collaboration with the relevant stakeholders, particularly operations engineers and production managers responsible for keeping OT equipment running and maintaining complex ICS vendor relationships.
Many cybersecurity risk management patterns and practices are relevant across both OT and IT domains. The ideas of limiting risk exposure by reducing attack surfaces and hardening configurations around crown jewel assets, for example, hold just as true in OT environments as in IT. Nevertheless, the points outlined above demonstrate how securing OT working environments is a unique proposition.
As manufacturers orchestrate a secure transformation to M4.0, OT cyber planning and execution should be carried out with these differences kept top-of-mind.
Building a Secure Transformation
Until recently, few IT vendors or consultants were able to tailor their cybersecurity solutions to the unique demands of OT environments, and few in-house cybersecurity experts understand the impact of these limitations. Manufacturers seeking to orchestrate a secure transformation will therefore need to work to bridge the gaps in OT security expertise and visibility that likely exist within their industrial facilities. The following are some steps to get started.
Assess what you have
Before embarking on a secure transformation journey, the first step is to establish a baseline assessment of the security posture of the existing OT network and assets. This discovery process should start with business priorities. The assessment team should gather input from the board, executive stakeholders, and asset owners on the highest business priorities tied to OT processes and then survey the environment to understand all the OT assets in place and how those map to high-priority processes.
The team then identifies and ranks the OT assets involved based on business importance. From there, the assessment team should chart out the threat scenarios most likely to target or most likely to cause extreme impact to those high-priority assets. With these scenarios in mind, they can then examine existing controls and how they stack up. This process can help identify gaps and provides a prioritized way to plan out incremental improvement of the cybersecurity protecting the OT already in use on the factory floor.
Plan for what you want to build
Of course, that initial OT cybersecurity roadmap will need ongoing adjustments in the face of secure transformation. As plans for innovation progress, manufacturers can plan for the risks that new technology may introduce by getting cybersecurity stakeholders involved early in the design and architecture of new implementations.
Bringing a Chief Information Security Officer in early to hear about business requirements and help vet new OT vendors can provide valuable insights and circumvent costly mistakes that can put manufacturing processes at risk later down the road. Additionally, bringing in outside experts in OT cybersecurity to evaluate products and configurations can ensure that implementations are secure from day one.
Lean on external services
With heavy OT stakeholder collaboration, an experienced enterprise cybersecurity team should be able to take the lead on strategic planning of a secure transformation. But the highly specialized nature of OT cybersecurity will likely require even experienced internal teams to tap into the expertise and credibility of external partners to see them through many stages of the secure transformation journey.
OT cybersecurity service providers can play a vital role in early assessment and secure design stages. Bringing in an expert, impartial third-party to mediate early discussions between the executive, security, and OT stakeholders can help everyone more quickly get on the same page. Experienced OT cybersecurity consultants have run through the process many times and know the mistakes to avoid and elements of planning most likely to be overlooked.
Meanwhile, when it comes time to execute, OT cybersecurity service providers can also help manufacturers quickly overcome internal skills gaps, for example, in areas like monitoring or ongoing incident response.
Get the right tools
Many IT detection and monitoring tools don’t translate well to OT environments. IT detection tools frequently don’t play nicely with OT systems or are impractical when placed within an OT environment. What’s more, the detection mechanisms and actions they take are based on IT-focused threats. This can be frustrating at best and devastating to OT technology at worst. For example, Dragos experts are repeatedly called to incidents at industrial organizations where they’ve found that Windows AV destroyed ICS applications because they looked odd to heuristics engines unaccustomed to the way ICS functions operate.
This is why manufacturers will need OT-specific cybersecurity tooling that can support the management of risks that matter most in industrial settings.
Key Questions to Ask
Orchestrating a secure transformation to resilient M4.0 technologies will require long-term investment and significant buy-in all the way across a manufacturing organization. As executives prepare to plan and execute their transformative strategies, they should ask their OT and cybersecurity stakeholders some important questions:
- Do we have the in-house OT cybersecurity expertise necessary to assess our existing OT controls gaps?
- Do we have cybersecurity incident response plans and resources in place to respond when major incidents occur?
- Can our existing cybersecurity tools get enough visibility into OT environments to detect OT-specific threats?
- Do we have a process in place to evaluate new OT technology and model threats introduced by future innovation?
- Do we need ongoing external resources to track OT threats in our network?
Thinking seriously about these questions and framing them based on the advice offered above can help manufacturers get serious about securing the future of their competitive prospects in the years to come. Managing the OT cyber risks of digital transformation through these proactive steps can help position manufacturers for greater advantage in their markets—without giving up those gains to costly security incidents along the way.
For additional insights, access Dragos’s “An Executive Primer on OT Cybersecurity”, or its more comprehensive guide, Industrial Cyber Risk Management: A Guideline for Operational Technology.