ML Journal August 2022

Resilient OT Cybersecurity: The Key to Digital Benefits

As manufacturers increase their OT investments, a well-planned cyber strategy is essential to resilience.   

Digital technologies are increasingly accessible and cost-effective for manufacturers, leading to entirely new levels of operational efficiency. While legacy systems are still present in a great number of factories, many are being phased out in favor of newer systems that take advantage of predictive analytics, asset performance management, augmented reality, and other state-of-the-art approaches to improving manufacturing operations.

The benefits of digitalizing operations are top-of-mind, but manufacturing organizations are also considering the increased complexity, exposure, and risk presented by adding more devices and systems that are connected to internal and external networks. To fully realize the promise of digital transformation, manufacturers are thoughtfully and intentionally beginning a journey toward more resilient OT enterprises that can withstand cybersecurity threats.

Cybersecurity Challenges in Manufacturing

Merging manufacturing’s long-standing priorities of efficiency and productivity, legacy infrastructure, and today’s emerging technology results in increased risk for manufacturers across multiple industries.

A report from Food Processing, commissioned by Dragos and Fortinet, found that nearly half (47%) of companies in food & beverage manufacturing believe that the potential exposure to cyberattacks has increased moderately or significantly over the last 12 months. In that report, 100% of respondents ranked crisis management and business continuity as somewhat or very important cybersecurity concerns. Loss of productivity (74%), loss of revenue (71%), and service interruptions (69%) were also top-of-mind for many manufacturing security professionals.

Capgemini Research Institute’s report on smart factories identified pharmaceutical manufacturing as one of the most frequently impacted industries, with 44% of surveyed pharma and life science companies reporting at least one cyberattack impacting smart factories.


The Dragos 2021 Year in Review report – which includes a summary of results from cybersecurity assessments across various industrial environments – found that chemical manufacturers most commonly struggle with managing external connectivity, poor network perimeters, and limited visibility into OT assets.

There are a variety of factors manufacturers must consider when embarking on their cybersecurity journey:

  • Process automation. Automation is commonplace in manufacturing environments. Many manufacturing processes are relatively simple and repetitive, and automating them enables cost savings and more efficient production. Of course, automation also exposes manufacturing processes to risk because threat actors can exploit weaknesses or vulnerabilities in the industrial control systems, devices, components, and software to corrupt or disrupt production.
  • Remote operations. As a result of the COVID pandemic, many organizations have moved to reduce overhead and vendor support costs while maintaining or increasing productivity. Companies are adapting to remote assistance, engineering, and even operations. These capabilities expand the attack surface for threat actors operating from anywhere in the world.
  • Operational focus. A manufacturing facility’s competitive advantage depends on uptime and the availability of systems. Many facilities function in a 24/7, continuous manufacturing mode. Asset management and change control monitoring are crucial, and anything that threatens to disrupt production — like ransomware attacks — can pose an outsized risk in manufacturing environments.
  • Supply chain and partner/outsourcing vendor security. Supply chain attacks are increasing – according to a recent report from the Ponemon Institute, 34% of organizations identified supply chain and third-party security risk as one of their top three security challenges. Most manufacturers rely on a complex web of suppliers, partners, and outsourced vendors, any of which may be compromised by threat actors who then leverage trusted relationships to gain access.
    Increasingly, vendors also have direct connectivity into manufacturing facilities, allowing for easier and more efficient troubleshooting, and enabling real-time data flow that feeds performance enhancements. These direct networks open another potential attack vector in an already highly connected environment.
  • IT cybersecurity strategies cannot be re-deployed in OT environments. Digital transformation is driving more collaboration between IT and OT teams, but no matter who does the work, IT and OT remain two very different worlds with different technological and business objectives. IT cybersecurity strategies are effective in IT environments – OT environments need a different set of solutions and require a different journey. Companies that aren’t treating the two differently are opening their enterprises to additional risks – such as bringing a plant down with a mistimed or uncontrolled vulnerability scan or security patch update.

Defining a Sustainable ICS Cybersecurity Journey

Modern technology and digital transformation will continue to drive a focus on security for cyber-physical systems. Gartner estimates that by 2023, 75% of organizations will restructure risk and security governance to address a landscape that includes IT, OT, internet of things (IoT), and physical security—a 5x increase from 2021.


Despite the complexity, opportunities exist for manufacturers who build a program to address these risks. Forward-thinking manufacturers can benefit in the following ways after making targeted OT cybersecurity investments:

  • Greater volume and speed of projects. Manufacturing organizations continue to streamline and modernize by expanding connectivity and adopting new technologies to drive cost savings and efficiency. Manufacturers that are purposeful about creating and improving their cybersecurity programs can more easily scale these improvements across multiple processes and sites.
  • Operational excellence. Cybersecurity capabilities like asset inventories and visibility into industrial network communications are essential when responding to cybersecurity incidents or addressing vulnerabilities – but they also provide valuable new data and insights about digital assets that can be used day-to-day to diagnose and troubleshoot operational issues.
  • Developing people and skills. A growing base of skilled ICS security practitioners is highlighting the risks and importance of OT security – and communicating those risks more effectively to company leaders and boards.
  • Greater governance. Company executives and boards are more engaged and increasingly recognizing that cybersecurity doesn’t just apply to IT environments. OT networks support the core of the business yet historically have been neglected relative to IT networks.
    Today, leaders are realizing how critical OT networks are for the success of the enterprise and allocating resources accordingly. Manufacturers who have considered OT and industrial operations in their cybersecurity program can confidently and accurately answer questions in the boardroom.
  • Company culture. Organizations are aware of the increased threat landscape and the importance of effective cybersecurity. Security is becoming part of the broader corporate culture, and as manufacturers mature in their OT cybersecurity journeys, their cultures will operationalize strong security programs that ensure more resilient operations.

For manufacturers beginning or evaluating progress along their cybersecurity journeys, Dragos recommends the implementation of five critical controls for meaningful improvements in security posture:

  • Create an ICS-specific incident response plan. An OT incident response plan must be distinctly different from an IT-focused plan. OT involves different device types and communication protocols, as well as different tactics, techniques, and procedures (TTPs) specific to industrial threats. Investigation requires a different set of tools and languages. Managing the potential impact of an incident is different, as is the path to recovery. Companies should consider having a team of responders ready, armed with proactive knowledge of their systems and familiarity with their specific business objectives.
  • Develop a defensible architecture. OT security strategies often start with hardening the environment – removing extraneous OT network access points, maintaining strong policy control at IT/OT interface points, and mitigating high-risk vulnerabilities. However, even when technical controls are implemented correctly during a project, they will atrophy over time without appropriate investment in the people and processes to maintain them. The resources and technical skills required to monitor the environment and adapt to new vulnerabilities and threats are essential to success.
  • Deploy visibility and monitoring. You can’t protect what you can’t see. A successful OT security posture maintains an inventory of assets, maps vulnerabilities against those assets (and mitigation plans), and actively monitors the assets and traffic for potential threats. End-to-end solutions enable deep visibility and prioritized management of vulnerabilities.
  • Enable multi-factor authentication. Multi-factor authentication (MFA) is an excellent way to control access to sensitive applications through an extra layer of security for a relatively small investment. Remote access is a common example where MFA should be utilized and is being broadly adopted across most industries.
  • Develop an effective OT vulnerability management program. Knowing your vulnerabilities – and having a plan to manage them – is a critical component to a defensible architecture. According to the Dragos 2021 ICS/OT Cybersecurity Year in Review, more than 1,200 OT-specific vulnerabilities were released last year, many of them with incomplete or erroneous information.

While patching an IT system like a laptop in an office is relatively easy, shutting down a plant has huge costs. An effective OT vulnerability management program requires timely awareness of key vulnerabilities that apply to the environment, with correct information and risk ratings, as well as alternative mitigation strategies to minimize exposure while continuing to operate.

Every organization is starting from a different place, and every environment is unique. But, with a clear understanding of your risks, impacts, maturity, and gaps, you can create a roadmap that guides your team to implement and maintain a sustainable ICS/OT security program.

To learn more about OT cybersecurity and how your company can improve your security posture, visit www.dragos.com/resources.

About the authors:


Dan Scali is a Senior Director of Strategy at Dragos.

Eddy Wade is a Principal Industrial Consultant at Dragos.