How manufacturers can bolster resilience through operational technology cybersecurity
Over the last few years, cyber attacks on manufacturing plants and public infrastructure have grown more severe and had a greater impact on the public. Recent incidents in critical infrastructure organizations highlight the evolving threats these operational environments face.
With the rise of M4.0 and growing dependency on data, manufacturers must transform their thinking about cybersecurity for operational technology (OT). While quick fixes or ad hoc policies might beckon, the long-term strategy should be to build a resilient organization to battle current and future threats.
Typical Cybersecurity Challenges
While difficulties securing manufacturing facility environments stem from several factors, loose governance is one of the prime culprits. Many times, roles and responsibilities for cybersecurity in a plant are not well defined. The automation engineer has many operational responsibilities, but sometimes cybersecurity is an afterthought and assigned as a hobby task. To make matters worse, relationships between other people or groups within the facility or enterprise aren’t formalized, leading to a vulnerability if an emergency should arise.
Limited expertise also poses a challenge. The idea of OT cybersecurity has only been around for about 15 years, and not many people have experience across M4.0, automation, and cybersecurity, resulting in a dearth of qualified OT cybersecurity resources. It takes a special combination of skill sets — from industrial control equipment and software to proprietary network protocols — and a fundamental understanding of the threats facing the OT space.
At the same time, threats continue to evolve. Since Stuxnet in 2010, threats to OT have increased exponentially, both in targeted attacks against infrastructure and collateral damage from ransomware. This escalation underscores the need for a resilient, strategic, and holistic approach to OT cybersecurity rather than an ad hoc, quick-fix approach.
Organizations also often lack risk visibility. Many manufacturing facilities have a surfeit of data on production, raw material usage, energy consumption, and quality of product. One area of great need is an understanding of the risk associated with this data.
First, the infrastructure of the OT must be inventoried and managed in a way that facilitates a quick response to cyber events. If a vulnerability is located in a certain programmable logic controller (PLC), it could more easily be mitigated if the plant engineers know the location of the PLCs, the version of software and firmware, and the correct patch to install. Many factories do not have this inventory in an organized and secure location that can be quickly accessed by the appropriate personnel.
Second, the data moving between devices on the plant floor is a treasure trove of information concerning normal operation versus anomalous and potentially dangerous communication. Tools are available to view this data flow between devices and discern the risk to operations.
Finally, the fundamental difference between IT and OT cybersecurity processes precludes the ability to use tools meant for IT on OT devices, systems, and networks. These differences need to be understood at the enterprise level so that an OT cybersecurity program can be effective. Typical differences that can cause catastrophic production failures include nontraditional operating systems and applications; 24/7 operational requirements (100% availability needs); and primary directives on human safety. According to a study by TrapX Security, only 41% of responding organizations have a dedicated security team to secure their operational technology, while 32% of respondents rely on their IT teams to defend their OT platforms against cyber threats.
Creating a Transformational OT Cybersecurity Program
To address the challenges of OT cybersecurity, enterprises must look at the problem holistically. The path to a resilient program starts with understanding the business risk to the enterprise from unsecured OT environments. The following steps outline how to start and what is required:
1. Understand the business risk.
An OT assessment is a critical starting point for any organization to gain insight into the current state of its OT environment, including control system risks and vulnerabilities. This phase should answer five key questions:
1. What is in my production environment?
2. What is important to my organization?
3. What is my current cyber posture?
4. How can I reduce risk now?
5. How do we establish a continuous risk reduction approach that makes sense to the organization?
Many times, organizations lack a clear picture of what is in their environment and the associated business risks. It’s important to get a firm grasp of the devices, software, and network architecture to achieve a baseline that can be used to build a road map of needed improvements. At this stage, the organization should deploy a tool or process that analyzes qualitative and quantitative data to identify the specific risks that matter most to the business.
An asset inventory with asset categorizations can be developed at the same time. These categorizations enable risks to be scored appropriately. For example, a PLC with many vulnerabilities that is used for a low-priority task will be scored low in priority, but a PLC with only one vulnerability on a critical task would be scored high. These insights are key to the development of a tailored OT security program that is in line with the organization’s risk tolerance and strategy to identify the most significant risks to the business.
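The inventory-and-scoring idea above, and the earlier point that a quick response to a PLC vulnerability depends on knowing where the PLCs are and what firmware they run, as an added Python example that is not from the article or the authors. Asset names, locations, firmware versions and vulnerability identifiers are constructed placeholders; the weighting scheme is an assumption chosen so that one severe finding on a critical asset outranks many findings on a low-priority one.

```python
from dataclasses import dataclass, field

# Weight of the task a device supports (assumed categorization): the higher
# the weight, the more a disruption hurts production or safety.
CRITICALITY_WEIGHT = {"low": 1, "medium": 3, "high": 6, "safety": 10}

@dataclass
class Asset:
    asset_id: str
    location: str        # plant / line / cabinet, so engineers can find it
    model: str
    firmware: str
    criticality: str     # key into CRITICALITY_WEIGHT
    vulns: list = field(default_factory=list)  # (vuln_id, severity 0-10), constructed

def risk_score(asset: Asset) -> float:
    """Criticality-weighted score. The worst finding dominates; extra findings
    add a little so ties break toward more exposure but never outweigh criticality."""
    if not asset.vulns:
        return 0.0
    worst = max(severity for _, severity in asset.vulns)
    extra = 0.1 * (len(asset.vulns) - 1)
    return CRITICALITY_WEIGHT[asset.criticality] * (worst + extra)

def prioritize(inventory):
    """Order the inventory so the road map starts with the highest-risk assets."""
    return sorted(inventory, key=risk_score, reverse=True)

def assets_running(inventory, model, firmware):
    """Answer 'which PLCs run this firmware, and where are they?' from the inventory."""
    return [a for a in inventory if a.model == model and a.firmware == firmware]

# Constructed sample inventory; vuln ids and severities are placeholders, not advisories.
INVENTORY = [
    Asset("PLC-01", "Line 1 / Cabinet A", "PLC-X", "2.1", "low",
          [("VULN-A", 7.5), ("VULN-B", 6.1), ("VULN-C", 5.3)]),
    Asset("PLC-02", "Line 2 / Safety cabinet", "PLC-X", "2.0", "safety",
          [("VULN-D", 7.0)]),
    Asset("PLC-03", "Utilities / Boiler room", "PLC-Y", "4.4", "high", []),
]

if __name__ == "__main__":
    for a in prioritize(INVENTORY):
        print(f"{a.asset_id:7} {a.criticality:7} {risk_score(a):5.1f}  {a.location}")
    print("PLC-X on 2.0:", [a.asset_id for a in assets_running(INVENTORY, "PLC-X", "2.0")])
```

With this weighting, PLC-02 (one finding, safety task) ranks above PLC-01 (three findings, low-priority task), which is the ordering the text argues for.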
At that point, it’s time to close foundational gaps. Once a baseline of current conditions is established, anything that is critical can be corrected quickly. The assessment of the environment will also reveal high-risk vulnerabilities that may require a longer-term perspective to fix. These high-risk targets can be addressed in the road map.
2. Align the cyber risk to the business mission and develop a governance structure and road map.
While it’s tempting to stay on the path of fixing high-risk problems, the more resilient approach is to address the foundations of any OT cybersecurity program. This is the next step to transforming how cyber risk is managed. Once you gain visibility and stabilize the environment, it’s time to focus on building the program’s foundation to further reduce risk.
This requires aligning governance to an OT cybersecurity standard such as NIST or NEMA. Also, organizations need to define an OT cyber program future state, strategy, and road map to reduce risk, optimize investments in digital transformation, and align with enterprise risk appetite.
It’s also necessary to define roles and responsibilities by formalizing and socializing a governance model for the ongoing oversight of OT risk management, as well as a set of clear roles and responsibilities that will support the ongoing operation and sustainability of the OT cyber program.
In addition, action must be taken to establish cybersecurity compliance with known regulations (if required).
An awareness and training program also should be created. To do so, use an existing safety culture and augment it with OT cybersecurity awareness, techniques, tools, and policy education. This is one of the easier programs to build since many times the safety education structure is already in place.
3. Institute a program of continuous improvement.
Establishing an OT cybersecurity program is the start of an ongoing practice of continuous improvement. Bad actors are not static; their methods, tools, and motivation change daily. It’s important to continually reassess the protections in place and constantly monitor for new threats.
One key activity for continuous improvement is to establish transformation measurements. A measurement program should distill control-level requirements into simple-to-understand measures of maturity, and progress should consistently be reported to senior leadership. Use this metrics program to tell your success story.
Organizations also should deploy mitigation tools and policy as per the road map. Execute your implementation plans with the support of a diverse team of professionals versed in operational technology, production processes, cyber, change management, supply chain, process design, and risk management. This may require outside resources.
Another vital step is to enhance the threat response. Enhanced monitoring controls will improve your ability to respond to cyber incidents that impact production. You should define custom alerts and build out OT-specific response playbooks for your Security Operation Center (SOC) analysts, as well as prepare and practice for OT cyber incidents. A critical component of any threat response program is to establish a recovery plan. After experiencing a significant disruption (e.g., a ransomware attack), your production line should return to normal operations as quickly as possible. Strategies for establishing a viable recovery plan must include creating a baseline state (the asset inventory and the known-good network connection state) and a method to confirm that a return-to-normal condition has been restored.
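The known-good connection baseline and return-to-normal check described above, and the earlier point that plant-floor data flows distinguish normal from anomalous communication, as one added Python example that is not from the article or the authors. Host names are constructed placeholders; the flow-list text format and the use of TCP port 502 (Modbus/TCP) and 44818 (EtherNet/IP) for the sample links are assumptions for illustration.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src dst port")

# Constructed known-good baseline captured during normal production.
BASELINE = {
    Flow("hmi-01", "plc-01", 502),      # HMI polling the line PLCs over Modbus/TCP
    Flow("hmi-01", "plc-02", 502),
    Flow("historian", "plc-01", 502),
    Flow("eng-ws", "plc-01", 44818),    # engineering workstation programming link
}

def parse_flows(lines):
    """Parse 'src dst port' lines (assumed export format from a flow collector)."""
    flows = set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port = line.split()
        flows.add(Flow(src, dst, int(port)))
    return flows

def deviations(baseline, observed):
    """Unexpected flows are communication the baseline never saw (anomalous, or a
    new device); missing flows are links that have not come back after recovery."""
    return {"unexpected": observed - baseline, "missing": baseline - observed}

def return_to_normal(baseline, observed):
    """True only when every baseline link is back and nothing new is talking."""
    d = deviations(baseline, observed)
    return not d["unexpected"] and not d["missing"]

# Constructed capture mid-recovery: plc-02 not yet reconnected, and an unknown
# laptop using the programming port to plc-01, which the baseline never contained.
DURING_RECOVERY = """
hmi-01 plc-01 502
historian plc-01 502
eng-ws plc-01 44818
laptop-7 plc-01 44818
"""
# Constructed capture after recovery: matches the baseline exactly.
AFTER_RECOVERY = "hmi-01 plc-01 502\nhmi-01 plc-02 502\nhistorian plc-01 502\neng-ws plc-01 44818\n"

if __name__ == "__main__":
    print(deviations(BASELINE, parse_flows(DURING_RECOVERY.splitlines())))
    print("restored:", return_to_normal(BASELINE, parse_flows(AFTER_RECOVERY.splitlines())))
```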
Finally, it’s critical to visualize your OT risk in real time. Create an OT Security Operation Center or align your existing IT SOC with your business mission and objectives to provide real-time visibility into business risks, personnel safety, environmental safety, quality, customer orders, and trade secret protection. For advanced organizations, use real-time risk data for improved decision-making to move beyond threat response to proactive risk management with an OT Risk Operations Center.
M4.0 Challenges Require IT and OT Realignment
Digital transformations with M4.0 drive innovative changes in how organizations leverage technology to gain insights and capture market opportunity. Some of the most significant changes to OT environments are being driven by automation and artificial intelligence (AI) to improve reliability, performance, productivity, and safety.
Cyber is an often-overlooked yet critical component in the digital transformation of operational technologies and must be addressed for an organization to fully realize the benefits of its investment. Overlooking cybersecurity in the new world of M4.0 introduces unneeded risk to the finances of an organization. Companies should consider the methods outlined in this article as a path to lower the risk to their plants and thereby help protect revenue and profits.
It’s important for OT cybersecurity metrics to be integrated with other key components in any M4.0 environment. By transforming OT cybersecurity defenses into a holistic program, companies will protect valuable M4.0 data, realize safer working conditions, and secure production quality and brand protection.
About the author:
Douglas Clifton is a Managing Director in Ernst & Young LLP’s National Cyber Security group based out of Dallas, Texas.
Ken Keiser is a Manager in the Consultant Services at EY and a practice lead for Operational Technology (OT) Cybersecurity.