As plant connectivity intensifies, manufacturers need to embrace best practices to address the evolving threat landscape.
The benefits of connected industrial environments can be phenomenal. However, as manufacturers have continued along the digital journey, many have figured out the hard way that their plants were a lot less secure than their corporate IT network. Simply put, the same digitalization efforts that increase productivity, efficiency, and in some instances add new revenue streams, also increases the attack surface.
And, unfortunately, today’s cyber criminals are taking far more targeted, strategic approaches, often with the ability to leverage an entire toolbox of hacks. For instance, they can deploy malware to steal intellectual property, such as working their way into a robot to steal stored parameters providing knowledge a manufacturer spent years developing and perfecting. Additionally, ransomware could bring down a plant, sometimes resulting in catastrophic expenditures. Examples even exist where adversaries have tried to either blow things up or simply take over equipment.
There are many reasons why many manufacturing facilities lack the protection they require – the most common being that manufacturers often rely on older equipment that still functions properly. However, this equipment often lacks patched or sufficient monitoring. Also, according to the CyberX Global Risk Report, 71% of manufacturing sites have outdated Windows systems that no longer receive security patches from Microsoft, and more than a quarter (27%) of these environments have a direct connection to the internet.
“This is significant because for many years IoT environments were air gapped, making it very difficult for an adversary to get in,” says CyberX Vice President of IoT & Industrial Cybersecurity, Phil Neray. “As the industrial IoT grows, more devices are connecting to the internet, enabling an array of new applications for analytics, predictive maintenance, or optimizing the supply chain using real-time intelligence from the plant floor. While this increases connectivity between across the enterprise, it also increases the attack surface.”
Neray suggests the following steps to secure operational environments:
Understanding existing connections. Manufactures need to embrace better ways to understand what devices are connected to the plant networks, and how they're connected to each other. “If you don't know what you have, you can't defend them. We've worked with manufacturers who think they have x number of devices and it turns out they have three times as many devices,” Neray says. “They might be using spreadsheets or relying on documents created when the plan was first built.”
Addressing access paths to crown jewel assets. The initial focus should be on assets that – if compromised – would cause a major impact to the organization, or results in a significant safety incident. Taking this approach enables manufacturers to prioritize mitigation efforts since it’s impossible to fix everything at once. The key is to prioritize based on safety, environmental concerns, as well as revenue generation. “After identifying crown jewel assets, it’s important to figure out the different ways adversaries can reach those assets. Automated threat modeling can help by looking at vulnerabilities and the connectivity in your plant,” says Neray. “You can then identify what are the vulnerabilities that are most important to be fixed, whether it is installing missing patches or isolating a connection between networks to prevent attackers from hopping from one to the other. When patching or segmentation does not go far enough, compensating controls, like continuous network security monitoring, can help identify anomalies, as well as unauthorized activity.”
Replacing IT/OT silos with a Security Operations Center. There cannot be questions about who owns security for the plants. CSOs are being held accountable for protecting the security of the plants, just like they're responsible for protecting everything else in their organization – the IT network, smart building management systems, etc. These are all potential access points an adversary might use to gain access.
Effectively addressing these issues requires collaboration across historical boundaries with key personnel having the ability to provide input. When looking at the connected plant floor, the IoT team should be key stakeholders in how the company implements stronger security. This ensures that efforts avoid hampering production and avoids creating additional work for plant personnel. After all, their job is to produce rather than patching devices and fixing things. Best practices point to having a Security Operations Center in place monitoring threats and alerts, workflows, and security tools in existence to consolidate and correlate information across different parts of the organization.
Written by: Peter Fretty, Technology Editor for Industry Week.