Manufacturing ecosystem insights
- The manufacturing ecosystem is constantly at risk for cyberattacks.
- To mitigate risk, OT-CERT resources are one way to practice cyber hygiene.
- Five key mitigation controls are an ICS incident response plan, a defensible architecture, OT visibility and monitoring, secure remote access, and a risk-based vulnerability management program.
The large manufacturing ecosystem across industry sectors recognizes that security threats are proliferating rapidly across its domains. Corporations are reporting record profits, and because cybercriminals have always operated on a “follow the money” basis, those profits make manufacturers attractive targets for ransomware. At the end of October, for instance, Aurubis, the largest copper producer in Europe, had to shut down many of its IT systems after an apparent ransomware attack.
Most manufacturers also realize that cyber threats are no longer limited to IT systems. For many years, industrial control systems (ICS) and operational technology (OT) were considered relatively safe because they were mostly closed-loop systems without internet access. This is changing quickly, however, as manufacturers look to modernize their facilities using devices connected to the Internet of Things (IoT).
The Manufacturing Leadership Council (MLC), part of the National Association of Manufacturers, has identified cybersecurity as a key issue for members. Dragos research has shown an increase in ransomware and other attacks on the manufacturing ecosystem, making the sector one of the top targets for cybercriminals. Attackers know that manufacturing plants cannot afford downtime, nor potential threats to the quality of their output.
The Nature of the Threat Environment
Ransomware is the most visible cyber threat to the manufacturing ecosystem. The initial impact on Colonial Pipeline in 2021 was within its IT systems, but out of an abundance of caution the company had to shut down some of its pipelines to keep the attack from spreading to its OT environment. The ripple effect was significant: gasoline and jet fuel shortages spread up and down the East Coast, gas stations faced long lines of anxious and angry customers looking to fill their vehicles, and airline traffic ran into bottlenecks.
The attack had several longer-term effects. It set off alarm bells not just in Congress but in the numerous federal agencies responsible for the 16 critical infrastructure sectors identified by the U.S. Department of Homeland Security. In the wake of the attack, the White House continues to expand efforts to improve the security of industrial control systems with a multi-year, public-private partnership strategy.
High visibility cyber incidents like these tend to raise awareness across industries. A survey conducted by MLC found that nearly 62% of respondents said they have a formal OT cybersecurity plan; nearly 40% have “high confidence” in their internal expertise, while another 46% said they have “moderate” confidence. More than half have adopted the NIST framework for OT cybersecurity. But the survey also found that almost 50% of those surveyed said they had been targeted or had been a victim of a cyberattack.
Despite those numbers, less than half of respondents — 48% — said they have introduced or changed cyber requirements for third parties, such as vendors, with whom they share data.
“I would bet you that if you went back to your cyber team and said, ‘Do we protect our intellectual property in our OT devices on the plant floor,’ you might get an aha moment with them, and I think that’s a really important aha moment because this has happened,” said Dawn Cappelli, Dragos’ director of OT-CERT. “There was an actor who got into an OT environment, stole the intellectual property from OT devices, exfiltrated it and then sold it for millions of dollars … [Your cyber teams] know that your IP is protected in IT. You know where it is, and you have a lot of controls. But if they can get into your OT environment, it will be much easier for them to extract that intellectual property.”
Another risk, Cappelli said, involves building automation systems.
“There was an … external attacker who got into a company’s OT environment and then access[ed] the building automation systems,” she said. “They shut down HVAC systems, and suspended refrigeration. In this company, that had a big negative impact.” The lesson in that example is that every company’s risk is different, she explained.
The third kind of OT threat Cappelli described comes from an insider, whether a current or a former employee. She cited one instance where a former employee still had access to the company’s OT systems. “After he left, he repeatedly went into their OT environment and shut down pumps, he shut down alarms, he interrupted communications and did that over and over again.”
Companies may have routines in place to revoke ex-employees’ access to IT systems, she warned, but they often don’t apply the same practices to OT systems.
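One concrete way to close the offboarding gap described above is to reconcile the account lists exported from each OT system against the HR roster and flag any account whose owner has left, especially one that has logged in since the owner’s departure. The script below is an added illustration, not code from Dragos, OT-CERT or the MLC; the roster, the system names and the account exports are constructed sample data, and the field layout (owner id, last login) is an assumption about what such exports contain.

```python
"""Orphaned OT account check (added example; constructed data throughout).

Assumes each OT system (HMI, historian, remote-access gateway, ...) can
export its local accounts with an owning employee id and a last-login
date, and that HR can supply a roster mapping employee id -> departure
date (None while the employee is active).
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class OtAccount:
    system: str              # constructed system name, e.g. "hmi-line1"
    username: str
    owner_id: Optional[str]  # HR employee id; None for shared/service accounts
    last_login: date


# Constructed HR roster: employee id -> departure date, None if still employed
HR_ROSTER: Dict[str, Optional[date]] = {
    "E100": None,
    "E101": date(2022, 10, 14),   # left the company in October (constructed)
    "E102": None,
}

# Constructed account exports from three OT systems
OT_ACCOUNTS: List[OtAccount] = [
    OtAccount("hmi-line1", "jdoe", "E100", date(2022, 10, 20)),
    OtAccount("hmi-line1", "bsmith", "E101", date(2022, 10, 28)),  # login after departure
    OtAccount("historian", "bsmith", "E101", date(2022, 9, 1)),
    OtAccount("remote-gw", "vendor_svc", None, date(2022, 10, 30)),
    OtAccount("plc-eng", "eng_shared", None, date(2022, 10, 25)),
    OtAccount("historian", "kwong", "E102", date(2022, 10, 29)),
]


def find_orphaned_accounts(accounts: List[OtAccount],
                           roster: Dict[str, Optional[date]]) -> List[OtAccount]:
    """Accounts whose owner has a departure date or is unknown to HR.

    An owner id that HR does not recognise is treated as orphaned too:
    nobody can vouch for it, so it must be reviewed."""
    orphans = []
    for acct in accounts:
        if acct.owner_id is None:
            continue                      # handled by find_unowned_accounts
        if acct.owner_id not in roster or roster[acct.owner_id] is not None:
            orphans.append(acct)
    return orphans


def find_post_departure_logins(accounts: List[OtAccount],
                               roster: Dict[str, Optional[date]]) -> List[OtAccount]:
    """Orphaned accounts that were still used after the owner left.

    These are the highest-priority findings: access that should have been
    revoked at offboarding is demonstrably still in use."""
    hits = []
    for acct in find_orphaned_accounts(accounts, roster):
        departed = roster.get(acct.owner_id)
        if departed is not None and acct.last_login > departed:
            hits.append(acct)
    return hits


def find_unowned_accounts(accounts: List[OtAccount]) -> List[OtAccount]:
    """Shared or service accounts with no individual owner of record.

    They cannot be reconciled against HR at all, so each needs a named
    owner and a review of who holds the credential."""
    return [acct for acct in accounts if acct.owner_id is None]


def summarize(accounts: List[OtAccount],
              roster: Dict[str, Optional[date]]) -> Dict[str, int]:
    """Counts for a quick dashboard line or ticket summary."""
    return {
        "orphaned": len(find_orphaned_accounts(accounts, roster)),
        "post_departure_logins": len(find_post_departure_logins(accounts, roster)),
        "unowned": len(find_unowned_accounts(accounts)),
    }


if __name__ == "__main__":
    for acct in find_post_departure_logins(OT_ACCOUNTS, HR_ROSTER):
        print(f"REVOKE NOW: {acct.system}/{acct.username} "
              f"(owner {acct.owner_id} departed, last login {acct.last_login})")
    print(summarize(OT_ACCOUNTS, HR_ROSTER))
```

Running this on the constructed data flags the departed employee’s HMI account, which was used two weeks after the departure date, and lists the two shared accounts that have no owner to reconcile against. In practice the same reconciliation runs on a schedule, and a non-empty post-departure list is the trigger for an immediate revocation ticket.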
Mitigating Risk — and the Role of OT-CERT
Cappelli highlighted five critical controls identified by the SANS Institute that Dragos recommends for protecting OT environments:
- An ICS incident response plan
- A defensible architecture
- OT visibility and monitoring
- Secure remote access, with multi-factor authentication
- A risk-based vulnerability management program
She discussed each of these points, but highlighted OT visibility for the manufacturing ecosystem. “You can’t protect what you can’t see,” Cappelli pointed out. “Your IT security technologies are not sufficient to protect OT. Some of them are a great partner to OT controls, but you need more specific solutions to address your OT environment.” There are tools available to provide that OT visibility, which she characterized as a “need to have.”
OT usually isn’t connected directly to IT, making vulnerability management a significant challenge. “As a [former] CSO, I can tell you this is the biggest challenge for CSOs with OT environments,” Cappelli said. “If you’re from the OT world, you know that we can’t just push out patches — it can bring down the plants [or] parts of the plants.” As a result, CSOs struggle with how to patch ICS/OT products.
“The good news is, only 4% of [published] vulnerabilities in ICS/OT required immediate action. They only require immediate action if they’re actively being exploited, or a public exploit has been put out there,” Cappelli said. “If you have a defensible architecture and you have OT network visibility and monitoring, you can just shelve the rest and do a risk analysis. But wait until the next scheduled downtime to worry about the priority vulnerabilities.”
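The triage rule Cappelli describes can be written down directly: a finding gets immediate action only when it is actively exploited or a public exploit exists; everything else is risk-ranked and queued for the affected plant’s next scheduled downtime. The script below is an added example, not Dragos or OT-CERT tooling; the vulnerability ids, assets, plants, CVSS-style scores and downtime dates are all constructed placeholders, and the exposure multiplier for assets reachable from the IT network is an assumed weighting, not a published formula.

```python
"""Risk-based ICS/OT vulnerability triage (added example; constructed data).

Rule applied: immediate action only for actively exploited vulnerabilities
or those with a public exploit. Everything else is ranked by an assumed
risk score and scheduled for the plant's next planned downtime.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass(frozen=True)
class Vuln:
    vuln_id: str             # placeholder id, not a real advisory number
    asset: str               # constructed asset name
    plant: str               # constructed plant name
    cvss: float              # assumed base score in the 0-10 CVSS range
    actively_exploited: bool
    public_exploit: bool
    reachable_from_it: bool  # asset exposed beyond its OT zone (assumed attribute)


# Constructed next scheduled downtime per plant
DOWNTIME: Dict[str, date] = {
    "plant-a": date(2022, 12, 3),
    "plant-b": date(2023, 1, 14),
}

# Constructed vulnerability findings
VULNS: List[Vuln] = [
    Vuln("VULN-0001", "hmi-line1", "plant-a", 9.8, False, True, True),
    Vuln("VULN-0002", "plc-packaging", "plant-a", 7.5, False, False, False),
    Vuln("VULN-0003", "historian", "plant-b", 8.1, True, False, True),
    Vuln("VULN-0004", "eng-workstation", "plant-b", 6.5, False, False, True),
    Vuln("VULN-0005", "plc-mixer", "plant-b", 5.3, False, False, False),
]

# Assumed weighting: an asset reachable from IT is a likelier first hop
IT_EXPOSURE_MULTIPLIER = 1.5


def needs_immediate_action(v: Vuln) -> bool:
    """The article's criterion: exploited in the wild or public exploit."""
    return v.actively_exploited or v.public_exploit


def risk_score(v: Vuln) -> float:
    """Rank the deferred backlog; exposure outweighs raw severity."""
    return v.cvss * (IT_EXPOSURE_MULTIPLIER if v.reachable_from_it else 1.0)


def triage(vulns: List[Vuln], downtime: Dict[str, date]) -> dict:
    """Split findings into an immediate list and per-plant downtime queues.

    Returns {"immediate": [ids], "scheduled": {plant: {"window": date,
    "vulns": [(id, score), ...] sorted by score, highest first}}}."""
    immediate = [v.vuln_id for v in vulns if needs_immediate_action(v)]
    scheduled: Dict[str, dict] = {}
    for v in vulns:
        if needs_immediate_action(v):
            continue
        queue = scheduled.setdefault(v.plant, {"window": downtime.get(v.plant), "vulns": []})
        queue["vulns"].append((v.vuln_id, risk_score(v)))
    for queue in scheduled.values():
        queue["vulns"].sort(key=lambda item: item[1], reverse=True)
    return {"immediate": immediate, "scheduled": scheduled}


def immediate_fraction(vulns: List[Vuln]) -> float:
    """Share of findings that actually demand out-of-cycle action."""
    if not vulns:
        return 0.0
    return sum(1 for v in vulns if needs_immediate_action(v)) / len(vulns)


if __name__ == "__main__":
    result = triage(VULNS, DOWNTIME)
    print("Immediate action:", result["immediate"])
    for plant, queue in result["scheduled"].items():
        print(f"{plant}: next window {queue['window']}, backlog {queue['vulns']}")
    print(f"Immediate fraction: {immediate_fraction(VULNS):.0%}")
```

On the constructed data, two findings go to the immediate list because of a public exploit and active exploitation, while the remaining three are queued against each plant’s downtime window in risk order. The point of separating the two paths is that the deferred queue is only safe to defer when the defensible architecture and OT monitoring the article mentions are in place; the script assumes those controls exist and ranks within that assumption.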
While the largest manufacturers may have big, complex OT environments, they also have the internal and financial resources to protect their facilities. Cappelli said that it’s the small and medium-sized manufacturers who may be at greater risk of attack because they don’t have the same technical or financial depth.
Original content can be found at Dragos.