If recent cyberattacks like SolarWinds and Oldsmar have demonstrated anything, it’s that the vulnerability landscape in operational technology (OT) and manufacturing is changing rapidly, and not necessarily for the better. Risks are higher than ever before, and companies need to defend against this increasing industrial cybersecurity threat by changing how they design, develop, service and support their products and systems.
John Livingston, CEO of Verve Industrial Protection, discussed this changing environment and how the industry should respond to increasing threats and vulnerabilities in a video interview with CFE Media and Technology.
“We just released our annual review of ICS vulnerabilities from 2020, and the total number of vulnerabilities has grown by almost 50%, year over year,” Livingston said. “That means that we have a significant [amount] more risk in these environments. Not to mention, when we dive into those vulnerabilities, what we discovered was that those risks are increasing in criticality.”
The two biggest changes, according to Livingston, are the growing volume and criticality of published vulnerabilities and the prevalence of systems that are what he calls “insecure by design.” He said when companies assess vulnerability and security, they must go beyond the standard Common Vulnerability Scoring System (CVSS) score and examine the fundamental design of their systems: a host with no high-scoring CVEs can still be the easiest way into the plant.
For example, do employees have remote access to their devices, and through which tools? What software is installed on those devices? Have user accounts fallen dormant? Do passwords fail to meet policy, or have they gone unchanged for years? Any one of these conditions can let an attacker in without exploiting a single CVE, and together they raise the risk of a successful cyberattack.
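The checklist above can be turned into a repeatable audit. The following Python script is an added illustration, not code from Verve or from the interview: it walks a constructed asset inventory (the field names, the remote-access keyword list and the 90-day and 180-day thresholds are all assumptions for the example), records the insecure-by-design findings on each host, and then rates the host by combining those findings with the highest CVSS score it carries, so that a host with only low-scoring CVEs but an exposed remote-access tool and stale credentials is surfaced rather than buried at the bottom of a CVSS-sorted list.

```python
"""Added example: rate OT hosts on insecure-by-design weaknesses as well as
CVSS exposure. Inventory format, field names and thresholds are assumptions
for illustration, not any vendor's export format or scoring model."""
from datetime import date

# Assumed keyword list of remote-access tools worth flagging on OT hosts.
REMOTE_ACCESS_KEYWORDS = ("teamviewer", "anydesk", "vnc", "logmein")
DORMANT_DAYS = 90            # account unused this long counts as dormant
MAX_PASSWORD_AGE_DAYS = 180  # password older than this counts as stale
LEVELS = ["low", "medium", "high", "critical"]


def _days_since(iso_day, today):
    return (today - date.fromisoformat(iso_day)).days


def design_findings(host, today):
    """Design weaknesses on one host, independent of any CVE.

    Returns (category, message) pairs; category is used for escalation."""
    findings = []
    for sw in host["software"]:
        if any(k in sw.lower() for k in REMOTE_ACCESS_KEYWORDS):
            findings.append(("remote_access", f"remote-access tool installed: {sw}"))
    for acct in host["accounts"]:
        if _days_since(acct["last_login"], today) > DORMANT_DAYS:
            findings.append(("credentials", f"dormant account: {acct['name']}"))
        if _days_since(acct["password_set"], today) > MAX_PASSWORD_AGE_DAYS:
            findings.append(("credentials", f"stale password: {acct['name']}"))
    return findings


def cvss_level(host):
    """Severity from the highest CVSS base score alone (CVSS v3 bands)."""
    score = max((v["cvss"] for v in host["vulnerabilities"]), default=0.0)
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def rate_host(host, today):
    """Escalate the CVSS-only level one step per design-weakness category
    (assumed rule for the example), capped at 'critical'."""
    findings = design_findings(host, today)
    base = cvss_level(host)
    categories = {cat for cat, _ in findings}
    idx = min(LEVELS.index(base) + len(categories), len(LEVELS) - 1)
    return {"host": host["name"], "cvss_level": base,
            "findings": [msg for _, msg in findings], "overall": LEVELS[idx]}


def audit(inventory, today):
    """Rate every host, highest overall risk first."""
    rated = [rate_host(h, today) for h in inventory]
    return sorted(rated, key=lambda r: LEVELS.index(r["overall"]), reverse=True)


def audit_by_host(inventory, today):
    return {r["host"]: r for r in audit(inventory, today)}


# Constructed sample inventory: hostnames, software, accounts and the
# vulnerability records are made up for this example (no real CVE IDs).
AUDIT_DATE = date(2021, 3, 1)
SAMPLE_INVENTORY = [
    {
        "name": "hmi-01",
        "software": ["FactoryTalk View SE", "TeamViewer 15"],
        "accounts": [
            {"name": "operator", "last_login": "2021-02-01", "password_set": "2018-06-01"},
            {"name": "admin", "last_login": "2020-06-01", "password_set": "2019-01-01"},
        ],
        "vulnerabilities": [{"ref": "constructed-1", "cvss": 3.1}],
    },
    {
        "name": "plc-gw-02",
        "software": ["Vendor OPC UA Server 2.3"],
        "accounts": [
            {"name": "svc_opc", "last_login": "2021-02-20", "password_set": "2020-12-01"},
        ],
        "vulnerabilities": [{"ref": "constructed-2", "cvss": 7.5}],
    },
]

if __name__ == "__main__":
    for r in audit(SAMPLE_INVENTORY, AUDIT_DATE):
        print(f"{r['host']}: cvss-only={r['cvss_level']} overall={r['overall']}")
        for msg in r["findings"]:
            print(f"  - {msg}")
```

On the constructed data, hmi-01 rates “low” on CVSS alone but “high” overall because it combines a remote-access tool with dormant and stale credentials, which is the Oldsmar pattern the interview describes; plc-gw-02 rates “high” purely on its CVSS exposure with no design findings. In practice the inventory would come from your asset-management or endpoint-management export, and the keyword list and thresholds should match your own remote-access and credential policies.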
“I think the Oldsmar water facility is a great example of this, where the hacker wasn’t really taking advantage of an industrial control system (ICS)-oriented vulnerability,” Livingston said. “They took advantage of the fact that the network was not basically designed securely – that you had TeamViewer within the environment, and you could remote access into that TeamViewer and make changes.”
To defend against these advancing vulnerabilities, Livingston said, companies need to build a holistic, 360-degree view of risk that accounts for all of the known vulnerabilities but also includes the insecure-by-design set of risks.
For more on the changing industrial cybersecurity landscape, you can view Part 1 of John Livingston’s conversation with Industrial Cybersecurity Pulse, where he discusses how the SolarWinds and Oldsmar attacks affect industrial applications in the present and future.
Watch for future installments from our CEO interview series.