In the modern environment, cybersecurity and manufacturing are inextricably linked. Pack Expo Chicago, a biennial trade show covering new trends in packaging technology, was held from Oct. 23-26 in Chicago. While the show focused on the packaging industry, several of the breakout sessions touched on cybersecurity. On Oct. 25, Jordan Lutz, cybersecurity services sales executive with Rockwell Automation, gave a presentation on “Building Your Cyber Resilience Program.”
Lutz spoke about recognizing the need for operational technology (OT) cybersecurity, how information technology (IT)/OT convergence is a catalyst, how the National Institute of Standards and Technology (NIST) framework and other measures can help improve your security posture, and where to get started. He began by citing a Gartner study on the top drivers impacting information security function and controls in the next three to five years. The Internet of Things (IoT) and cyber-physical systems ranked as the top issue, with 43% of respondents citing it as a concern.
Lutz offered a quote from the study: “Most organizations are still in the awareness phase for [IoT security], but with attack vectors expanding and helpful tools only just emerging, security and risk management leaders need to update their current threat management strategies.”
Why are ICS-focused attacks surging?
This increased threat has been proven true over the years with industrial control system (ICS)-focused attacks on everyone from SolarWinds to Oldsmar to Colonial Pipeline. One of the reasons things are getting worse is that cyber crime continues to pay — and pay handsomely. Lutz said there has been $12 billion in damages due to ransomware attacks in the last three years, and 53% of industrial manufacturers have experienced a cybersecurity breach at their facility during that same stretch.
In recent years, critical infrastructure ransomware attacks have become more frequent, with the food and beverage sector — near and dear to the Pack Expo audience — under increased threat. According to Lutz, industrial companies remain a prime target because they have legacy unpatched infrastructure and a lack of skilled resources to properly manage cyber risk. In addition, most industrial automation environments are poorly inventoried. If you don’t know what is connected in your environment, you cannot properly secure it.
Lutz said one of the major factors spurring cyberattacks on OT systems is IT/OT convergence. This emphasizes the need for the modern, interconnected environment to bridge the gap between IT and OT and the different stakeholders. These groups need to build and grow as a team, create a shared strategy and vision, and execute as a team. In this effort, organizational structure matters because cybersecurity is a team sport. It takes complete buy-in across the organization, which could require cultural changes and a multiyear approach. The goal is to create an “everyone is responsible” mentality, Lutz said.
Cyber resilience and the NIST framework
When trying to build cyber resilience, the first challenge to overcome is the skills gap. Lutz cited a stat that 80% of organizations say they have a hard time finding and hiring security professionals, while 71% say it is impacting their ability to deliver security projects. He recommended using the NIST cybersecurity framework to develop a proactive approach to industrial cybersecurity. Simply choosing a standard and using that to measure your progress can set your organization on a path to cybersecurity maturity.
The NIST Cybersecurity Framework is:
Before the attack, organizations must identify threats and protect systems. During the attack, they must detect attackers. After the attack, they must respond and recover.
Risk-informed cyber strategy
Lutz concluded by presenting three different cyber strategies. The first was what he called a risk-informed cyber strategy. This model will help companies improve their risk posture with limited capital expenditure and shortened implementation timelines. The steps are:
- Establish asset visibility
- Determine your current risk posture
- Develop a base cybersecurity hygiene program
- Have OT network readiness
Repeatable cyber strategy
The next option was a repeatable cyber strategy. This approach is a more foundational way to improve overall cybersecurity risk posture with moderate capital investments and defined operational expenditures. The steps are:
- Comprehensive installed base review and migration
- Deploy segmentation between IT and OT environment
- Secure endpoints
- Deploy continuous threat detection
- Monitor and manage OT environment
- Create a disaster recovery plan
Adaptive cyber strategy
The final option was an adaptive cyber strategy. This approach outlines a comprehensive OT cyber strategy, providing a multiyear approach and a blueprint for all elements of an adaptive program. This would include detailed financial capital planning, cultural change management outcomes and workforce skills gap mitigation by providing security managed services. The steps are:
- Modernize plant or enterprise installed base
- Modernize OT networks
- Deploy continuous monitored capabilities
- Expand to integrated security management and administration
- Augment workforce with a security operations center
- Develop incident response handling
Building a cyber resilience program takes time and effort, but threat actors are always looking to exploit industrial systems. The goal is to harden your security posture to deter attackers and prepare your organization to respond quickly in the event of a cyberattack. This will help minimize damage and downtime, and keep your business running in the event of an attack.