Using defensive deception to prevent IT/OT manufacturing threats

Courtesy: CFE Media
Courtesy: CFE Media

Protecting information technology (IT) and operational technology (OT) networks is crucial to safeguarding the manufacturing industry. As part of the SecureAmerica’s Institute’s (SAI) nationwide initiative to empower the U.S. manufacturing enterprise, SAI and partners at North Carolina State University (NC State) and Airgap Inc. are developing technology to resist attacks, detect attacks in progress and ensure an IT/OT system can automatically restore itself to a trusted state.

Cyberattacks are one of the biggest threats to any organization and commonly target IT networks, (which share information, data and resources between computers in an organization). The manufacturing industry is particularly vulnerable because its IT networks are linked to operational technology (OT) networks that directly control machine functions and processes. If an attacker corrupts the entire IT/OT system, it can lead to a complete business shutdown, resulting in financial losses and ripple effects across the industry.

“Most of the manufacturing in the U.S. happens in small and medium-size firms, making them an ideal target,” said Rob Gorham, SAI’s executive director. “The NC State team’s effort to protect valuable manufacturing capabilities across IT and OT is important in the SecureAmerica Institute’s journey to enable robust manufacturing supply chains.”

“Manufacturing equipment is expensive, and many smaller manufacturers have limited resources when it comes to technical expertise and budget,” said Dr. Munindar Singh, alumni distinguished graduate professor in NC State’s computer science department. “This means their networks are not always following the best practices needed to quickly isolate and mitigate potential threats.”

Singh and his partners, Abhi Muthiyan, architect of Airgap Inc., and Dr. Samudra Vijay, president and CEO of SAM Analytic Solutions, are collaborating on a two-fold automated approach for manufacturers to detect and resist cyberthreats. A virtual honeypot (a security mechanism that creates a trap to lure bad actors) is created to deceive potential attackers paired with an appliance to isolate an OT network from its backup.

“Malware and ransomware can easily penetrate an entire system,” Muthiyan said. “We are trying to prevent entire manufacturing plants from shutting down due to attacks and help them recover swiftly. Our isolation methods retain local backup copies, which enable recovery in hours, as compared to recovery in days for cloud backups.”

Backups should be immediately separated from the network to protect sensitive data in the event of a cyberattack. Vijay and his colleagues are developing a device to immediately cut off backups from the network and prevent attackers from accessing the entire system.

“Isolation of threats permits companies to continue operations while assessing the problem and decreasing severe impacts,” Vijay said. “This technology can dramatically increase the resilience of small businesses and manufacturing entities.”

The NC State team applies layers of detection and deception to IT/OT networks including vulnerability detection, file system monitoring and dynamic provisioning of honeypot resources for programmable logic controllers, human-machine interface and supervisory control and data acquisition systems.

This intentionally compromised system will mimic a vulnerable manufacturing machine and trick the attacker. Once malicious intent is discovered, the risk analyzer categorizes the threat and triggers alerts, specific device isolation or entire network isolation. “We want to trap the attacker in the least disruptive way to an organization and convince them they’re getting something valuable when they’re not,” Singh said.

Most traditional approaches to cybersecurity assume the attacker is outside the walls — that an organization or business is like a walled city and is safe.

“In reality, most attacks come from within. This could happen through phishing attempts, corrupted USB drives and more,” Singh said. “That’s why we need to isolate different parts of the walled city from one another. If an attack only corrupts one small corner, we can limit further harm and strengthen the industry.”




Keep your finger on the pulse of top industry news