According to a number of different reports, the manufacturing industry is one of the top targeted sectors by cyber criminals. To celebrate Manufacturing Day, and in the midst of Cybersecurity Awareness Month, industrial cybersecurity company Dragos brought together thought leaders Robert M. Lee, CEO and co-founder of Dragos, and Blake Moret, chairman and CEO of Rockwell Automation, to delve into critical topics surrounding the current state of manufacturing cybersecurity, manufacturers’ responses to increasing risks and the journey to enhance operational technology/industrial control system (OT/ICS) cybersecurity.
The current state of manufacturing cybersecurity
The webinar was kicked off by Lee, who gave his assessment of the current state of the manufacturing industry and manufacturing cybersecurity. According to Lee, the manufacturing sector tends to be more innovative and embraces new technologies like automation. But with this value comes some consequences, such as an increased attack surface.
Attacks on manufacturing have essentially doubled, and corporate boards and high-level executives are fully aware of that fact. Members of various boards talk to each other, share information and know about compromises that don’t reach the media.
But even with that, most companies spend 95% of their security budget on the information technology (IT) portion, not the OT portion. And that’s a problem because much of a company’s revenue generation and impact on safety comes from the OT side of the house.
“Most executive teams, and especially the boards, are realizing that the enterprise cybersecurity investments that they had depended on before are not actually enterprise-wide,” Lee said. “Most of the enterprise cybersecurity that people talk about is enterprise IT cybersecurity.”
Lee said the good news is that awareness of OT security is now happening on boards. They’re looking at how they’re going to invest and who has the expertise.
“The temperature is increasing pretty quickly, where there is not an appetite to ignore the risk to the actual revenue portion,” Lee said.
Risks to the supply chain
When asked about how Rockwell is managing risk around their supply chain, Moret said that China and cyber risk are the two biggest interrelated topics in boardrooms today. From a supply chain standpoint, manufacturers have just come out of more acute shortages around chips and other products. So in addition to the potential for attacks against their own companies, there is also a lot of concern about suppliers suffering attacks.
Companies expect their suppliers to have a certain operating standard and a willingness to undergo audits. They need supplier software and products to be safe, so it doesn’t create an easy path into their own architecture.
Moret said that because suppliers are part of Rockwell’s offerings, they need to uphold the same standards. And this isn’t just a problem for big companies; it impacts small- to medium-sized companies, as well. They generally can’t afford the IT staffs of bigger companies, so they really have to trust their partners. “Protecting the supply chain is everybody’s responsibility,” Moret said.
The rising level of cyberattacks
Lee said that the rising level of cyber threat can often lead to exhaustion in company leaders, or a feeling that they can never do enough. Sometimes there is an attitude of: “Why even invest if we’re just going to get hacked?”
Lee argued that while the media and the cybersecurity community celebrate hacks, they don’t do enough to celebrate wins. He said we owe it to the community to amplify positive stories more often and celebrate manufacturing when they do the right things and win. Defense is doable, and it is not inevitable that the adversary will win.
Moret cited that 29% of industrial companies reported an attack, and those are only the ones that were reported, so it’s the job of executives to deal with it. Companies need to make sure they’re addressing simple blocking and tackling, and the basics of a true defense-in-depth strategy. They also need to set up the right governance structure.
Manufacturers’ response to risk
According to Moret, cybersecurity is one of the top five concerns of executives and boards, along with things like inflation and supply chain disruption. It’s also a major stumbling block in the move toward smart manufacturing.
“Cybersecurity resilience is the first and the last question to investment decisions toward moving more into smart manufacturing by our clients — period,” Moret said. “It’s overwhelmingly the largest obstacle toward faster adoption of smart manufacturing technologies.”
The number of attacks has almost doubled in the last year. Companies need to be able to put a strategy in place that makes them the hardest possible target. Moret said 100% resilience is not going to be achievable. Companies should be looking for progress over perfection. The goal is to be better today than you were the day before.
Another thing that can help protect OT/ICS is creating designs for systems that are secure right from the start. Security should never be an afterthought with new technologies.
“You don’t want to put something in place and then touch it up afterward,” Moret said. “Just as we design for security and just as we design for getting better information out of our real-time control systems, these systems have to be secure by design. Again, it goes back to a defense-in-depth strategy.”
These systems should be IEC compliant and have segmented networks, so if something happens, it can’t easily proliferate across systems. Moret pointed out that this isn’t easy and needs to be backed up by resilient budgets, especially because “this is expensive stuff.”
Understanding manufacturing cybersecurity risk
The first step toward understanding manufacturing cybersecurity risk is to understand that OT is fundamentally different from IT. Lee said the security community is still having the discussion around why OT is different from IT, but boards generally are not. They increasingly understand that IT and OT need to be protected differently.
The government is also very aware that OT security is different, especially as they’re tasked with protecting critical infrastructure. The expectation from the government is that companies have a responsibility in the community. If your choices make the community unsafe, you shouldn’t make that choice. Because there is an impact on national security, you need to be a good player in this community.
But asset owners and operators are more aware of how to secure their facilities than the government. According to Lee, the government should not tell companies how to secure their systems; their job is to tell them why the systems need to be secured.
In order to protect critical systems, boards must have people on hand who know what good looks like. This involves doing the right scenario planning, knowing the specific risk to your industry, running tabletop exercises and creating a sense of urgency before you’re in a real attack — because you likely will be at some point.
Regulatory impact on manufacturing cybersecurity
When it comes to protecting critical assets, everybody generally wants to do right, but their biases flavor what their version of right looks like, Lee said. The government must decide why they care about this and why they are involved. What is the outcome they’re trying to drive to, and how is success measured? But Lee urged the government to leave the outcome and the “how” to asset operators. He said the most relevant expertise is generally in the private sector.
It’s also important to disclose when attacks happen, especially if you’re a public company. From a company perspective, there may not be a lot of value in disclosing, but collaboration leads to good outcomes. The more knowledge that’s out there, the better prepared we can all be.
But, Lee said, if you wait for the government to step in, they will eventually do it. It’s important to write your own story and not give them a reason to get involved.
Moret agreed that companies must be able to control their own destiny and stop engaging in the fantasy that someone is going to do it for them. Internal processes should always be top of mind.
The manufacturing cybersecurity journey
For companies who are on their own OT cybersecurity journey, Lee spelled out his five critical controls for OT cybersecurity, which he developed with Tim Conway of the SANS Institute. Lee said these controls are really about establishing a strategy around the minimum security required against real threats.
Years ago, SANS created the 20 critical controls for enterprise IT security. Lee and Conway were then asked to develop the equivalent for the OT/ICS side. They went through the OT attacks they had access to and looked at what security controls were effective in all of them.
The 5 critical controls for OT
- An OT/ICS-specific incident response plan
- A defensible architecture
- Visibility and monitoring
- Secure remote access
- Key vulnerability management
Lee said these five things can help you build a world-class OT cybersecurity program. It’s important to take an intelligence-driven approach. This helps take the bias out of discussions and gets to the point of, “We’re here to protect communities.”
Moret finished by offering some advice to boards and executives looking to scale their cybersecurity operations. He said you begin with a talent assessment, asking whether you have the right people internally. You need a framework that can survive people leaving, and your trusted outside partners should be a part of it.
When an attack happens, you need to have a plan. Lee and Moret both agreed on a final point: Don’t let your ICS be someone else’s first ICS.