Each new internet-connected device, whether a large manufacturing robot or a small sensor, carries with it the burden of joining your local network in line with current cybersecurity practice. The difficulty is that too many roadblocks, such as restrictive firewall rules or access procedures so cumbersome that they impede productivity, can limit the device's ability to communicate with other devices or to send critical diagnostic reports back to stakeholders.
According to IBM Security’s 2022 X-Force Threat Intelligence Index, manufacturing is now the world’s most targeted industry. However, the promise of greater business growth through connected devices has motivated many companies to continue forward, ignoring cybersecurity risks in favor of greater plant efficiency and modernisation.
For the first time in five years, manufacturing, and the operational technology (OT) facilities behind it, was a bigger target than the finance and insurance industries. Two factors explain this. First, attackers exploit an industry where even an hour of downtime has a significant financial impact, which makes high ransoms more likely to be paid. Second, improperly secured OT networks, often built on legacy machines and components that can be 30 or 40 years old, are comparatively easy to break into.
With the events of recent years showing us that manufacturing supply chains are as critical as they are vulnerable, asset owners and operators are facing their greatest challenge — applying the proper cybersecurity controls within their OT networks without hampering their production capabilities.
Here are four pillars to securing your OT devices both in the short and long term:
Visibility reduces risk: The main challenge with OT-connected machines is that understanding their current security status is easier said than done.
Chief Information Security Officers (CISOs) are tasked with securing connected machinery that cannot be taken offline to review credentials, apply a manufacturer-approved update or even undergo a general inspection. With so many devices operating in such synchronous precision, any downtime, even for installing an update or a simple restart, may cost more in lost revenue than the fix is worth.
Gaining full visibility into your network, mapping it, and understanding which assets are your 'crown jewels' and how to protect them is a challenge CISOs and security decision-makers face on a daily basis.
Assess your risk: This brings up the age-old question, how much risk is acceptable? Or, if rephrased, where do I start, and how do I prioritise my security roadmap?
With a virtual map of the facility it is possible to carry out risk assessments by running simulated attacks and remediation techniques against the model rather than against live equipment. Teams are often surprised to find that Facility A, which houses more critical equipment, is less affected, while the impact on Facility B is worse than anticipated.
Here is an opportunity to compare previous hypotheses against newly produced data. Update playbooks, practice mitigation techniques and consider which investments are critical to achieving your risk reduction goals.
Make a plan: Comparing new risk assessment data against operational needs and company goals pivots the role of an OT CISO from someone who is always putting out fires to one who can make proactive data-driven decisions.
An actionable security plan should answer the following questions:
- Which devices are at the greatest risk?
- Which machinery has critical software updates ready to be installed?
- What security controls are available to help assess and carry out a security plan? The right tool will paint a clearer picture of all devices and the software versions they operate. It will also allow teams to obtain the information they need to generate an active baseline to run against anomalous events.
- Do I have a list of cybersecurity hygiene policies that the organisation must follow?
In the short term, the plan should include restricting each connected device's network access to the peers and protocols it actually needs, and reviewing the credentials configured on every connected device. Long-term goals will be within reach only once the full network is mapped and you have a virtual environment in which to understand device roles.
Patrol the network: Threat landscapes are always in flux. A secure network today may become exposed to a new vulnerability tomorrow. Even if cybersecurity teams could shut down a full facility and conduct a thorough manual risk assessment, the validity of this review has only a short lifespan.
Ongoing monitoring and the ability to run simulated attacks with the team are the only way for security decision-makers to keep pace with, and act faster than, attackers. Preventing all attacks is impossible, but the right approach will provide the oversight your new security goals demand without the operational interruptions that organisations fear.
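The "active baseline" mentioned under "Make a plan" and the ongoing monitoring described here can be built passively, without touching a single controller: record who talks to whom, on which port, during a learning period, then flag every flow that departs from that picture. The following Python is an added example written for this article, not code from the original page or from any monitoring product; the IP addresses, the flow records and the port-to-protocol labels are constructed for illustration, and the severity rules are one reasonable choice rather than a standard.

```python
"""Passive OT visibility and communication baseline (added example).

Builds a device inventory and a communication baseline from flow records
captured during a learning period, then classifies later flows that fall
outside that baseline. All sample data below is constructed.
"""
from collections import defaultdict

# Labels only; assumption for this example that these ports carry these protocols.
PROTOCOL_BY_PORT = {502: "Modbus/TCP", 102: "S7comm", 44818: "EtherNet/IP",
                    20000: "DNP3", 22: "SSH", 443: "HTTPS"}

# Constructed learning-period records from a hypothetical passive sensor: "src dst dport".
BASELINE_FLOWS = """\
10.1.10.5 10.1.20.11 502
10.1.10.5 10.1.20.12 502
10.1.10.6 10.1.20.21 102
10.1.10.5 10.1.20.12 502
10.1.30.2 10.1.20.11 44818
10.1.10.5 10.1.20.11 502
"""

# Constructed records observed after the baseline was frozen.
NEW_FLOWS = """\
10.1.10.5 10.1.20.11 502
10.1.10.6 10.1.20.12 502
10.1.20.11 10.1.20.12 502
10.1.10.5 10.1.20.11 22
10.1.99.9 10.1.20.21 102
"""


def parse_flows(text):
    """Parse 'src dst dport' lines into (src, dst, dport) tuples; skips blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport = line.split()
        flows.append((src, dst, int(dport)))
    return flows


def build_baseline(flows):
    """Learn observed (src, dst, port) triples, the ports each host answered on, and host roles."""
    baseline = {
        "pairs": set(),                # every (src, dst, dport) seen
        "services": defaultdict(set),  # dst -> ports it was contacted on
        "roles": defaultdict(set),     # ip -> {"client", "server"}
    }
    for src, dst, dport in flows:
        baseline["pairs"].add((src, dst, dport))
        baseline["services"][dst].add(dport)
        baseline["roles"][src].add("client")
        baseline["roles"][dst].add("server")
    return baseline


def inventory(baseline):
    """The visibility output: every host seen and the roles it played."""
    return {ip: sorted(roles) for ip, roles in baseline["roles"].items()}


def classify(baseline, flow):
    """Return (severity, reason) for a flow outside the baseline, or None if it is expected."""
    src, dst, dport = flow
    if flow in baseline["pairs"]:
        return None
    proto = PROTOCOL_BY_PORT.get(dport, f"tcp/{dport}")
    roles = baseline["roles"]
    if src not in roles or dst not in roles:
        unknown = src if src not in roles else dst
        return ("high", f"unknown device {unknown} seen in {proto} flow")
    if "client" not in roles[src]:
        # A host that only ever answered connections is now initiating them.
        return ("high", f"{src} only served connections before but now initiates {proto} to {dst}")
    if dport not in baseline["services"][dst]:
        return ("medium", f"new service {proto} on {dst} (from {src})")
    return ("low", f"new client {src} for existing {proto} service on {dst}")


def detect_anomalies(baseline, flows):
    """Classify each flow; returns a list of (severity, reason, flow) for deviations only."""
    findings = []
    for flow in flows:
        result = classify(baseline, flow)
        if result is not None:
            findings.append((result[0], result[1], flow))
    return findings


if __name__ == "__main__":
    base = build_baseline(parse_flows(BASELINE_FLOWS))
    for ip, roles in sorted(inventory(base).items()):
        print(f"{ip:<12} {','.join(roles)}")
    for severity, reason, flow in detect_anomalies(base, parse_flows(NEW_FLOWS)):
        print(f"[{severity.upper():<6}] {reason}")
```

Two caveats matter in practice. The baseline is only as trustworthy as the learning period: if an attacker was already on the network while it was recorded, their traffic becomes "normal", so review the learned pairs against the engineering design before freezing it. And a sudden role change, such as a PLC that starts opening connections to a neighbouring PLC, deserves the same priority as an unknown device, because that is what lateral movement through a flat OT segment looks like.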
An attack is imminent
Global attack data shows that manufacturing, infrastructure and supply chain operators must assume that a serious attack is imminent. The likely outcome of a successful exploitation is ransomware payments, costly downtime and exposed data.
Identifying a normal operations baseline and implementing an ongoing monitoring tool will allow teams to identify anomalous behaviour early, signalling a breach attempt and allowing time to stop an attacker in their tracks.
Securing industrial environments is crucial to protecting a business's assets, reputation and customers. However, it is essential to approach security with a business-first mindset, taking into account the business's overall goals and objectives, the potential impact of threats, and the costs and benefits of security measures. By doing this, businesses can ensure that their security roadmap supports their operations and protects them against cyberattacks.
Original content can be found at Control Engineering Europe.