Securing OT and OT/IT dependencies in manufacturing and process industries
25th April, 2024 • Online
The most complicated challenge in cybersecurity? Probably. A regulatory timebomb? Definitely.
A critical priority for companies and governments
Industrial organizations are at a turning point in their OT cybersecurity journeys. This includes discrete manufacturing operations that assemble many small parts into larger manufactured objects, such as automobiles or laptop computers; process industries that transform raw materials into a more usable form, such as mining or refining; and also many types of critical infrastructure: industrial operations that are essential for society to function, such as transportation, power, and utilities.
According to McKinsey, more than 90% of manufacturing firms have had their production or energy supply hit by some form of cyberattack, 96% of business leaders indicate the need to invest in OT cybersecurity, and approximately 70% of those who have invested in it are facing implementation challenges.
In the US, CISA has highlighted dramatic increases in OT system cyberattacks, and in Europe ENISA's findings mirror this. The World Economic Forum has also just put out a bulletin highlighting OT risks.
But OT risk is not a single issue. Attacks on (often legacy) ICS and SCADA systems are one thing. Attacks on broader industrial systems that cause physical consequences in the real world are another. And attacks on the IT systems upon which OT systems are increasingly reliant are yet another (IIoT insecurity is a big issue). Only a minority of attacks are "pure" OT compromises like the 2020 EKANS ransomware attacks against Honda and Enel and the 2022 attack on German wind turbines.
Increasingly, threats exploit the growing size and diversity of IT/OT attack surfaces. Attackers can rely on industrial control systems (ICS) being connected to corporate TCP/IP networks at least periodically, giving access to them via standard business networks. For example, ransomware that encrypts data on IT networks is now a significant issue in OT security. And of course, attacks on IT/OT systems at third-party suppliers can then be weaponised against downstream IT/OT systems.
For example, in February 2022, Toyota shut down 14 manufacturing plants because of a cyber-attack on Kojima Industries, a key supplier. When that supplier was hacked, the world's top-selling carmaker had to halt operations at 14 factories at a cost of about $375 million.
The complexity of the IT/OT environment brings unique security challenges. For a start, normal tools do not work very well. In OT environments scanning-based solutions like endpoint detection and response (EDR) or endpoint protection platforms (EPPs) are not suitable. They rely on continual telemetry and cannot operate properly in an air-gapped situation.
These systems also fail to detect fileless and evasive attacks reliably, as many threats don't create signatures that EDR can recognize. The same applies to solutions that use similar technology in other parts of the IT environment, such as NDRs deployed to analyze network traffic. This is important because threats such as unauthorized firmware installed on OT systems, or unknown, dynamic variants of malware normally found in traditional IT environments, are becoming more common.
Even where traditional solutions do detect issues, they struggle with the diverse range of legacy OS, hardware, and applications that exist in a typical OT environment and so often create huge numbers of false positives. These would bring manufacturing processes to a halt, and downtime is the single biggest issue in critical industrial processes. Revenues are at risk as, sometimes, are human lives. Replacing compromised OT is extremely costly and time-consuming, and so is remediation.
So, what are the solutions? Is Zero Trust the answer? What does layered security in an IT/OT environment look like? How do you deal with the issue of false positives? What kinds of solutions are not dependent on online updating? And how can firms stop advanced threats from cross-propagating between business and OT systems? Industrial infrastructure is a prime target for well-funded attackers and complex attacks like zero-days, fileless worms, trojans and malware.