As Attackers Increasingly Focus on Manufacturers and Other Industrial Targets, IT and OT Must Work Together to Protect the Organization
Given the frequency and severity of cyberattacks in the news, cyber threats are top of mind for boards of directors and executive teams. In fact, according to Aon’s 2017 Global Risk Management Survey cybercrime ranked number five among the top 10 concerns for risk decision-makers globally and number one among respondents in North America – above concerns about economic slowdown, increasing competition, damage to reputation, and regulatory changes.
While the financial services industry has long topped the list of industries targeted by cyberattacks, research now points to the manufacturing sector as the most frequently targeted. A recent report by Deloitte (PDF) finds that 39% of manufacturers experienced a cyber incident in the last 12 months, with 38% experiencing losses between $1 million and $10 million per occurrence. Executives across the industrial sector are asking CIOs and CISOs questions about risk management they have never been asked before. For example: Are threat actors bypassing our defenses? What is our applicable risk? What kind of impact can they have?
These questions can be tough to answer because you can’t protect what you don’t know. And most CIOs and CISOs of industrial organizations don’t have much visibility into their operational technology (OT) environments – the so-called non-carpeted space – and what drives that side of their business. They have expertise in the IT domain – the networks, servers, endpoints, and applications that comprise this dynamic environment – and are primarily focused on protecting information.
Unlike IT, the technology in OT environments is purpose-built to monitor and control physical processes and equipment. These environments tend to be fairly static and don’t change unless failures occur or changes in operational parameters are necessary. This means devices and networks remain in place typically for decades, and could be several generations old compared to their three to five year old equivalents in IT. Further, the primary focus of people who work in OT is maintaining uptime and ensuring outputs meet design specifications and are delivered on schedule.
As malicious actors increasingly focus on manufacturers and other industrial targets, IT and OT must work together to protect the business better. But applying traditional IT security approaches to the OT side of the business won’t necessarily translate well. As a security practitioner, a fundamental question to consider is how do you gain the visibility and influence you need into the operations domain to address the questions your executive leadership is asking?
These three recommendations can help you get started:
1. Collaborate with OT to create a tailored security plan for the operations domain congruent with the broader security strategy and goals. From inception, think about the differences between the IT and OT environments and then embrace the reality that you can’t take what you’ve been doing in IT all these years, even if successful, and translate it directly to OT. You need to consider the overall security objectives for your organization and then work in partnership with OT to develop a plan tailored specifically for that domain. With a plan that encompasses OT security within the corporate umbrella, investments can be prioritized to align with business unit objectives, not IT drivers.
2. Establish a common lexicon and frame of reference around cybersecurity. This means taking what IT security people are passionate about (e.g., threats and vulnerabilities) and translating that into concerns in the operations domain (e.g., downtime and compromised quality) to show how the right security investments can actually improve operational outcomes. Additional protections that can lower the likelihood of costly or unsafe OT events will capture their attention and create common ground to build upon.
3. Put some near-term security measures in place for immediate benefits. Using the OT security plan you’ve jointly created, work in partnership to identify and implement a handful of security protections that aren’t in place today and that will demonstrably improve the environment without negatively impacting operations. Some relatively quick wins that support key business unit objectives can help build trust. Here are three areas that have proven to be effective.
• Improve the separation between OT and the rest of the business. In order for the business side to consume production data, the data must travel ‘northbound’ into the IT space. Sometimes this communication isn’t done in a secure manner, potentially allowing threats to move laterally across IT and into OT domain, compromising its integrity. Establishing a robust DMZ (demilitarized zone) to isolate systems on each side can provide better protection and allow only authorized communication through. Clear ownership of the DMZ based on established security-leading practices is a critical factor that will help facilitate this process.
• Lock down remote access to OT environments. Every industrial organization has employees, contractors, and vendors who need remote access to their OT environments. Clearly defined access controls, particularly for employees and contractors, can help protect against threats they may unwittingly introduce to the environment. However, restricting access to vendors can be more challenging because much of the OT equipment must be remotely maintained by a vendor under the terms of a support contract or warranty. If organizations can’t support this capability, then warranties might be voided, software might not be patched with certified updates, equipment might not be maintained, and the risk of failures could increase. An effective secure remote access implementation plan is a must.
• Restrict portable media use through corporate-issued devices. Another risk to the operational domain is hand-carried malware. Some of the most destructive malware is very often carried into the OT environment by an employee with a USB drive or a vendor whose laptop may have become infected. These pose a risk to critical equipment and processes. You can help increase operational integrity through effective security procedures and policies that appropriately restrict portable media use. An effective means to reduce operational risk is to allow the use of only corporate-issued USB drives in OT and implement a check-in, check-out system.
Ultimately, the goal of IT/OT convergence is to make the OT side more resilient through effective cyber protections, and instill confidence in your board and senior executives. By demonstrating a proactive approach with measurable improvements to OT security early on while accommodating operational priorities, you are more likely to get the investments you need. These investments will allow you to implement a long-term strategy that aligns to your organization’s desired business outcomes and that greatly increases the security posture of your OT environment.