By Dick Bussiere, Technical Director, Tenable
Ransomware attacks have significantly disrupted the manufacturing industry and emerged as one of the biggest cybercrime concerns for manufacturers in 2021. According to the SANS 2021 Survey: OT/ICS Cybersecurity report, two out of ten manufacturers experienced at least one intrusion over the last 12 months. More alarming still, globally nearly half (48%) of manufacturers did not know whether or not they had been breached. The increasing convergence of IT, OT and IIoT has rapidly expanded the attack surface and the number of threat vectors. However, acquiring the security skillsets needed to master both IT and OT concurrently is challenging, especially given the dynamic nature of the threat surface and the increasing pace of attacks.
OT teams are primarily concerned with the physical world — the safety of life, limb and property, the availability and integrity of the processes being managed, and ensuring the consistent quality of the product being produced. The “traditional” IT concerns of preserving the Confidentiality, Integrity and Availability (CIA) of data are viewed as secondary in the OT world. What is considered important is making sure that the control traffic is accurate and timely, so that production continues safely and without interruption. That said, the cybersecurity concepts practised within IT can have great value within the OT world. Consider the fact that OT environments are not only composed of programmable logic controllers (PLCs): up to 50% of the environment consists of IT devices such as Windows and Linux computers that host Digital Control Systems (DCS) and Human Machine Interfaces (HMI), switches, routers, and an ever-growing inventory of Internet of Things (IoT) devices. When deployed inside the plant, these devices expose operations to the same threats and vulnerabilities that would be seen outside the plant. The reality in today’s converged IT/OT environment is that OT operators must learn and apply fundamental cybersecurity practices, and in doing so improve their ability to maintain Safety, Availability and Quality.
IT education for OT managers
Cybersecurity is viewed by many operators as a measure that creates more complexity for OT teams. It is often not understood, and is shunned rather than embraced as a necessity. On the other hand, suffering a ransomware attack on an unpatched Windows-based Digital Control System would impact OT KPIs. We thus have a world where neither plant managers nor the business as a whole can continue ignoring OT environments from a cybersecurity perspective. OT managers must understand that the days in which “air-gapping” was the sole method of maintaining security are over; it is no longer viable. Taking the best IT security practices and applying them, customized for OT, will improve the ability to maintain KPIs while also removing risk from the equation. OT managers must also recognize that adopting good cyber hygiene by taking proactive security steps before an attack occurs is significantly less disruptive than having to address an attack already in progress – such as ransomware. Having to address a ransomware threat after the organization has already been attacked means it is too late.
At the same time, IT teams need to realise that the OT world is different and that the cyber-physical nature of the environment imposes kinetic risks with extremely serious consequences. IT teams need to understand why OT teams operate as they do – and indeed there are many reasons. The OT team has a hard job!
This knowledge gap can be bridged with better collaboration between IT and OT teams and can be facilitated by an understanding at the highest levels of the organization regarding the cyber risk in OT environments. Senior-level understanding paves the way for OT security to become a priority with all stakeholders.
Without buy-in from plant managers, CISOs will not be able to make much progress as OT teams may be resistant to the involvement of IT teams in operations. This is largely due to the perception that involving people outside of the OT teams may risk downtime. There is also a strong “if it ain’t broke don’t fix it” mentality in OT which may be difficult to overcome. Once CISOs do the hard work of convincing plant managers of the benefits to them of embracing good cyber hygiene, it becomes easier to educate the entire OT population about cyber risks and the impact these can have on the safety, availability and quality of operations.
Priorities of IT vs OT are the same but monitored differently
Ultimately, IT and OT teams are concerned about the same things but are using different languages and actions. To meet in the middle, risk and threat assessments must take a holistic business-oriented approach. One of the best tools to help perform the risk assessment process is NIST Special Publication 800-82, which offers specific guidance for Industrial Control System security.
Per this document, organizations should employ a risk assessment process that has four components:
● Framing – Developing the framework for the risk management process and the level of acceptable risk.
● Assessing – Identifying threats and vulnerabilities, the damage that could be done through the exploitation of these, and the probability of these being leveraged successfully during an attack.
● Responding – Identifying countermeasures to address identified threats and vulnerabilities, and implementing said countermeasures.
● Monitoring – Constantly looking for new vulnerabilities and threats, and adjusting
The risk assessment and management process must be all-inclusive – from the executive suite to the shop floor. Everybody has a role to play in OT security – it is not just the domain of the IT or OT team. This brings us to the next point.
C-level MUST lead the change
Getting C-level support for better collaboration between IT and OT teams is the key to success. Some organizations begin by creating a C-level role to facilitate the convergence. It is quite common to appoint a Chief Digital Transformation Officer, who is tasked with bridging the gap between IT and OT and establishing incident response processes that span both groups.
Business-level oversight and C-suite leadership enable both sides to collaborate effectively with each other. Increasingly, organizations are taking senior, experienced engineers from OT business units and assigning them to support incident response within the security teams. This creates an environment where both IT and OT teams can collaborate effectively.
Nothing rewarding comes easy, and this is true for agile IT and OT. Effective IT and OT alignment and mutual understanding give security teams more control over distributed operations. When both teams understand and respect each other’s roles, it increases responsiveness when incidents occur, leads to better decision making and reduces response times to unforeseen disruptions.
Effectively defending interconnected OT environments requires a multifaceted and integrated approach between both OT and IT teams. This can only be achieved through the education of all stakeholders, establishing sponsorship at the most senior levels of the organization, and establishing robust risk management processes. If manufacturing organizations get these three areas in order, they can weather the storm and be better prepared for cyberattacks.