In manufacturing, 87% of organizations are adopting new technologies and retrofitting legacy equipment in their effort to speed up Industry 4.0 (4IR) adoption. This is no longer just an operational technology (OT) engineering objective. According to a BDO study, even financial leaders now view cloud (74%), IoT (58%), and artificial intelligence (16%) as the leading transformational agents to decreasing costs and increasing productivity. In 2021, as we combine general business sentiment around digital advancement with the headwinds brought about by the pandemic, we are observing an acceleration of investment in industrial solutions that will substantially affect efficiencies, deliver competitive advantages, and bring overall costs down.
What Are the Risks of Industry 4.0?
With any opportunity there is also risk. In the case of investments into 4IR and industrial technologies, the risks associated with integrated legacy equipment, next generation sensors, and edge compute, PLCs and other industrial equipment markedly increase the attack surface. For example, the manufacturing industry was number one target for phishing attempts (38%) and number one for browser exploits (26.5%). This didn’t take into consideration the unmanaged devices or next generation IoT platforms and sensors. As aged equipment is being added to industrial or corporate networks, attackers are recycling older attack methods to exploit vulnerabilities and launch attacks against operations—and ultimately the balance of the organization.
What Are Typical Industrial Security Challenges?
Within manufacturing, there is often little in the shape of enterprise standards, and this results in a great deal of risk. Unfortunately, this chaos is here to stay within OT environments due to the long lifespan and high cost of industrial equipment, along with the variation in sourcing and purpose. The following are some of the most common challenges that we see across industrial landscapes:
• Unsupported Technology: This is a broad challenge that includes unique operating systems, end of life software, antiquated or unsupported hardware and software, and/or lack of modern support for current enterprise security toolsets.
• Production Impact: I often refer to this as “don’t touch my production line” or specifically, any security, software, or policy management solutions that are controlled by an organization outside of production. The truth is that most security and management toolsets do impact operations in the form of affecting machine performance, closing ports or shuttering processes, or forcing enterprise policies down to unmanaged machines that IT doesn’t understand. This typical response from OT has arisen from years of avoidable events stopping production and lack of awareness of both parties’ needs.
• Visibility, Monitoring, and Integration: Most industrial devices were introduced into the factory for a single purpose and are rarely managed or coordinated with IT. These devices may lack password protection, account management, or federation with any enterprise identity management, and certainly are not monitored for security, access control, or other risks. These risks often also include modern IoT products. While supporting next generation technology, they often lack the ability to be discovered, centrally managed, or logged—and they represent sizeable security risks.
• Resources and Skillsets: Unlike in the typical IT environment, there are seldom adequate operational technology resources and skillsets to manage such a diverse range of specialty hardware, software, and events occurring. Imagine how difficult it is for IT to manage a structured environment built atop policy, standards, and a common team. Now imagine an unstructured team of engineers moving on from the company, leaving little knowledge of the machines behind. Now try to keep these devices operational as well as secure.
All together, these challenges open manufacturers to significant risk for insider and outside security events. Without adequate controls and management, IT and security are unable to have visibility across the entire enterprise. When an event does unfold, your security team has few tools available to respond, remediate, and restore operations with confidence.
How Can Manufacturing Adapt?
Trends are shifting. The positive news for manufacturers is that 55% of business leaders recognize that increased security risks accompany this industrial transformation. This is creating a more mature view and a coordinated path forward where we combine Industry 4.0 and industrial security investments to ensure the company advances business goals while also mitigating the security risks.
Some of the most common security solutions to consider within industrial environments include:
- Application, policy, and access control
- Anti-virus and endpoint protection
- Backup or offline anti-virus and vulnerability scanning
- IoT or industrial assessments
- Artificial intelligence to detect behavioral patterns
- Secure industrial networking
While most of these solutions are not new to IT, this level of security hygiene may be new to OT, where security has typically been a second thought. Many of the existing and trusted security vendors now provide industrial offerings aimed to alleviate the typical operational technology concerns, improving the level of acceptance and adoption by engineers. These next generation solutions mitigate security risks unique to OT, while offering IT or security teams the integrated ability to predict, prevent, detect, respond to issues.
When it’s not possible or practical to install security suites on top of industrial equipment and sensors, consider leveraging network security solutions that move monitoring and protection software off industrial end points and build it into the network. This offers flexibility in how industrial equipment risks are mitigated since a one-size-fits-all strategy seldom applies in these environments, while also instituting multiple layers of security.
Industrial cybersecurity and industrial network solutions provide a holistic approach to mitigating the inherent risks of the modern-day industrial environments, while unleashing innovation and industrial transformation. Connection offers a full range of IT and OT cybersecurity solutions, services, and regulatory information, along with specialty services aimed at assessing 4IR or IoT risk in your environment. To learn more about how Connection can help you solve your broader industrial and IT security challenges, contact us today.
Ryan Spurr
Ryan Spurr is the Director of Manufacturing Strategy at Connection with 20+ years of experience in manufacturing, information technology, and portfolio leadership. He leads the Connection Manufacturing Practice, go-to-market strategy, client engagement, and advisory services focusing on operational technology (OT) and information technology that make manufacturers more digitally excellent.
