Not Scared about OT Security? You Should Be!

Ryan Spurr

OT Security Problem

IT has battled cybersecurity incidents across various industries for years and has implemented measures to combat threats in the traditional IT domain. But in the last couple of years there has been a massive shift from traditionally targeted industries to manufacturing. More specifically, attackers are targeting manufacturing operational technology (OT) environments, where technology, security, connectivity, and endless vulnerabilities exist. Couple legacy technical debt with the adoption of cutting-edge IIoT and IoT technologies, and it’s a wonder this didn’t happen sooner.

Manufacturing has become the world’s #1 most attacked industry for two years in a row. The average cost per incident is $4.47 million, and the business outcomes have never been more tangible or severe. Gone are the days of casual or low-impact incidents. Today’s attackers are preying on manufacturing OT environments because they understand two things. First, manufacturers have a low tolerance for downtime and the inability to manufacture and ship products to their clients. Second, many manufacturers have a wealth of intellectual property, deep process expertise, and other data worthy of exfiltration.

Because of this, the #1 business outcome is extortion (largely a result of ransomware), and the #2 business outcome is data theft. These two outcomes make up most of the business impact, with extortion accounting for 32% and data theft for 19% of all incident outcomes. Both situations represent massive risk, downtime, business expense, and potential supplier, client, and brand impact. If you’re still not persuaded by the data, then look at a recent Connection Survey of Manufacturers, where we polled OT and IT leaders on their perceptions of cybersecurity risk posed by OT systems and infrastructure. 77% of all leaders viewed the OT environment as a moderate to severe threat to their business. Our peers are very mindful of the situation manufacturers face as attacks ramp up in our industry.

This is no longer a question of if but when. It’s not even when but how often. Regarding frequency, 69% of the manufacturing industry experiences OT incidents at least every two months. This is the new world manufacturers must live within. Attacks are both expected and likely to be more frequent than in prior years. The rate of successful attacks within OT environments is also alarming. Defense is no longer the only criterion. Manufacturers must also consider how to detect, contain, and remediate a higher rate of successful attacks to ensure business continuity.

This makes complete sense when we look at manufacturing OT cybersecurity hygiene and readiness, because not all manufacturers are taking the threats seriously. For example, 80% of manufacturers lack the tools to discover assets, defend, prioritize, and remediate OT/ICS/IoT equipment. These are the basic capabilities all manufacturers should have in place today.

There Is Good News—Solutions Exist to Minimize OT Risks

When mitigating OT risks, many solutions exist and can be tailored to the unique nature of your business, equipment, regulatory compliance, and risk levels. Any manufacturer can and should implement the following recommendations to minimize top threat vectors, most prevalent attacks, and improve overall cybersecurity hygiene.

  1. Industrial Asset Discovery and Visibility: It’s tough to assess operational risks when you don’t have visibility into the devices connected to OT networks—but that is precisely where most manufacturers find themselves. 80% of manufacturers had limited or no OT network and asset visibility in 2022. This leaves organizations unable to identify the types of devices and the risks posed by a wide array of industrial, legacy, and new smart technologies, let alone craft a strategy for creating defense in layers.

    Many solutions now exist that allow manufacturers to scan, detect, profile, and prioritize based on risk, and ultimately formulate an appropriate strategy for cybersecurity defense, monitoring, and response based on the unique nature of your technology landscape.
  2. OT Network Segmentation: Unfortunately, 50% of manufacturers still have poor security parameters or no network segmentation. Segmentation allows manufacturers to isolate heterogeneous devices, coalesce like devices based on the type and risk factors, and most importantly, minimize adjacent infection when cybersecurity attacks are successful. 

    Today’s network and security platforms provide new capabilities that make it easy to segment networks. I’m not talking about the long-utilized approach of a firewall between OT and IT—that no longer cuts it. Organizations must segment or microsegment devices everywhere while applying zero-trust policies to minimize risks. This is especially true within the operational environment where legacy or end-of-life devices may lack patching, or ICS/IoT technologies may have extensive vulnerabilities. 

    If you do nothing else—work with an expert team to assess your network, infrastructure, and policies—and segment your network to mitigate the most significant potential threat to successful attack propagation.
  3. OT Facility and Equipment Access Control: 54% of manufacturers lack OT user management solutions, putting their business at risk of unauthorized access, missing role restrictions, and worse yet, shared passwords known to all and vulnerable to internal or external threats.

    For example, regarding authentication and stolen credentials, 20% of all cybersecurity incidents result from poor or non-existent user credential management within operational environments. If your company is looking to ISO 27001, NIST, or CMMC, putting controls on all equipment within this environment is paramount as you try to address access control, auditing and logging, and integration with identity and access management systems.

    Fortunately, solutions exist today that go beyond traditional end-user access control. It’s possible to leverage secure cryptographic badges (for example) for facility and factory access, as well as access to workstations, virtual terminal sessions, shared devices and kiosks, and industrial control systems (ICS). This means that front-line workers can use a physical item they possess for all forms of access control, all with an intuitive and integrated solution that makes IT, security, and front-line workers happier.
  4. Extended Detection and Response (XDR): Endpoint protection solutions have long existed, and most require software agents to be deployed on a device. Of course, in the OT environment, installing agents can become complicated due to the type and status of a device. For example, equipment may run an unsupported operating system, be end of life, lack patching for known vulnerabilities, or simply be unable to bear the performance hit of invasive agents running on production equipment.

    While traditional endpoint protection solutions are still a part of a complete solution, extended detection and response introduces a layered approach to mitigating some of the typical inadequacies of the OT environment. These modern solutions offer a mix of hardware and software infrastructure, allowing for the monitoring of many types of devices, supporting deep packet inspection, and offering the ability to integrate with upstream monitoring platforms like SIEM. Some XDR solutions offer even deeper capabilities for OT/ICS/IoT equipment, such as virtual patching (detecting signatures or known threats without the use of software agents onboard) or behavioral analysis (baselining normal device behavior—such as ports, target systems, memory registers, and commands—to identify when a potential attack is underway and activity deviates from the usual).
  5. OT Integration with Corporate-managed SIEM/SOC: Let’s assume you have adequate asset visibility, network segmentation, and protections at the OT level. Successful attacks will still occur despite all the defensive investments. We should then be asking ourselves a series of questions to understand if we have the necessary data to discern and act.
  • How quickly will your cybersecurity teams detect and be alerted?
  • How will they know how many devices or the extent of their tech estate is compromised?
  • How will they know what the event is and what corrective actions should be taken?
  • How quickly can the team remediate to return the business to normal operations?

This is the situation many manufacturers face. They have strong cybersecurity hygiene and integrated monitoring in the traditional IT-managed domain but lack insights from OT. In today’s complex world, manufacturers need a single pane of visibility of their entire enterprise.  

Many solutions make it easier to integrate network, firewall, endpoint protection, XDR, and other appliances with corporate SIEM/SOC monitoring. This can be integrated with your own SIEM/SOC or with a third-party managed service that combines OT and IT into a single integrated view of your business, and it is the very best approach to shorten time to discovery, containment, and remediation.
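The behavioral analysis described under item 4, with its alerts shaped for the SIEM integration described under item 5, can be sketched as follows. This is an added example, not code from the original article or from any vendor product; the device names, flow-record fields, and event name are assumptions, and the sample records are constructed.

```python
import json
from collections import defaultdict

FIELDS = ("dst", "port", "cmd")  # assumed fields of a passively observed flow record

# Constructed learning-window records (port 502 mimics Modbus/TCP traffic).
LEARNING = [
    {"src": "hmi-01", "dst": "plc-01", "port": 502, "cmd": "read_holding_registers"},
    {"src": "hmi-01", "dst": "plc-01", "port": 502, "cmd": "write_single_register"},
    {"src": "eng-ws-01", "dst": "plc-01", "port": 502, "cmd": "read_holding_registers"},
]
# Constructed live records: one normal flow followed by three deviations.
OBSERVED = [
    {"src": "hmi-01", "dst": "plc-01", "port": 502, "cmd": "read_holding_registers"},
    {"src": "eng-ws-01", "dst": "plc-02", "port": 502, "cmd": "write_multiple_registers"},
    {"src": "hmi-01", "dst": "fileserver-01", "port": 445, "cmd": "smb_session"},
    {"src": "laptop-77", "dst": "plc-01", "port": 502, "cmd": "read_holding_registers"},
]

def build_baseline(flows):
    """Learn, per source device, the targets, ports and commands it normally uses."""
    baseline = defaultdict(lambda: {f: set() for f in FIELDS})
    for flow in flows:
        for f in FIELDS:
            baseline[flow["src"]][f].add(flow[f])
    return dict(baseline)

def detect_deviations(baseline, flows):
    """Return one alert for each flow that departs from the learned behavior."""
    alerts = []
    for flow in flows:
        profile = baseline.get(flow["src"])
        if profile is None:
            reasons = ["unknown_device"]  # device was never seen while learning
        else:
            reasons = [f"new_{f}" for f in FIELDS if flow[f] not in profile[f]]
        if reasons:
            alerts.append({"event": "ot_behavior_deviation", "reasons": reasons, **flow})
    return alerts

def to_siem_lines(alerts):
    """Serialize alerts as one JSON object per line for forwarding to a log collector."""
    return [json.dumps(a, sort_keys=True) for a in alerts]

if __name__ == "__main__":
    for line in to_siem_lines(detect_deviations(build_baseline(LEARNING), OBSERVED)):
        print(line)
```

No agent runs on the monitored equipment: the records stand in for what a passive sensor on a mirrored switch port would produce, and a real deployment needs a learning window long enough to cover maintenance and shift-change activity.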

Let’s Make It Happen

We understand that manufacturers operate within different subindustries, are held to various industry standards and regulations, and that risk is unique to your business. Our Manufacturing Practice, Solution Architects, and Network and Security Services teams work with manufacturing organizations to help them minimize cybersecurity risks so they can focus on what they do best.

Our Manufacturing Practice has a team of experts from the trade and an evolving portfolio of manufacturing solutions, and it assists IT and OT teams by augmenting their existing skillsets with complimentary advisory services to help your business accelerate technology adoption where it matters most.

If your business is interested in learning more about how we support our clients or the topics covered, engage Connection’s Manufacturing Practice to learn more about this technology, available services, and the many use cases that may benefit your organization.

Ryan Spurr is the Director of Manufacturing Strategy at Connection with 20+ years of experience in manufacturing, information technology, and portfolio leadership. He leads the Connection Manufacturing Practice, go-to-market strategy, client engagement, and advisory services focusing on operational technology (OT) and information technology that make manufacturers more digitally excellent.