Why Isn’t Operational Technology Security Keeping You Up at Night?

Ryan Spurr

Manufacturing tech estates are wildly complex with a high mix of unmanaged equipment that can put the entire business as risk. In fact, according to an independent study from Fortinet, “9 out of 10 organizations experienced at least one operational technology (OT) system intrusion in the past year, up 19% from 2019.” As companies address corporate security, it’s operational technology that represents the next big risk that could stop production, jeopardize intellectual property, and impact your customer. 

When discussing security with manufacturers, the most common statements I hear include, “We have nothing of value,” or “Our production is air gapped from IT.” The truth is that breaches are happening even with disconnected machines and unmanaged networks. Your business may not be top secret, but your intellectual property, process, and machines are fair game for state and industrial espionage—bad actors will pursue it.

What are the top cyber threats my company faces?

Manufacturing is full of at-risk technologies ranging from computers, networks, robots, and sensors. Actually, it’s mind boggling when you combine the machine age with lack of security, inability to procure replacement hardware, and end-of-life software. It’s no wonder why “65% of manufacturing environments run outdated operating systems” and why these environments contribute to an increased attack surface.

Unmanaged networks represent another challenge often unaddressed. These industrial environments are often stitched together with a mix of miscellaneous routers, nodes, and cellular connectivity bypassing corporate infrastructure. External entities will not just attack the machines—they will also target network vulnerabilities and weaknesses in its architecture.

With at-risk environments and threats, including ransomware or cryptojacking, manufacturers also need to think about their response to potential events. One study found that “75% of IT managers could not restore all of their lost data from backups.” OT-focused business continuity and disaster recovery solutions should be in place in order that weaknesses in security do not halt or compromise operations.

Does my company comply with leading security standards and does it need to?

Regulations are also reshaping how manufacturers implement security, either in the form of security standards or compliance to industry regulations. Within these industrial environments, a staggering “44% do not track and report compliance with security standards or industry regulations,” despite having such mandates with regulations like NIST 800-171, CMMC, ISO27001, or CSAT.

Whether driven by standards or regulation, security isn’t only an IT security responsibility. It requires all departments, including operational technology, to ensure adoption and adherence. Despite awareness of the risks associated, we often see factories and research facilities choose complacency in lieu of convenience. With less importance placed on cost avoidance, manufacturers take limited action or perpetuate bad security hygiene until the risks are realized and negatively impact business.

How can I keep my data safe?

If today’s operational technology environment wasn’t challenging enough, IDC predicted that “80% of manufacturing data will be placed at the center of processes by 2020,” meaning there’s no processes without data. And according to IoT for All, there will be and 80 billion Internet-connected machines” by 2025—making your data more vulnerable than ever. The OT landscape is expanding at a pace never seen before. The drive to adopt new devices and technology in OT will only increase the security challenges facing manufacturers.

No infrastructure will ever be perfect, so that’s why it’s important for leaders to come to terms with the whole of their landscape and implement clear roles and responsibilities, as well as implementing single pane of glass security across IT into OT. Manufacturers that address these challenges are, according to the same Fortinet study, “4 times as likely to have centralized visibility in the SOC” and “two times as likely to currently have the CISO/CSO responsible for OT security,” leading the way for organizations to monitor their business security threats, troubleshoot, and quickly identify resolutions.

Securing your facility gives your customers a better experience

The good news is that it doesn’t have to always be this way. Most of the risks discussed can be mitigated with industrial networking, security software, and hardware upgrades—and still ensure that research and production operate to their goals. What is most important for OT and IT leaders to understand is that “90% of manufacturers will leverage real-time data” to avoid unplanned downtime by 2021 or to deliver new solutions in support of Industry 4.0. 

It doesn’t have to be one or the other. While laying the foundation for secure and reliable OT infrastructure, this same platform can be used to accelerate tracking solutions and unlock OT data to speed research, design, and optimize production facilities. Is your industrial strategy ready for edge compute, sensors, and other new solutions to drive business growth with network and security at the foundation? Connection helps manufacturing customers jettison their legacy and build industrial security strategies. We help improve security posture, visibility and response, and delivery against operational goals to unlock future potential for business stakeholders. Contact us today to discuss your operational technology, and we’ll work with you to create a secure, efficient solution.

Ryan Spurr is the Director of Manufacturing Strategy at Connection with 20+ years of experience in manufacturing, information technology, and portfolio leadership. He leads the Connection Manufacturing Practice, go-to-market strategy, client engagement, and advisory services focusing on operational technology (OT) and information technology that make manufacturers more digitally excellent.