Surge in Cyberattacks Puts Manufacturing OT Systems at Risk

Surge in Cyberattacks Puts Manufacturing OT Systems at Risk

In Germany it’s called Industrie 4.0, in Japan it’s Society 5.0, and in China the government created a Made in China 2025 plan to develop its manufacturing sector. The World Economic Forum refers to it as the Fourth Industrial Revolution.1 While not identical, each of these Industry 4.0 concepts has at its heart the critical role manufacturing, and therefore operational technology (OT) security, plays in the digital economy.

It sounds paradoxical: aren’t future economies supposed to be driven by services and the free-flowing movement of data? In reality, making things, and particularly the way we make them, has never been more important.

Unfortunately, an extraordinary surge in cyberattacks is putting innovation gains at risk, acting in opposition to the increases in productivity and flexibility of new manufacturing systems.

Let’s look at some common security weaknesses within manufacturing OT systems, and at what can be done to mitigate vulnerabilities.

Cyber-Physical Systems and Cybercrime Contribute to Risk

What each of these manufacturing initiatives stresses is that the future will involve integration between the digital world and the physical world, where raw materials are processed into goods. Industry 4.0 proposes that the integration will be based on high levels of automation, smart manufacturing, and optimization of OT and logistics, all driven by the expansion of big data analysis, real-time data collection, and machine learning.

As impressive as this sounds, this new industrial revolution needs to address the extraordinary surge in cyberattacks that have put manufacturing OT systems and automation at risk.

Increased OT Threat Levels

The opening of traditionally closed OT environments means that they are no longer immune to the threats targeting IT environments. Although incidents affecting manufacturers rarely receive publicity, third-party reports offer glimpses into the volume and type of threat activity.

One of these reports, the IBM X-Force Threat Intelligence Report Index 2020,2 reported a staggering 2000 percent increase in incidents targeting OT environments. The most common techniques included targeted attacks against known vulnerabilities and brute-force password attacks in legacy OT hardware and software.

Targeting Complex Manufacturing OT Processes

These highly targeted attacks reinforce the need to protect resource availability and prevent production process disruption. Attackers understand that they only need to successfully disrupt one element of a complex supply chain to bring the entire production line to a standstill. Today’s manufacturing processes rely on complex interactions between a wide range of subsystems, such as raw materials, purchasing, inventory, order management, packaging and material handling.

Manufacturing OT at High Risk From IT

Most manufacturing involves specialized OT networks, yet commonplace IT systems are often the pivot point that attackers use to breach OT environments.

Far from being separate entities, IT and OT networks have become increasingly connected. Connected systems make sense from an operational perspective because they allow a single team to holistically manage production systems. Unfortunately, this connectivity also opens up OT systems to attack.

One of the most well-known examples of bad actors targeting OT manufacturing systems via IT systems is Triton, which targeted vulnerable IT systems to ultimately disrupt operations in a petrochemical plant in 2017. Triton was the first OT-focused attack to target a Safety Instrumented System (SIS), a critical component of industrial processes. SIS are the “last line” of automated safety defense for industrial facilities, designed to prevent equipment failure and catastrophic incidents such as explosions or fire.

In another example, a phishing attack resulted in major damage to a German steel mill. In 2014, the German Federal Office for Information Security (BSI) revealed that a cyberattack had damaged the steel mill, using a spear phishing campaign to steal credentials to gain access to the corporate IT network. After compromising the main network, the attack targeted the mill’s control systems. This resulted in failures that caused major damage to the mill’s blast furnaces.

Deploying IoT in Manufacturing OT Environments Increases Cybersecurity Risk

Use of IoT technology in industrial environments is rapidly increasing as organizations embrace the use of these low-cost devices to improve Manufacturing Operations Management (MOM) for competitive reasons. IoT devices deliver value by accurately monitoring a wide range of processes related to manufacturing, such as flow, humidity, light, pressure, proximity, sound, temperature and vibration.

Juniper Research recently forecast that there will be 83 billion IoT connections by 2024,3 and 70 percent of those will be in the industrial sector. These converged OT/IoT environments don’t just add to the security challenge, they change the security calculus because device security hasn’t kept pace. For example, many of the IoT devices deployed have limited computing power and are therefore unable to run an agent to provide protection from attack. They also lack the ability for operators to update their firmware, leaving millions of legacy IoT devices with vulnerable operating systems permanently at risk of exploit.

The Future of Security in Converged OT/IoT Environments

Industry 4.0’s embrace of automation and autonomous systems requires organizations to apply the same layers of cyber defense to their OT manufacturing environments as they do to their IT environments. Here are two examples:

  • Network Visibility: Manufacturers must have an accurate inventory of their OT/IoT devices and systems as the starting point for securing their network, yet a consistent challenge to both IT and OT security operations teams is knowing what devices are on their network.This includes the ability to monitor their network state in real time to understand device behavior. Detecting anomalous activity early can prevent operational disruptions caused by maintenance issues as well as cyberattacks.Also, in this era of remote workers, real-time visibility into the number of remotely connected devices and the behavior of remote systems is critical.
  • Threat Intelligence/Vulnerability Assessment: Another important aspect of manufacturing cybersecurity is leveraging multiple sources of threat intelligence to improve the ability to detect attacks targeting OT and IoT systems.SOC teams need to be able to react quickly when they detect indicators of compromise (IOCs) and anomalous behavior in their network. Many attackers, once they have compromised one system inside a network, move laterally to rapidly perform extensive system reconnaissance.To reduce the potential of a bad actor exploiting a known vulnerability, knowing what systems are vulnerable (and therefore likely targeted) is fundamental to cybersecurity best practices. Embracing a well-defined vulnerability assessment and remediation process is vital to maintaining operational uptime.

It’s Time to Address Manufacturing Cybersecurity Risk

With the expanded attack surface caused by companies embracing Industry 4.0, organizations need to prepare for attacks that will target their previously ignored manufacturing OT environments.

Those legacy OT systems that used to be isolated and proprietary are now connected to IT systems that are exposed to the internet. They are running operating systems and applications with well-documented and easily exploited vulnerabilities.

It’s essential to develop an accurate understanding of the devices on your manufacturing network. Start by creating an accurate view of all devices, as well as any devices they communicate with.

Then, enrich that view by continuously monitoring your manufacturing systems for malicious and anomalous behavior that could impact operations.

Add threat intelligence and vulnerability assessment as well, and you will significantly increase your cyber resiliency—your ability to continue operations during and after a cyberattack.

If you’d like to find out more about how we can help, let us know.

This is an adaption of an article originally published in the Journal of International Security.

References:

  1. “The Fourth Industrial Revolution: what it means, how to respond,” World Economic Forum, 2016.
  2. “IBM X-Force Threat Intelligence Index,” IBM, 2020.
  3. “IoT Connections to Reach 83 Billion by 2024, Driven by Maturing Industrial Use Cases,” Juniper Research, 2020.