
In the world of operational technology, security culture has long been restricted to the physical realm. But as digitalisation opens up new possibilities for industrial breaches, Project One experts argue, companies must adapt to factor building management systems, access control, CCTV and utilities supply into their security considerations.
A possible scenario: the manufacturing engineer had worked in this factory for 25 years. He knew his production lines inside out. He knew his job, and while he had heard some company broadcasts about cybersecurity in factories, he knew his machines were standalone and the factory was well protected from intrusion. But this morning he noticed the robot arm behaving differently from usual – not very differently, but enough that the product coming through the outfeed was starting to fail the laser-controlled quality inspection. To the naked eye the product looked the same, but the precision quality check had picked up out-of-tolerance measurements.
After an investigation it turned out that a virus had infected the robot programming. The day before, a maintenance engineer had performed a routine service – the engineering laptop he connected to the process line had also been used by his son for internet gaming. Unwittingly, a virus had made its way onto the supposedly secure production line.
There was no ill intent, and the result was a minor loss in production. But the lack of controls exposed the myth that standalone OT is safe. Standalone OT can still be reached through removable media, hot-spot dial-ups, unsupervised remote maintenance connections or internal malicious actors.
The story is fiction, but similar real-life situations have happened. We have all heard of IT security and are familiar with changing passwords, multi-factor authentication and anti-virus engines. We all know that IT is increasingly under attack, but the defences are evolving before our eyes, so we feel secure.
Why is OT different from IT?
In the world of OT, things are different. Machines and production lines can be 20 or 30 years old. The scope is wide: manufacturing machines, robots, test rigs, simulators, intelligent tooling, and in the facilities world: building management systems, access control, CCTV and utilities supply.
The culture of security has been restricted to the physical realm – preventing access to the site – and has not extended to the digital. Passwords are often still the manufacturer defaults installed many years ago. Firmware may never have been updated.
This makes OT a different paradigm. The people side needs attention: staff must buy into today’s threat world, which is unlike anything in their entire working experience.
In IT security, the threat priority is often categorised as CIA:
Confidentiality is the most important. Nobody wants their data accessed or stolen.
Integrity – again, avoiding data being tampered with or corrupted.
Availability – access and uptime are important but not as much as the two higher priorities.
In OT security, the pyramid is inverted. Continuous manufacturing means that:
Availability comes first, otherwise factory operational efficiency plummets.
Integrity – processes must not be tampered with.
Confidentiality – losing programs or designs is to be avoided but secondary to the prevention of disruption.
Aggregation of data can be an issue in secure environments. Safety trumps all the above in OT as environmental accidents or physical harm are possible consequences of OT incidents.
IT has a culture of security. We all know of viruses, anti-malware, email phishing and the need to keep software updated. But OT has no such historic culture. It is owned and used by non-cyber professionals. There are often obsolete operating systems, firmware that has never been upgraded, passwords shared and never changed.
Unless you have walked around a factory recently, or worked on an engineering test rig, OT can seem industrial or far away. But it also exists in office buildings with access control systems, CCTV and building management systems, and in electrical supply plants and water and waste systems. A breach in any of these could quickly render the building unusable and has the potential to put staff in harm’s way.
Companies may not have accurate asset registers, and those they do have may lack detail. Until you open a cabinet on a manufacturing machine, you cannot be sure there is not a connection there back to the manufacturer or to the open internet. There may be connections that you do know about – for remote access and maintenance. But these may be unmonitored, and it may be possible for access to be initiated by the remote party.
Machines very often have the manufacturer’s default passwords still in force. And passwords may be openly shared amongst the team – or often printed on the access panel. This leaves machines vulnerable to visiting third parties or disaffected internal staff.
Newer machines will often have connections to a network, whether the cloud or corporate networks. In OT these networks are often flat, without segregation, so once access is gained a threat actor may walk across the network and the site.
Third parties constitute a major threat – they may be left unsupervised; they may bring infected laptops or USB drives on site. Passing removable media amongst staff is a common threat.
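To make the gaps described above concrete – an asset register that has drifted from what is actually on the wire, unknown connections back to the manufacturer or the open internet, remote parties initiating access, and credentials or firmware left as installed – here is an added Python example. It is not Project One’s code and does not come from the article; the asset register, the flow-log format and every address in it are constructed for illustration, and in practice the flow records would come from the OT firewall or a passive network monitor. It reconciles the register against the observed flows and lists the hygiene findings a site would want to review.

```python
"""Reconcile a constructed OT asset register against constructed flow logs.

Flags (1) devices seen on the OT segment that are absent from the register,
(2) egress from the OT segment to addresses outside the site's private ranges,
(3) sessions initiated from outside the OT segment towards it (the remote
party opened the connection) and (4) registered assets whose credentials or
firmware have never been changed since commissioning.  All data is constructed.
"""
import ipaddress
import re
from datetime import date

# Constructed OT segment and site-wide private ranges (assumptions for the example).
OT_SEGMENT = ipaddress.ip_network("10.20.1.0/24")
SITE_PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed asset register: what the site believes is on the OT segment.
ASSET_REGISTER = [
    {"ip": "10.20.1.10", "name": "robot-cell-1", "commissioned": date(2009, 5, 1),
     "credential_last_changed": date(2009, 5, 1), "firmware_last_updated": None},
    {"ip": "10.20.1.11", "name": "qa-laser-station", "commissioned": date(2018, 2, 14),
     "credential_last_changed": date(2023, 11, 3), "firmware_last_updated": date(2023, 11, 3)},
    {"ip": "10.20.1.20", "name": "bms-controller", "commissioned": date(2015, 9, 9),
     "credential_last_changed": None, "firmware_last_updated": date(2015, 9, 9)},
]

# Constructed firewall flow records in a simple key=value format (an assumption).
FLOW_LOG = """\
2024-03-04T02:15:07Z src=10.20.1.10 dst=10.20.1.11 dport=502 proto=tcp
2024-03-04T02:15:09Z src=10.20.1.10 dst=203.0.113.7 dport=443 proto=tcp
2024-03-04T02:16:41Z src=10.20.1.77 dst=10.20.1.11 dport=44818 proto=tcp
2024-03-04T02:17:02Z src=198.51.100.4 dst=10.20.1.20 dport=3389 proto=tcp
2024-03-04T02:18:30Z src=10.20.1.11 dst=10.9.8.7 dport=1433 proto=tcp
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_flows(text):
    """Parse flow lines into dicts with ip_address objects; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # tolerate truncated or foreign lines rather than abort the audit
        rec = m.groupdict()
        rec["src"] = ipaddress.ip_address(rec["src"])
        rec["dst"] = ipaddress.ip_address(rec["dst"])
        rec["dport"] = int(rec["dport"])
        flows.append(rec)
    return flows


def unregistered_ot_hosts(flows, register):
    """Addresses inside the OT segment that talk on the wire but are not in the register."""
    known = {ipaddress.ip_address(a["ip"]) for a in register}
    seen = {f["src"] for f in flows} | {f["dst"] for f in flows}
    return sorted(str(ip) for ip in seen if ip in OT_SEGMENT and ip not in known)


def external_egress(flows):
    """OT hosts reaching addresses outside every site private range (internet or vendor)."""
    def is_private(ip):
        return any(ip in n for n in SITE_PRIVATE)
    return [f for f in flows if f["src"] in OT_SEGMENT and not is_private(f["dst"])]


def inbound_remote_initiations(flows):
    """Sessions opened from outside the OT segment towards it: the remote party initiated access."""
    return [f for f in flows if f["dst"] in OT_SEGMENT and f["src"] not in OT_SEGMENT]


def stale_hygiene(register):
    """Assets whose credentials or firmware were never changed after commissioning."""
    findings = []
    for a in register:
        if a["credential_last_changed"] in (None, a["commissioned"]):
            findings.append((a["name"], "credentials unchanged since commissioning"))
        if a["firmware_last_updated"] in (None, a["commissioned"]):
            findings.append((a["name"], "firmware never updated since commissioning"))
    return findings


def audit(flow_text=FLOW_LOG, register=ASSET_REGISTER):
    """Run all four checks and return the findings as plain strings/tuples for review."""
    flows = parse_flows(flow_text)
    return {
        "unregistered_hosts": unregistered_ot_hosts(flows, register),
        "external_egress": [str(f["dst"]) for f in external_egress(flows)],
        "inbound_remote": [f"{f['src']}->{f['dst']}:{f['dport']}" for f in inbound_remote_initiations(flows)],
        "stale_hygiene": stale_hygiene(register),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

Each finding maps back to a paragraph above: the unregistered host is the asset register gap, the external egress is the cabinet connection nobody knew about, the inbound session is the remote party initiating access, and the hygiene list is the default password and untouched firmware. The point of the reconciliation is that none of it requires touching the machines – it reads what the network already sees and compares it with what the business believes.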
The common link in OT is the person. The manufacturing engineer, and everyone else who may have reason to access the floorplate, must be sensitively briefed and made aware of the new threat world. They must be given the impetus to take cybersecurity as seriously as they take safety. And they must be trained in OT security working habits and policies so that they know how to work in today’s world. Cultural change is the most important response that we can implement.
Who must be involved?
Key to securing an enterprise is having an active Sponsor: the person who holds the risk were an untoward event to occur. This will often be the Manufacturing or Engineering Director. They will want assurance that their operations will continue unperturbed.
Whereas for IT security, the IT team with the Cyber team can perform the work, this is different in the world of OT. It becomes a team sport – the active participation of Manufacturing, Engineering, Facilities, Supply Chain, IT and Cyber teams is needed.
The Sponsor must tell the staff that cybersecurity is important, and they must listen, learn and support the OT security project. Then the project team must sell to those staff such that they build their awareness and knowledge to work safely in a new way.
The Sponsor must drive an end-to-end project to implement OT security across the business. Organisations may be tempted to hand off responsibility: the Cyber team conducts assessments, then the Manufacturing team implements remediations. This will fail: an organised end-to-end responsibility must be taken, and it must include people and cultural change as the core thread.
Decisions revolve around risk. What is the attack risk and the event consequence at the outset? Which of those risks are the least tolerable and demand urgent attention? Then, after remediation, the senior owners of risk must review an outturn status – the risk will never be zero, but has it been reduced to an understood and accepted position, allowing work to move on to subsequent areas?
This article started with a fictionalised story, but every year there are more real-life events, such as the 2022 attack by the Predatory Sparrow group on an Iranian steel factory. CCTV video was released which shows workers leaving the floorplate shortly before a machine behaves erratically, spilling molten steel and starting a blaze.
Nowadays, boards are asking the question: will the cybersecurity breaches that they hear about in the news happen to them? Are they carrying risk and what should they do about it?
At Project One, we have real-life experience of managing and mitigating the OT cyber threat. We have built assurance programmes to secure the Operational Technology across complex enterprises. We have delivered remediations on the ground, pragmatically and swiftly securing factories and sites. We have responded to OT security events and managed the recoveries. OT security is a topic that every business must take seriously. Project One can help answer those questions from the Board, and can actively support making businesses safer and more secure.