The continuing convergence of operational technology (OT) and information technology (IT) systems creates possibilities for businesses to increase efficiency and improve performance, and it can even reduce operating costs. Unfortunately, it also creates new opportunities for cybercriminals to exploit OT systems that are significantly more challenging to protect than traditional IT. Many organizations operate on aging infrastructure no longer supported by updates and patches from the original manufacturers. Worse still, many systems are incompatible with modern cybersecurity solutions, requiring the business’s managers to think ‘outside the box’ to keep the OT protected.
For manufacturers, an attack that disrupts production for any length of time has the potential for both physical and financial harm. Their attackers know manufacturers rely on OT to keep production lines moving, and capitalize on exploiting those systems with ransomware and other common attack tactics. Keeping those OT systems secure is a must for manufacturers—and it starts with improving visibility and mitigating vulnerabilities before attackers have the chance to exploit them.
The challenge of protecting OT
Operational technology is designed to monitor and control processes and equipment in the physical world, such as industrial control systems, supervisory control systems, robotic equipment in factories, and dozens of other manufacturing assets. IT systems are (comparatively) simple to upgrade and replace, but OT systems are generally expected to last much longer. After all, while a company might upgrade its laptops or migrate some of its business applications every few years, it’s unlikely to replace an entire manufacturing line—which is both prohibitively expensive and unnecessarily disruptive.
As a result, many of the OT systems in use now are significantly older than most IT systems. Unfortunately, that often means the two don’t communicate well, making IT and OT system integration a challenge. The imperfect connections between legacy equipment and modern technology create additional exposure points for attackers to exploit—and there is not much that manufacturers can do to address the problem directly.
Because OT systems are essential to operations, manufacturers often have to accept that some element of risk is inherent to the technology. That risk can be mitigated by isolating and segmenting OT infrastructure, but that reduces visibility into those systems. Less visibility means less ability to monitor for attack activity, which hands adversaries another advantage.
The expected service life for OT systems presents another problem: if OT remains in use for years (or even decades) it eventually reaches a point where the original manufacturer no longer supports it with updates and patches. For attackers, this creates a perfect storm. Because OT systems are large, expensive, and integral to operations, manufacturers are less inclined to replace them unless absolutely unnecessary. But the longer they remain in use, the more vulnerable they become—and the more difficult it is to compensate with other controls.
Targeting and exploiting OT systems
Social engineering is one of the most common attack tactics used to target businesses, including manufacturers. As vulnerable as OT systems can be, the truth is that human beings are almost always the weakest link in any system. There’s a reason that the human element is involved in a whopping 82% of all cyberattacks: it’s a lot easier to trick an employee into handing over his or her credentials than it is to hack into a network. Adversaries use phishing scams, business email compromise (BEC) attacks, and other tactics to access admin credentials and gain privileged access to OT systems and other valuable assets. Of course, social engineering is hardly the only way attackers gain access to those systems: application exposures and misconfigurations are also common.
Because OT systems are tied to monitoring and controlling physical assets, there’s the very real possibility that a compromised system could not only cause financial loss, but physical harm to both equipment and employees. For example, if an OT system designed to monitor the chemical balance in an industrial mixing tank or the pressure in a valve is compromised, the potential damage could be astronomical.
That said, most attackers are not out to cause destruction or loss of life—they’re typically motivated by financial gain or in pursuit of social or political change (also known as “hacktivism”.) Manufacturers also tend to be highly motivated to pay ransom demands to regain access to their systems and resume operations as quickly as possible.
So, the question is: How can manufacturers protect their OT systems and prevent attackers from compromising them in the first place?
Visibility and communication
The answer starts with visibility. The lack of visibility into OT leaves systems unprotected—and that’s if organizations are aware they exist at all. Discovery is the first step in the vulnerability management process, helping manufacturers to understand better what systems they have in place and what’s particularly vulnerable to attack.
Manufacturers need to conduct a thorough asset inventory to understand critical information about their environment, asking questions like, what OT systems are present and what purpose do they serve? Are those systems still functioning effectively? And are they still supported by the manufacturer? Knowing the answers to these points will help present a more holistic picture of the gaps in your environment today.
Software ‘versioning’ is the next critical step. Once discovery has concluded, ensure the OT systems in use have the most up-to-date software and firmware installed. It’s also important to review the organization’s access controls to identify which users can update OT systems. Because attackers often attempt to access OT systems using stolen credentials, limit the number of identities that can grant privileged access to those systems. If it’s feasible, implement solutions that monitor users accessing OT systems and flag any suspicious or unusual behavior.
For OT systems no longer supported by the manufacturer, there may not be recent updates or patches to install. For these systems, visibility is even more critical. Manufacturers should consider implementing continuous-monitoring solutions capable of flagging abnormal behavior to security teams for immediate attention. OT systems may not always be compatible with modern cybersecurity solutions, but monitoring tools can still flag suspicious behavior, such as an unrecognized user attempting to gain access to OT systems or install an update. Quickly identifying and remediating such activity is one of the most effective ways to limit the risk inherent to OT systems.
Finally, an underutilized path to limit risk is improving internal communications. At large organizations—such as most manufacturing companies—teams are often siloed. For example, IT and security teams may have limited contact with the employees interacting directly with OT systems, creating a disconnect. As a result, security teams can lack intimate knowledge of exactly how OT systems function, while employees interacting with OT may not know what sort of suspicious activity should be flagged to security. Simply improving the lines of interoperability and interdepartmental communication can help get everyone pulling in the same direction and ensure all parties have a more complete view of the attack surface.
Limiting vulnerability by improving visibility
Securing OT systems against modern threats can be a significant challenge, but today’s manufacturers have more options than ever at their fingertips. Even OT systems no longer supported with updates and patches can be protected by layered security solutions, including continuous monitoring tools designed to improve visibility. By improving detection capabilities and ensuring appropriate remediation plans are in place, manufacturers can shield even their most vulnerable OT systems from today’s most advanced threats.
Tyler Zito is a senior solution architect with Expel, which develops managed detection and response software.
