Maintaining IT and OT Security to Prevent Supply Chain Disruptions

Manufacturers — especially those producing assets necessary to combat the COVID-19 pandemic — must be vigilant in protecting both IT and OT systems.


Interpol issued a warning about the increasing number of cyberattacks targeting key organizations and infrastructure involved in the COVID-19 response. With the enactment of the Defense Production Act, this alert encompasses manufacturing facilities, which are now on the frontlines producing urgently needed ventilators and personal protective equipment like masks and gowns. Cyberattacks threatening the integrity of the supply chain are more concerning than ever because disruptions and delivery delays leave healthcare providers and patients without essential protections and at increased risk for infection.

Manufacturers are particularly vulnerable to cyberattacks because interconnected information technology (IT) and operational technology (OT) systems create opportunities for massive disruption with far-reaching impact — a primary motivator for cybercriminals. Although protecting core IT networks is critical to reducing this risk, additional protections must be in place to block adversaries from moving laterally from IT into OT systems and compromising those as well.

Threats can interfere with manufacturing processes by seizing control of industrial equipment or shutting down critical systems related to supply chains, such as automation and control systems, HVAC, energy management, fire and gas detection, surveillance and physical access control systems.

With so much at stake, manufacturers — especially those producing assets necessary to combat the COVID-19 pandemic — must be vigilant in protecting both IT and OT systems. To accomplish this, they need to understand how these two types of systems differ, yet also intersect, and how to use this knowledge to identify areas of weaknesses.

Challenges in OT security

OT systems encompass the machines responsible for physical processes and operations in plants and other industrial facilities, and often rely on proprietary communication and network protocols, many of which lack encryption. Although common standards and frameworks give IT systems a shared baseline, this is rarely the case for OT systems, which typically rely on vendor-proprietary and often insecure protocols.

Simply put, it is inherently more difficult — if not impossible — to ensure OT systems reach the same level of security as IT systems. Consider the task of patching, for example. IT systems can easily and systematically be updated to implement the latest security updates and fixes. The same is not true for OT systems, which are engineered to be operations-centric. As a result, updating OT systems with the granularity and efficiency of an IT system can often be impossible due to numerous constraints, many of which are contingent on the vendor’s design of the system itself.

According to ABI Research, another very real challenge for securing OT systems is funding. Manufacturers are continually investing in ways to innovate their products, which is certainly a significant consideration and will typically be prioritized ahead of other investments. And, to be sure, retrofitting older facilities to integrate with IT networks comes at a significant cost, especially today, as many organizations are cutting budgets.

Recognizing vulnerabilities and reducing risk

A proactive cybersecurity posture is important to preventing potential supply chain disruptions and ensuring resiliency in operations. Manufacturers must consider the nuances of relying on numerous, highly connected IT and OT systems to create the most secure environment possible. Further, this challenge varies in complexity and operation — the IT and OT environments and the underlying risks for a manufacturing facility will be vastly different in a petrochemical refinery and a geographically dispersed power transmission operation, for example. Our observations from working with a number of clients indicate a few recurring weaknesses, which include but are not limited to:

  • Lack of host security. Hosts on the network can present an array of attack vectors. A prominent threat frequently used by adversaries is ransomware. Ransomware attacks are most frequently delivered through phishing attempts — emails impersonating legitimate sources that trick recipients into clicking a link that delivers a malicious executable. Once executed, the ransomware encrypts data on the hard drive using strong encryption. The only way to obtain the decryption key is by paying a ransom, which can easily range from a few thousand dollars to hundreds of thousands of dollars.

  • Lack of training. Training teaches employees how to identify a potential cyberattack and how to appropriately report a suspected security incident so that the organization can respond in an organized way. Organizations often lack basic cybersecurity training for all employees, whether on the IT or the OT side of the business. Key opportunities for awareness and training can be incorporated into new employee onboarding and as an annual refresher.

  • Lack of access control. A human-machine interface (HMI) gives operators quick access to monitor processes and adjust ongoing operations if needed. Modifying live processes often requires user authentication, and in OT environments engineers have been observed to frequently share these credentials. Because adjusting live physical processes is time-critical, implementing granular user access controls for individual engineers may even be counterproductive and downright unsafe in OT environments.

  • Lack of formal asset inventory. Everything that exists on a network must be accounted for in order to appropriately protect it. This is especially true in a manufacturing facility, where each asset should be identified with clear indications of how it is connected to the OT network. An asset inventory should also include any OT network operating in an islanded cell.

  • Lack of application whitelisting. Application whitelisting should be employed where possible and if approved by the system vendor. This process specifies the approved applications and files that are permitted to run and reduces the risk of malicious or unauthorized applications being installed and executed on systems.
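As an added example of the asset-inventory point above (this is illustrative code written for this page, not the article author's or any vendor's tooling), the script below reconciles a formal inventory of OT assets against hosts seen by passive network monitoring. All asset names, MAC addresses, IP addresses and segment names are constructed. It flags devices that are not in the inventory, devices seen on a segment other than the one they are approved for, inventoried assets that were never observed, and the case the article's last sentence alludes to: an asset that belongs to an islanded cell showing up on the connected OT network, which means the isolation boundary has been bridged.

```python
"""Asset inventory reconciliation for an OT network (added example).

Assumptions (all constructed for illustration): the formal inventory is a list
of Asset records keyed by MAC address with the segment each asset is approved
for; OBSERVED is what a passive monitoring sensor reported as (mac, ip, segment).
Assets in islanded cells are expected NOT to be seen by the connected sensor.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Asset:
    mac: str
    name: str
    segment: str      # approved segment, e.g. "ot-main" or "islanded-cell-3"
    islanded: bool    # True if the asset belongs to an air-gapped cell


@dataclass(frozen=True)
class Finding:
    kind: str         # category of discrepancy
    mac: str
    detail: str


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form so formats compare equal."""
    return mac.strip().lower().replace("-", ":")


# Constructed formal inventory.
INVENTORY: List[Asset] = [
    Asset("00:1d:9c:aa:00:01", "PLC-01 (filling line)", "ot-main", False),
    Asset("00:1d:9c:aa:00:02", "HMI-02 (filling line)", "ot-main", False),
    Asset("00:1d:9c:bb:00:03", "PLC-03 (packaging cell)", "islanded-cell-3", True),
    Asset("00:1d:9c:aa:00:04", "Historian-01", "ot-dmz", False),
]

# Constructed sensor observations: (mac, ip, segment the sensor saw it on).
OBSERVED: List[Tuple[str, str, str]] = [
    ("00:1D:9C:AA:00:01", "10.20.1.11", "ot-main"),   # known, where expected
    ("00:1d:9c:aa:00:02", "10.20.1.12", "ot-main"),   # known, where expected
    ("00-1d-9c-bb-00-03", "10.20.1.33", "ot-main"),   # islanded PLC on main net
    ("b8:27:eb:12:34:56", "10.20.1.99", "ot-main"),   # not in inventory at all
]


def reconcile(inventory: Iterable[Asset],
              observed: Iterable[Tuple[str, str, str]]) -> List[Finding]:
    """Compare observations with the inventory and return every discrepancy."""
    by_mac = {normalize_mac(a.mac): a for a in inventory}
    seen = set()
    findings: List[Finding] = []

    for mac, ip, segment in observed:
        key = normalize_mac(mac)
        seen.add(key)
        asset = by_mac.get(key)
        if asset is None:
            findings.append(Finding("UNKNOWN_DEVICE", key,
                                    f"{ip} on {segment} is not in the inventory"))
        elif asset.islanded and segment != asset.segment:
            # An air-gapped cell asset visible on the connected network means
            # the cell's isolation has been bridged; treat as high priority.
            findings.append(Finding("ISLANDED_ASSET_ON_CONNECTED_NETWORK", key,
                                    f"{asset.name} seen at {ip} on {segment}"))
        elif segment != asset.segment:
            findings.append(Finding("SEGMENT_MISMATCH", key,
                                    f"{asset.name} approved for {asset.segment}, seen on {segment}"))

    # Inventoried but never observed: possible stale inventory or a dead host.
    # Islanded assets are skipped because the connected sensor cannot see them.
    for key, asset in by_mac.items():
        if key not in seen and not asset.islanded:
            findings.append(Finding("NOT_OBSERVED", key,
                                    f"{asset.name} ({asset.segment}) not seen by sensor"))
    return findings


if __name__ == "__main__":
    for f in reconcile(INVENTORY, OBSERVED):
        print(f"{f.kind:40} {f.mac}  {f.detail}")
```

Run on the constructed data it reports the packaging-cell PLC on the main network, the unknown device, and the historian that was never observed; the two filling-line assets produce no finding. Feeding it a real sensor export and inventory is a matter of replacing the two constructed lists.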
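To make the whitelisting bullet concrete, here is an added example (written for this page; not the article author's code and not any commercial allowlisting product) of the core check such a control performs: an allowlist keyed by the SHA-256 digest of each approved build, with deny-by-default for everything else. The approved builds and the observed executables are constructed byte strings standing in for real files. The third observation shows why the list is keyed by hash rather than file name: a modified copy that keeps an approved name is still denied.

```python
"""Hash-based application allowlist check (added example).

Assumptions (constructed for illustration): APPROVED_BUILDS holds the exact
bytes of each vendor-approved executable; OBSERVED holds (path, bytes) pairs an
endpoint agent captured before allowing execution. In practice the bytes would
be read from disk and the allowlist distributed from a central policy store.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for approved binaries (vendor-approved builds).
APPROVED_BUILDS: Dict[str, bytes] = {
    "hmi_client.exe": b"HMI-CLIENT-BUILD-4.2",
    "historian_svc.exe": b"HISTORIAN-SERVICE-BUILD-1.9",
}

# The allowlist is keyed by digest, not by name or path, so renaming or
# relocating a binary neither grants nor revokes permission; only content does.
ALLOWLIST: Dict[str, str] = {
    sha256_hex(content): name for name, content in APPROVED_BUILDS.items()
}


@dataclass(frozen=True)
class Decision:
    path: str
    allowed: bool
    reason: str


def check_execution(path: str, content: bytes,
                    allowlist: Dict[str, str] = ALLOWLIST) -> Decision:
    """Deny-by-default: only a digest present in the allowlist may run."""
    digest = sha256_hex(content)
    approved_name = allowlist.get(digest)
    if approved_name is None:
        return Decision(path, False, f"sha256 {digest[:12]}... not on approved list")
    return Decision(path, True, f"matches approved build of {approved_name}")


def evaluate(observed: Iterable[Tuple[str, bytes]],
             allowlist: Dict[str, str] = ALLOWLIST) -> List[Decision]:
    """Apply the check to a batch of observed (path, content) pairs."""
    return [check_execution(path, content, allowlist) for path, content in observed]


# Constructed observations: an approved binary in its normal location, an
# unknown download, and a tampered copy that keeps the approved file name.
OBSERVED: List[Tuple[str, bytes]] = [
    ("C:/Program Files/HMI/hmi_client.exe", APPROVED_BUILDS["hmi_client.exe"]),
    ("C:/Users/op1/Downloads/invoice_viewer.exe", b"UNKNOWN-DOWNLOADED-PROGRAM"),
    ("C:/Temp/hmi_client.exe", APPROVED_BUILDS["hmi_client.exe"] + b"\x90"),
]


if __name__ == "__main__":
    for d in evaluate(OBSERVED):
        print(("ALLOW" if d.allowed else "DENY "), d.path, "-", d.reason)
```

Only the first observation is allowed; the unknown download and the altered copy of hmi_client.exe are both denied, and the denial reason records the digest so the event can be correlated later. Updating an approved application means adding the new build's digest to the list, which is exactly the vendor-approval step the bullet point calls for.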

The sudden need for the production of critical medical equipment has brought into focus the integral part manufacturers play in our healthcare system. Investing in necessary tools and tactics to maintain the strongest security posture possible will not only ensure the safety of our providers on the front lines, but also allow manufacturers to meet business goals. But even beyond the pandemic, these strategies will remain crucial to protecting operational technology from cyberattacks that shut down manufacturing efforts and disrupt supply chains critical to national security.