Following individual attacks from state cyber-armies in the past, organized cybercriminals have now also discovered the manufacturing industry. This shortens the time companies have left to implement at least basic protection in operational technology (OT) and to integrate it into IT security. Concepts and technologies are available, and especially at the process level they enable greater automation and integration that can move things up a gear.
Business efficiency processes are driving ahead with digitalization and the accompanying networking of manufacturing environments. Exceptional circumstances like the coronavirus pandemic have accelerated this process even more with the introduction of ad hoc remote access points in places, for example.
This is understandable: necessary business transformations have always led to (sometimes disruptive) changes and especially in manufacturing, the show must go on, even during the pandemic.
However, the stark rise in the number of cyber incidents in manufacturing worldwide makes it clear that we should pause this transformation and address the weak spots in cybersecurity in the right way. This means first closing existing gaps as quickly as possible, so that we can move forward on a solid foundation.
The lockdown was the defining topic of the year in 2020 and it presented difficult choices for decision-makers in businesses. Companies that previously didn’t think much of working from home were also quick to discover that remote access points were the method of choice for business continuity. For office work, such a remote working environment was comparatively easy to achieve. This applied to the white-collar sector, but not to warehouses or manufacturing. Here, a large (if not the largest) proportion of added value is generated on site – as in the operation of critical infrastructures.
Home office in manufacturing? Difficult. But in fact, machines and plants can of course be maintained and operated from a distance. In line with this, the number of remote access points in operational technology (OT) also grew rapidly in 2020.
The lockdown forced us to act. At this time, I saw many manufacturing environments where this was implemented in a pragmatic way – in remote administration, for example. On the side wall of a 19-inch rack where we had just installed an OT security monitoring system for machine control, an “F” box (small DSL router) was hanging, taped onto a switch. And although I stopped and looked at it for a few seconds, people often said to me: “It’s just temporary”.
That’s perhaps an extreme example of how we opened up our OT networks and are now reacting in retrospect, thinking about segmentation and visibility (monitoring of network activity) and trying to catch up without disturbing production.
This has made us vulnerable. So it’s no wonder that damage to manufacturing plants from ransomware (which spreads across unsecured network connections and is most successful at infecting unpatched systems) is currently the most relevant threat. A predictable development once the speed of networking outdated systems overtook the speed of protecting them.
We therefore need to be faster in two ways. First, we need to close the protection gap that has opened up. That includes, for example, the lack of segmentation, access controls (including secure, industrial-grade remote maintenance access points), monitoring, endpoint protection, and cybersecurity processes in manufacturing.
Second, there is the question of response times: especially in older manufacturing environments, a ransomware infection can under certain circumstances spread across the whole network in a matter of minutes. Here, a manual response is too slow. However, an automatic response is no easy task in the manufacturing environment, where endpoints and protocols are rarely standardized and are sensitive to any change to or installation of software. Our standard IT solutions are therefore often unusable because of their high rates of false positives in certain situations; under certain circumstances they can even erroneously block critical process communications.
How can we speed up now?
It is well known that integrating IT and OT security is a necessary requirement for effective cybersecurity. If we look at the above example of a ransomware infection, such attacks often start with activities in the IT sector (phishing emails, malware downloads, accessing infected websites, suspicious DNS requests, installing suspicious software on endpoints, remote access at unusual times, etc.) that are easily detected with current methods and technologies in that sector. Alarms triggered there can therefore be used as an early-warning system: analyses from the IT side shorten response times on the OT side. This integrated approach (IT plus OT) therefore facilitates more targeted responses. If necessary, SIEM or SOAR use cases and scenarios for OT systems can also be activated: security information and event management or security orchestration, automation and response automate and accelerate typical manual level 1 SOC analyst activities such as verification, qualification and queries.
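To make the early-warning idea above concrete, here is an added example (not code from the original article or from any named product) of a minimal SIEM/SOAR-style correlation rule: IT-side alarms on a host are correlated with a later flow from that host into the OT segment, and the response tier is chosen so that intra-OT process communications are never acted on automatically, the failure mode described earlier. All events, host names, the OT asset inventory and the port list are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), normalised the way a SIEM
# would present IT-side alarms and flows crossing into the OT segment.
IT_ALERTS = [
    {"ts": "2021-03-02T02:10:00", "host": "vpn-gw", "type": "remote_access_offhours"},
    {"ts": "2021-03-02T07:58:00", "host": "ws-17", "type": "phishing_attachment"},
    {"ts": "2021-03-02T08:01:00", "host": "ws-17", "type": "suspicious_dns"},
]
OT_FLOWS = [
    {"ts": "2021-03-02T08:03:00", "src": "ws-17", "dst": "hmi-01", "port": 445},
    {"ts": "2021-03-02T08:04:00", "src": "hmi-01", "dst": "plc-03", "port": 502},
    {"ts": "2021-03-02T08:30:00", "src": "vpn-gw", "dst": "hmi-01", "port": 3389},
]
OT_ASSETS = {"hmi-01", "plc-03", "eng-02"}      # assumed OT asset inventory
PROCESS_PORTS = {502, 44818, 102}                # Modbus/TCP, EtherNet/IP, S7comm


def correlate(it_alerts, ot_flows, window=timedelta(minutes=30), min_alerts=2):
    """Raise OT early warnings from IT alarms that precede a flow into OT.

    Tiers: intra-OT process traffic is never acted on automatically; an IT
    host with >= min_alerts alarms inside the window is isolated at the
    IT/OT boundary (on the IT side, not at the OT device); any other
    OT-bound flow goes to the level 1 triage queue as alert_only.
    """
    findings = []
    for flow in ot_flows:
        if flow["dst"] not in OT_ASSETS:
            continue                                  # not an OT-bound flow
        if flow["src"] in OT_ASSETS and flow["port"] in PROCESS_PORTS:
            continue                                  # allowlisted process comms
        t = datetime.fromisoformat(flow["ts"])
        prior = [a["type"] for a in it_alerts
                 if a["host"] == flow["src"]
                 and timedelta(0) <= t - datetime.fromisoformat(a["ts"]) <= window]
        action = "isolate_at_it_ot_boundary" if len(prior) >= min_alerts else "alert_only"
        findings.append({"host": flow["src"], "target": flow["dst"],
                         "port": flow["port"], "it_alerts": prior, "action": action})
    return findings


if __name__ == "__main__":
    for finding in correlate(IT_ALERTS, OT_FLOWS):
        print(finding)
```

With the sample data, ws-17 (phishing plus suspicious DNS minutes before an SMB connection to the HMI) is escalated for isolation at the boundary, the off-hours VPN alarm six hours before the vpn-gw flow falls outside the window and is only queued for triage, and the HMI-to-PLC Modbus traffic produces no finding at all.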
Definition: Any technology whose objective is to automate processes, machines, and plants can be described as automation technology. This means that these processes, machines, and plants are put in a position where they can work without human input and control themselves.
Source: Institut für Integrierte Produktion (IPH: Institute for Integrated Manufacturing)