Detect cyber risks before they cause downtime

Production lines are the crown jewels for manufacturers: the core systems that create value and revenue. Downtime, especially unplanned downtime, is anathema. According to Forbes, unplanned downtime costs industrial manufacturers up to $50 billion a year, and shutdowns can consume between 1% and 10% of available production time.

Decades of industrial digitization have improved efficiency, reduced errors and cut costs, but have also introduced greater cyber risk which, if undetected, can lead to unplanned downtime, or worse in the event of a malicious attack. Ransomware attacks grab the headlines, but the real downtime threats are more mundane: asset or network misconfigurations that are detected late, unwanted process changes, resource usage spikes, new connectivity and other anomalies are far more likely to threaten productivity than external cyberattacks. They are also well within the control of your operational technology (OT) engineering and IT teams.

Three fundamental best practices can help you detect and mitigate operational and cybersecurity risks before they cause downtime:

  • Maintain an accurate inventory of all connected devices.
  • Segment the network to prevent unwanted access and reduce the blast radius of a cyber incident.
  • Monitor the network non-intrusively to detect threats before they affect availability.

Inventory all connected assets

Cybersecurity starts with maintaining an accurate inventory of all connected assets, including where they are and what they are communicating with. For manufacturers, this means managing OT/Industrial Control System (ICS) devices as well as all computing and Internet of Things (IoT) devices connecting to the OT network.

Unfortunately, discovery approaches that work for IT don’t always work for sensitive OT and IoT assets, given safety regulations, vendor interoperability issues, industrial process requirements and other constraints. Many OT and IoT assets cannot host an agent (a software component installed on the device to perform security-related actions), and active scanning by standard IT security tools can disrupt or even crash them.

Then there’s a bigger problem: while IT equipment is replaced on short, planned cycles, OT assets have refresh cycles of up to 30 years. Until recently they were not expected to be networked, so they weren’t built with security, or even integrity, in mind.

Adding security (such as agents) after the fact is difficult, and the albatross of “security after the fact” has been hard to shake. Some major OT vendors are finally applying “secure by design” principles to their latest products, but as Vedere Labs pointed out with its OT:ICEFALL vulnerability disclosure, this remains the exception. To complicate matters, known issues in OT assets that stem from “insecure by design” practices are not always assigned a Common Vulnerabilities and Exposures (CVE) identifier, so they remain less visible than they should be while staying just as exploitable.

Despite these challenges, OT and IoT assets can be inventoried using passive techniques that discover, classify and assess them for compliance with your risk policies. These are agentless techniques, chiefly non-intrusive network monitoring with Deep Packet Inspection (DPI) that understands hundreds of industrial protocols and uses them to identify assets, extract configuration details, and detect connectivity and behavioral anomalies.
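As an added illustration of the passive approach (example code written for this page, not code from the page or from any vendor’s product), the script below decodes the Modbus/TCP application header from a few flow records, derives an asset inventory with roles, unit IDs and observed function codes, and diffs that inventory against a maintained asset register. All addresses, unit IDs and flows are constructed; in a deployment the records would come from a SPAN port or TAP through a packet-capture library, and no device is ever contacted.

```python
"""Passive (agentless) OT asset inventory built from captured Modbus/TCP traffic.

Added example for this page, not code from the page or any vendor product.
Input is a list of constructed flow records (IP 5-tuple plus the TCP payload).
Only the Modbus/TCP MBAP header and the function code are decoded, which is
enough to tell servers (PLCs/RTUs) from clients (HMIs, engineering
workstations) and reads from writes without touching any device.
"""
from dataclasses import dataclass, field
import struct

MODBUS_PORT = 502
# Function codes from the Modbus application protocol specification.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class Asset:
    ip: str
    role: str = "unknown"                       # modbus_client / modbus_server / both
    unit_ids: set = field(default_factory=set)  # Modbus unit IDs seen on or from this asset
    functions: set = field(default_factory=set)
    peers: set = field(default_factory=set)
    writes: int = 0                             # requests that change process state


def parse_mbap(payload: bytes):
    """Decode the Modbus/TCP MBAP header. Returns (transaction_id, unit_id,
    function_code) or None when the bytes are not a well-formed Modbus/TCP frame."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol ID is always 0 for Modbus; Length counts unit id + PDU bytes.
    if proto != 0 or length != len(payload) - 6:
        return None
    return tid, unit, payload[7]


def build_inventory(flows):
    """Fold client->server request flows into a per-IP inventory."""
    assets = {}
    for f in flows:
        if f.dport != MODBUS_PORT:      # only requests towards a Modbus server carry intent
            continue
        parsed = parse_mbap(f.payload)
        if parsed is None:              # something else on 502, or a truncated frame
            continue
        _, unit, func = parsed
        client = assets.setdefault(f.src, Asset(f.src))
        server = assets.setdefault(f.dst, Asset(f.dst))
        for a, role in ((client, "modbus_client"), (server, "modbus_server")):
            a.role = role if a.role in ("unknown", role) else "both"
            a.unit_ids.add(unit)
            a.functions.add(FUNCTION_NAMES.get(func, f"fc{func}"))
        client.peers.add(server.ip)
        server.peers.add(client.ip)
        if func in WRITE_FUNCTIONS:
            client.writes += 1
            server.writes += 1
    return assets


def new_assets(inventory, known_ips):
    """Addresses seen on the wire that are missing from the maintained asset register."""
    return sorted(set(inventory) - set(known_ips))


def modbus_request(tid, unit, func, data=b""):
    """Build a Modbus/TCP request frame (used here only to construct sample traffic)."""
    return struct.pack(">HHHB", tid, 0, len(data) + 2, unit) + bytes([func]) + data


# Constructed sample traffic: one HMI, one engineering workstation, two PLCs.
SAMPLE_FLOWS = [
    Flow("10.1.10.5", 49152, "10.2.0.11", 502, modbus_request(1, 1, 3, b"\x00\x00\x00\x0a")),
    Flow("10.1.10.5", 49153, "10.2.0.12", 502, modbus_request(2, 2, 1, b"\x00\x00\x00\x08")),
    Flow("10.1.10.7", 50000, "10.2.0.11", 502, modbus_request(3, 1, 6, b"\x00\x10\x00\xff")),
    Flow("10.1.10.9", 50001, "10.2.0.11", 502, b"GET / HTTP/1.1\r\n"),   # not Modbus, ignored
    Flow("10.1.10.5", 49154, "10.2.0.11", 80, b"GET / HTTP/1.1\r\n"),    # not port 502, ignored
]

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_FLOWS)
    for a in inv.values():
        print(f"{a.ip:12} {a.role:14} units={sorted(a.unit_ids)} writes={a.writes} "
              f"peers={sorted(a.peers)} functions={sorted(a.functions)}")
    print("not in asset register:", new_assets(inv, {"10.1.10.5", "10.2.0.11", "10.2.0.12"}))
```

The write counter is the detail a practitioner cares about: an engineering workstation that is absent from the asset register and is already issuing Write Single Register requests to a PLC is exactly the “new connectivity” and “unwanted process change” case the text describes, and the inventory surfaces it from traffic alone.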

Network segmentation

Digital transformation relies on the convergence of OT and IT systems. Modern manufacturing would not be possible without flexible production methods that rely on hundreds of digital systems, sensors and interconnections between IT and OT networks. Networked Programmable Logic Controllers (PLCs) that drive valves, pumps and other equipment manage each process, and the use of IoT devices to collect real-time data on production processes has exploded. That data flows to IT systems, or even to the cloud, to enable better planning, forecasting and overall performance against metrics.

Convergence does not mean that IT and OT systems are consolidated into a single flat network. Rather, information is shared so that they can interoperate. The challenge is how to securely connect the IT and OT assets and systems that need to communicate while preventing those that don’t. Too often, unwanted communication paths go unchecked and vulnerabilities hide in plain sight because OT and IT are assumed to be separate when they are not. That assumption increases the risk that malware on one network will spread to the other. In manufacturing in particular, the answer is segmentation.

While in IT the usual response to a vulnerability is to apply a patch, this is often not possible in production environments. Patching OT devices is notoriously difficult because of their critical role: systems have to be shut down and restarted to load patches, which means downtime, and some processes and equipment, such as a blast furnace, must be shut down gradually for safety reasons, which raises the cost further.

Instead of applying patches, vulnerable devices often need to be segmented away from the rest of the network until they can be patched. Segmentation projects are notoriously complex, but they don’t have to be. Today you can use software that visually maps traffic flows and identifies what should and shouldn’t be communicating, based on asset classification and how you want assets to interact. From that traffic matrix you can derive your segmentation policies and simulate the impact of each candidate change before enforcing it, without causing disruption.

Non-intrusive network monitoring

To avoid costly downtime, threats to business continuity must be detected and addressed as early as possible. In IT this is done by scanning connected devices for configuration changes and vulnerabilities. OT assets, however, cannot be continuously scanned in the same way, so many risks would go unnoticed. Instead, a system designed for manufacturing environments must passively monitor the network to locate assets and detect behavioral changes and anomalies. This requires understanding dozens of industrial protocols, continuously monitoring communications, and comparing what is observed against a database of OT/ICS-specific Indicators of Compromise (IOCs) and CVEs.

The bane of many monitoring systems is that they produce a flood of information about potential problems, not all of which is urgent. To be useful, alerts must be prioritized by operational or cybersecurity risk so that the right team can respond.

For example, OT engineers need to quickly spot unwanted process values, incorrect measurements, or when a critical device fails so they can resolve issues faster. Likewise, IT/security teams need visibility into suspicious user behavior and unauthorized network connections – and, of course, they need to be notified as soon as an actual cyberattack is detected.
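The traffic-matrix and simulation idea from the segmentation section, and the alert prioritization and routing described just above, are illustrated together in the added example below (written for this page; it is not code from the page or from any vendor). The zone model, the permitted-conduit policy, the list of hosts approved to write to PLCs and every flow record are constructed; in practice the flows would come from passive capture and the zones from the asset register. The script learns an asset-level baseline from a clean window, summarises it as a zone-to-zone traffic matrix, turns each later flow into at most one severity-ranked alert addressed to either the OT engineering or the IT security team, and shows how to count which existing flows a candidate policy change would break before it is enforced.

```python
"""Traffic matrix, segmentation policy check, what-if simulation and alert triage.

Added example for this page, not code from the page or any vendor. Zones, the
conduit policy, the approved-writer list and every flow record are constructed.
"""
from collections import Counter
from dataclasses import dataclass
import ipaddress

# Constructed zone model: office IT, an industrial DMZ and one OT cell.
ZONES = {
    "IT": ipaddress.ip_network("10.1.0.0/16"),
    "DMZ": ipaddress.ip_network("10.9.0.0/24"),
    "OT": ipaddress.ip_network("10.2.0.0/16"),
}
# Conduits the policy permits: (source zone, destination zone) -> TCP ports.
# Anything not listed, including IT -> OT directly, is a segmentation violation.
POLICY = {
    ("IT", "DMZ"): {443},
    ("DMZ", "OT"): {502},
    ("OT", "OT"): {502},
}
MODBUS_WRITE_FC = {5, 6, 15, 16, 22, 23}   # function codes that change process state
ALLOWED_WRITERS = {"10.2.0.20"}             # the one HMI approved to write to PLCs


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    modbus_fc: int = 0     # decoded Modbus function code, 0 when the flow is not Modbus


@dataclass
class Alert:
    severity: int          # 1 informational .. 4 critical
    team: str              # who gets paged: "IT security" or "OT engineering"
    flow: Flow
    reason: str


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"


def traffic_matrix(flows):
    """Zone-to-zone conduit counts: the view a segmentation project starts from."""
    return Counter((zone_of(f.src), zone_of(f.dst), f.dport) for f in flows)


def asset_baseline(flows):
    """Asset-level conduits seen during the (assumed clean) learning window."""
    return {(f.src, f.dst, f.dport) for f in flows}


def evaluate(flow, baseline, policy=POLICY, writers=ALLOWED_WRITERS):
    """Map one observed flow to at most one alert, most serious condition first."""
    sz, dz = zone_of(flow.src), zone_of(flow.dst)
    if flow.dport not in policy.get((sz, dz), set()):
        return Alert(4 if dz == "OT" else 3, "IT security", flow,
                     f"{sz}->{dz} on port {flow.dport} is not a permitted conduit")
    if flow.modbus_fc in MODBUS_WRITE_FC and flow.src not in writers:
        return Alert(4, "OT engineering", flow,
                     f"Modbus write (fc {flow.modbus_fc}) from a source not approved to write")
    if (flow.src, flow.dst, flow.dport) not in baseline:
        return Alert(2, "OT engineering" if dz == "OT" else "IT security", flow,
                     "permitted by policy but never seen during baselining")
    return None


def prioritise(alerts):
    """Most severe first, so each team's queue starts with what matters."""
    return sorted(alerts, key=lambda a: (-a.severity, a.team, a.flow.src))


def simulate_policy_change(flows, candidate_policy):
    """Baseline flows a candidate policy would cut: review these before enforcing it."""
    return [f for f in flows
            if f.dport not in candidate_policy.get((zone_of(f.src), zone_of(f.dst)), set())]


# Constructed learning-window traffic, then later live traffic that adds four events.
LEARNING_FLOWS = [
    Flow("10.1.10.5", "10.9.0.10", 443),        # IT client -> DMZ historian
    Flow("10.9.0.10", "10.2.0.11", 502, 3),     # DMZ historian reads PLC
    Flow("10.2.0.20", "10.2.0.11", 502, 3),     # HMI reads PLC
    Flow("10.2.0.20", "10.2.0.11", 502, 16),    # HMI writes setpoints (approved writer)
]
LIVE_FLOWS = LEARNING_FLOWS + [
    Flow("10.1.10.7", "10.2.0.11", 502, 6),     # IT workstation writes straight to the PLC
    Flow("10.1.10.7", "10.2.0.11", 3389),       # RDP from IT into the cell
    Flow("10.2.0.30", "10.2.0.11", 502, 6),     # in-cell write from an unapproved host
    Flow("10.2.0.20", "10.2.0.12", 502, 3),     # HMI talks to a second PLC for the first time
]


def run_sample():
    baseline = asset_baseline(LEARNING_FLOWS)
    return prioritise([a for a in (evaluate(f, baseline) for f in LIVE_FLOWS) if a])


if __name__ == "__main__":
    for (sz, dz, port), n in sorted(traffic_matrix(LEARNING_FLOWS).items()):
        print(f"{sz:>4} -> {dz:<4} :{port:<5} {n} flows")
    for a in run_sample():
        print(f"sev{a.severity} [{a.team}] {a.flow.src} -> {a.flow.dst}:{a.flow.dport}  {a.reason}")
    no_dmz = {k: v for k, v in POLICY.items() if k != ("DMZ", "OT")}
    print("blocked if the DMZ->OT conduit were removed:", simulate_policy_change(LEARNING_FLOWS, no_dmz))
```

Two design choices are worth noting. The checks are ordered so that a single flow yields one alert for its worst property: a write from an IT workstation straight to a PLC is reported as a segmentation violation for the security team, not as a process-change event for the OT engineers, while the same write from an unapproved host inside the cell goes to OT engineering, which matches the division of labour the text describes. And the simulation reuses the same policy evaluation as enforcement, so the count of flows a candidate policy would block is exactly what would break if it were applied.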

Automate the fundamentals to minimize downtime

With industrial environments increasingly dependent on digital systems for production, fundamental cybersecurity is essential. OT/ICS and even IoT assets present challenges because they typically cannot be patched or scanned, and may even be insecure by design. These challenges can be overcome by:

  • Maintaining a comprehensive asset inventory.
  • Segmenting the network to prevent unwanted access.
  • Monitoring the environment to detect threats as early as possible.
  • Prioritizing and, where possible, automating responses to avoid costly downtime.

All cybersecurity starts with knowing what is on your network. Beyond that, manufacturers need to know what cyber and operational risks exist at each site, and be able to detect threats and prioritize responses before they cause downtime. Each of these activities, including incident response, can be largely automated without putting OT systems at risk.

Given the lack of cyber skills, the explosion of specialized assets, and the changing threat landscape, automating cybersecurity operations is not only desirable, but imperative.
