From supply chain risks and breaches to employees’ physical safety, the manufacturing industry is no stranger to operational technology (OT) security challenges. The good news? Experts say awareness has increased among manufacturers. But whether that will lead to improvements is difficult to say.
OT controls the processes and equipment necessary for manufacturers. It’s built to last, but that also means there’s legacy technology — unsupported and difficult to update — on the factory floor. A lack of visibility around an overwhelming number of assets presents heightened concerns as well. And then comes the human factor.
“People are the biggest risk to computer systems, period,” says Almog Apirion, CEO and co-founder of Cyolo, which provides secure remote privileged access for industrial and OT systems.
Abundant Access Points Equals Abundant Problems
Indeed, human risk leads to bad access. Manufacturing companies must secure a wide range of assets and access to them. The number of access points continues to grow with mergers and acquisitions, with acquired companies bringing in their own vendors and using their technology, Apirion says. For most companies, gaining visibility across access points is almost impossible now, he adds.
On top of those security headaches, it’s also difficult to keep track of users and who has or needs access to which technologies — especially when multiple users are granted permission to the admin account.
It makes incident response investigations much more difficult.
“We hear from more and more customers that something happened during the weekend at 3 a.m., and it’s Operator 1 or Admin 1, but they don’t know who it is because they have so many different people associated with it,” Apirion explains.
In another case, Apirion observed one user who had to perform seven logins to gain access. If users must do that to do their jobs, they’ll likely bypass the system, he warns.
Prioritizing IT Over OT
Another hurdle is how manufacturing companies operate in a variety of environments. Technologies can be connected to the cloud or even offline, requiring different security measures around identity and segmentation. The old perception that if technology is not reachable, it’s not “breach-able” is now obsolete, says Apirion, emphasizing how IT and OT have become hyperconnected.
While effective OT security is vital, focus oftentimes revolves around IT instead.
“Security around IT is more developed even though companies are making money off of manufacturing stuff,” Apirion says.
Can Manufacturers Keep Up With a Growing Attack Surface?
OT security problems often stem from pressures the industry faces to lower costs, increase supply chain efficiencies, and adopt technologies to scale, explains Kory Daniels, chief security and trust officer at LevelBlue.
“Organizations want to increase AI adoption, go faster, reach more markets, and be more competitive, and that’s putting a strain on security teams on keeping up with, ‘Do we know how our attack surface is evolving?’” Daniels tells Dark Reading.
That requires companies to keep a good inventory of their OT input and asset health, and to know what’s interconnected and corporate-connected and how much open source is being leveraged to increase manufacturing capabilities.
“Companies need to consider the manufacturing supply chain process of moving things from supplies and goods across an ecosystem of partners,” Daniels says.
But challenges exist on so many different fronts. First, OT means taking technology that was never designed to be Internet-facing and making it so. Second, certain skills are required to handle and support OT, but the skills of the workforce who understand those processes are shrinking.
The ability to implement effective and timely patch protocols in very sensitive environments is another critical concern. Patching for manufacturers requires downtime — a luxury the industry cannot afford.
“Once you even identify the security risks, what do you do about them?” Daniels asks. “And how do you do it in a way [that] the company is making informed risk decisions versus just by default accepting the risk out of fear of what else you will disrupt or break?”
Rising Awareness, but Security Stays the Same
Despite burgeoning and continued OT security problems, Apirion has observed that awareness is improving. Recent incidents like the ransomware attack against Asahi served as a wake-up call to the industry, he says. On top of prolonged production disruptions, in the most recent update, Asahi warned that personally identifiable information “may have been subject to unauthorized data transfer” as well.
The breach highlights both financial and supply chain risks.
“Supply chains are an attack vector but also the other direction is that they’re going to carry and suffer from implications,” Apirion explains. “If I supply Asahi goods, and they’re losing to the competition, I’m going to lose money and fire employees. Everything is interconnected.”
Asahi isn’t alone. A recent LevelBlue report stated that 28% of manufacturing executives confirmed their organization has suffered a breach in the past 12 months. And thirty-seven percent said they experienced a “significantly higher volume of attacks.”
LevelBlue’s Daniels agrees that the industry has become more aware. Prominent attacks like the one against Colonial Pipeline or, more recently, Jaguar Land Rover highlight how damaging fallout can become. Now conversations around OT resiliency have become more commonplace in the boardroom or as an executive topic. Daniels would like to see that expand across the industry.
Whether OT security is improving, however, remains to be seen.
“I think one of the hardest parts with this, in terms of, ‘Are we getting better,’ is how do we measure better outcomes?” Daniels asks. “It’s difficult to quantify if we’re getting better, unless it’s based on how many breaches.”
What Can Manufacturers Do?
An identity-focused security strategy is vital to curb OT security challenges for manufacturing because of the legacy systems, Apirion recommends. Governance should also play an important role to help ensure security is not excluded from project requirements as the board gets excited about new technology adoption to reach broader markets or to increase efficiency — especially as AI increasingly enters the mix, Daniels says.
He calls for a strategy where employees know who to reach out to in any situation, roping in security, compliance, and IT teams.
“Illuminate the entire OT estate because you cannot defend what you can’t see and what you don’t know,” Daniels urges.
About the Author
Features Writer, Dark Reading
Arielle spent the last decade working as a reporter, transitioning from human interest stories to covering all things cybersecurity related in 2020. Now, as a features writer for Dark Reading, she delves into the security problems enterprises face daily, hoping to provide context and actionable steps. She previously lived in Florida where she wrote for the Tampa Bay Times before returning to Boston where her cybersecurity career took off at SearchSecurity. When she’s not writing about cybersecurity, she pursues personal projects that include a mystery novel and poetry collection.