Cybersecurity in Manufacturing: IT, OT Is Everyone’s Job
A CBIA Manufacturing Spotlight Article
September 5, 2023
The American manufacturing sector continues to rank among the most frequently targeted by cyberattacks.
As manufacturers adopt smart technologies and connect more industrial equipment to their networks (the so-called internet of things), manufacturing is expected to remain a top target for the foreseeable future.
Manufacturers are high-value targets for several reasons including their general importance within the economy, legacy information technology and operational technology, and the value of their data for the purposes of intellectual property or identity theft.
Increased Incidents
Many manufacturing companies have seen an increase in cyber-related incidents associated with the industrial control systems used to manage their operations.
These systems can range from programmable logic controllers and distributed control systems to embedded systems, special purpose systems, industrial IoT devices, and systems that manage quality, health, safety, and even the building or facility itself.
However, recent survey data indicates that while the overwhelming majority of manufacturers have implemented capabilities to detect cyber-events, very few extend that monitoring into their OT environments.
The unfortunate reality is that cybersecurity is no longer limited to certain departments or people within an organization.
When every piece of equipment, component, employee, partner, vendor, visitor, and electronic device represents a potential entry point, cybersecurity awareness must be built into your culture, and every employee should be trained and empowered to assist in your risk mitigation efforts.
Evolving Adversaries
The manufacturing sector is susceptible to a broad range of cyberattacks targeting their operations, infrastructure, and intellectual property.
Attacks commonly deployed by adversaries include:
Phishing: The attacker sends an electronic communication—typically email—to one or more members of an organization impersonating a trusted colleague or associate.
The email contains a malicious attachment or link which, once opened or clicked by the trusting recipient, installs malware or harvests credentials and gives the attacker a foothold on the network.
Phishing attackers are now leveraging artificial intelligence to eliminate the tell-tale phrasing and grammatical mistakes frequently recognized by recipients as a sign of impropriety.
DDoS attacks: The attacker floods systems with more traffic or connection requests than they can handle to cause disruption and/or create cover for malware to be deployed.
As more IoT devices are introduced to the manufacturing process, the risk of Distributed Denial-of-Service attacks increases.
Devices that consume significant bandwidth by their nature, such as digital surveillance systems, leave little headroom when traffic is flooded, and poorly secured devices of this kind are themselves frequently compromised and enlisted into the botnets that generate these attacks.
Malware and ransomware: These attacks are common across IT networks in all industries. However, the manufacturing industry remains a top target.
Cyber criminals use malware to cause economic or operational damage by corrupting or stealing information, overloading networks, or creating opportunities for further attacks.
Ransomware is a type of malware used by adversaries to deny access to data or systems through encryption, then demand payment for the key to restore the data or systems.
Supply chain attacks: Attackers commonly reach a manufacturer's network by first compromising a vendor that has a trusted connection into it but weaker security.
It is therefore important for organizations to assess the security practices of vendors before granting them access to the organization's systems.
Targeting Operations
Cyberattacks like those described above have become the predominant means of stealing intellectual property, which is often a manufacturer's most valuable asset.
In recent years, attackers have demonstrated an increasing level of sophistication in their technical and business acumen. It is a criminal enterprise after all. Specialization is one such criminal innovation.
Today, an ambitious attacker who lacks the skills to break into a manufacturer’s network can purchase access on the dark web from an “access broker.”
An access broker acquires access to organizations and sells this access to other adversaries, including ransomware operators. Access brokers are particularly skilled at avoiding detection.
Last year, dark web advertisements for access broker services increased by 112% compared to the prior year.
Advertisements for access to manufacturers’ networks ranked among the top five sectors for access broker advertising.
Sophisticated Strategies
In addition, the manufacturing sector ranked among the top five sectors targeted for interactive intrusion.
Interactive intrusions are defined as malicious activities in which an adversary actively interacts with a compromised host and executes actions on it by hand.
Unlike automated malware attacks that rely on the mass deployment of scripts and tools, interactive intrusions leverage the ingenuity and problem-solving skills of human adversaries.
Human adversaries are able to function in ways that mirror expected user and administrator activity, making them much harder to detect and defend against with software or AI-driven tools alone.
The key takeaway is the sophistication of the organization’s adversaries.
Cybercrime—at its highest level—operates like a business enterprise.
Unless a manufacturer implements an equally sophisticated mitigation strategy, leveraging the strengths of its entire business enterprise, the risk of catastrophic data and financial loss as the result of a cyberattack increases substantially.
Managing Cybersecurity Risk
Although it may not be possible to prevent being victimized by a cyberattack, there are several interventions manufacturing organizations can deploy to mitigate the likelihood and impact of an attack.
A comprehensive data and system backup strategy comes first: it is essential to restoring data held for ransom and may spare leaders the difficult decision of whether to pay, provided the backups are kept out of the attacker's reach (offline or otherwise immutable) and are tested regularly. Beyond that, manufacturers should consider the following mitigation strategies.
1. Perform a risk assessment. The foundation of an effective and robust cybersecurity program is identification of risk and evaluation of the organization’s cybersecurity practices and ability to recover from an attack.
It is important to understand the manufacturing environment and the assets that comprise it to design and implement mitigating controls.
Cybersecurity assessments can be self-conducted or facilitated by cybersecurity professionals. By conducting an assessment, an organization gains a better understanding of its cybersecurity position, where vulnerabilities exist, and what actions are required to address them.
This empowers manufacturers to prevent or mitigate the consequences of a cyberattack.
Further, it affords the organization the opportunity to develop a prioritized mitigation strategy and roadmap that can be shared with executive leadership and, where appropriate, the board to address risks that are commensurate with the organization’s resources and risk tolerance.
2. Review incident response and business continuity plans. Responding to a cyberattack can cause a tremendous amount of stress on an organization.
This is not the time for developing, fine-tuning, or deep thinking with respect to how your organization will contain the attack and restore operations.
Organizations that maintain a thorough and well-documented cyber-incident response plan and business continuity plan will be significantly better positioned to navigate the chaos and minimize the disruption.
This is an iterative process, and the importance of practicing through simulations or table-top exercises cannot be overstated.
It is important to walk through each plan to identify and resolve flaws and other problems beforehand. After each practice session, a debrief is recommended for sharing lessons learned and revising the plans accordingly.
3. Implement a framework. The adoption of a cybersecurity framework facilitates cybersecurity assessments and other cybersecurity measures.
The U.S. Cybersecurity and Infrastructure Security Agency recommends the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity because it provides a prioritized, repeatable, and cost-effective approach to managing cybersecurity risk.
The NIST framework applies across all organizations, regardless of size or cybersecurity sophistication.
It was developed by consolidating many existing standards, guidelines, and best practices across industries. In general, the NIST framework identifies five core functions designed to help mitigate cybersecurity risk.
- Identify: Manufacturers employ a variety of internal control systems to monitor, automate, and control critical physical processes in addition to a variety of IT systems and networks in their day-to-day operations. Identifying each asset and system, assessing its criticality, and prioritizing accordingly is the foundation of the framework.
- Protect: In this phase, protective cybersecurity measures are implemented to protect from various types of cyberattacks. The criticality determined in the identification phase will decide the level of security measures that should be implemented for each asset or system identified.
- Detect: Protective measures may not be enough to prevent or mitigate a cyberattack. Therefore, the ability to detect cyber intrusion activity, misuse, or negligence is critical to containing the activity and ensuring an appropriate response level. In this phase, detection technology and procedures are implemented to discover abnormal conditions with IT systems and networks using a strategy of continuous monitoring and detection.
- Respond: When an incident is detected, the organization takes appropriate action to contain it. Cybersecurity response activities may include executing a response plan and mitigating newly identified vulnerabilities.
- Recover: Recovery activities may include executing a recovery or business continuity plan, managing public relations, and communicating recovery activities to internal stakeholders and executive and management teams. Several important steps in the recovery phase include root cause analysis, collection of information and evidence, determining the impact of the incident, notifying impacted individuals and government agencies under applicable data breach notification laws, and recommending improvements to the systems and the incident response plan.
Depending on one's industries and customers, certain cybersecurity certifications, such as the Department of Defense's Cybersecurity Maturity Model Certification, may be required; many of these assume that a strong cybersecurity framework is already in place.
4. Create a cybersecurity culture. Begin building cybersecurity into all future project planning – designing and including security controls at the front end of projects.
Important controls to consider include use of secure network segmentation models, deployment of passive monitoring solutions (to provide visibility of networked assets and activity while minimizing the risk of disruption), secure remote access, control of removable media, improved management of privileged access, and executing consistent backup processes (especially for critical systems and configurations).
Every employee with access to a manufacturer’s network can—and should—play a role in protecting the organization from potential cyberattacks.
Manufacturers should provide regular training and education with respect to appropriate use of their network infrastructure, cybersecurity awareness, and best practices (now referred to as “cyber hygiene”).
Consider approaching cybersecurity like other significant corporate initiatives: be creative in developing postings and other educational collateral, playing games, awarding prizes, or providing other incentives to the staff who serve as your first line of defense.
Cybersecurity is everyone’s job, but they may not be aware of it yet.
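The "secure network segmentation model" named among the controls under item 4 is easiest to see as a policy check. The following is an added example, not code from CBIA or from any product the article mentions: it audits a constructed, hypothetical zone-based firewall policy (zone names, subnets, rule names and the jump-host address are all made up) against a common IT/OT segmentation intent: traffic from the IT zone may enter the OT zone only from a hardened remote-access (jump) host, on specific ports, and the OT zone has no direct Internet egress. Port 502 is Modbus/TCP and 3389 is RDP; both are real well-known ports, the addresses are not.

```python
"""Audit a zone-based firewall policy for IT/OT segmentation gaps.

Added example. The policy below is constructed for illustration; zone
names, CIDRs, rule names and the jump-host address are hypothetical.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src: str      # CIDR of permitted sources
    dst: str      # CIDR of permitted destinations
    dport: str    # "any" or a TCP/UDP port such as "502"
    action: str   # "allow" or "deny"


# The only sanctioned source for IT -> OT sessions (hypothetical address).
JUMP_HOSTS = {ip_network("10.10.50.5/32")}

# Weak policy, as it might look after years of ad hoc vendor requests.
# First match wins, so the final rule is the default.
WEAK_POLICY = [
    Rule("jump-to-plc-modbus", "IT", "OT", "10.10.50.5/32", "10.20.0.0/16", "502", "allow"),
    Rule("hmi-vendor-rdp", "IT", "OT", "10.10.0.0/16", "10.20.3.10/32", "3389", "allow"),
    Rule("historian-pull", "OT", "IT", "10.20.1.20/32", "10.10.40.10/32", "1433", "allow"),
    Rule("plc-ntp-internet", "OT", "INTERNET", "10.20.0.0/16", "0.0.0.0/0", "123", "allow"),
    Rule("deny-all", "any", "any", "0.0.0.0/0", "0.0.0.0/0", "any", "deny"),
]

# Corrected policy: RDP only from the jump host, OT talks to a DMZ instead
# of the Internet, explicit default deny retained.
HARDENED_POLICY = [
    Rule("jump-to-plc-modbus", "IT", "OT", "10.10.50.5/32", "10.20.0.0/16", "502", "allow"),
    Rule("jump-to-hmi-rdp", "IT", "OT", "10.10.50.5/32", "10.20.3.10/32", "3389", "allow"),
    Rule("historian-pull", "OT", "DMZ", "10.20.1.20/32", "10.10.40.10/32", "1433", "allow"),
    Rule("plc-ntp-dmz", "OT", "DMZ", "10.20.0.0/16", "10.10.40.11/32", "123", "allow"),
    Rule("deny-all", "any", "any", "0.0.0.0/0", "0.0.0.0/0", "any", "deny"),
]


def audit(policy, jump_hosts=JUMP_HOSTS):
    """Return (rule name, finding) pairs; an empty list means the policy
    matches the intended segmentation model."""
    findings = []
    # The last rule must be a catch-all deny, or unmatched traffic passes.
    if not policy or policy[-1].action != "deny" or policy[-1].src_zone != "any":
        findings.append(("<end>", "policy does not end in an explicit default deny"))
    for r in policy:
        if r.action != "allow":
            continue
        src = ip_network(r.src)
        if r.src_zone == "IT" and r.dst_zone == "OT":
            # Every IT -> OT permit must come from a jump host, never a whole subnet.
            if not any(src.subnet_of(j) for j in jump_hosts):
                findings.append((r.name, f"IT->OT allowed from {r.src}, which is not a jump host"))
            if r.dport == "any":
                findings.append((r.name, "IT->OT allowed on any port"))
        if r.src_zone == "OT" and r.dst_zone == "INTERNET":
            # Controllers should reach time, patch and update services via a DMZ relay.
            findings.append((r.name, "OT zone has direct Internet egress"))
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{label}: {audit(policy) or 'no findings'}")
```

Running the block reports two findings against the weak policy (the subnet-wide RDP rule and the OT-to-Internet NTP rule) and none against the hardened one. The same check is easy to extend with the other controls listed above, for example flagging any allow rule whose source is a vendor or remote-access range that is not forced through the jump host.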
This article first appeared on CBIA's website and is published here with permission.