Defence in-depth security for critical manufacturing

Dataquest recently organized a webinar on Standard-based Defence-in-Depth Security for Critical Manufacturing. The webinar is part of the magazine’s capacity building and information sharing initiative where we bring experts from the industry to talk about technology trends, latest developments and CIO challenges, as also “how to” training programmes and strategy sessions.

In the session we had four distinguished guests with lot of experience across enterprise IT, Operational Technology and Cybersecurity. They will take us through the steps and processes of DID or Defense in Depth approach to cybersecurity.

Subhendu Parth, Editor, Dataquest, addressed with a welcome note and the guests on the webinar. He said Defense in Depth approach can be thought of as a series of layered defensive mechanisms. It’s like a multi-layer security ring designed in a way that if the first mechanism fails, the second, and then the third layers get activated to thwart an attack. What this means is that we are building redundancies in our security layer to increases the security of a system as a whole and addresses many different attack vectors.

Whenever we have a discussion with CIOs, everybody says, we are concerned, but the existing security system is working fine. However, traditional security no longer works. There is a need for a different proactive approach to deal with a series of automated attacks.

The IoT is also being weaponized. They have launched the DDoS attacks. A recent statement before the Parliament of India, the Ministry of Electronics and IT informed that the Indian citizens, commercials, and legal entities, face almost more than seven lakh cyberattacks. This is the data till August 2020.

Experts also point out that the total number of DDOs attacks may double to around 14.5 million by 2022, a massive hike. We are also aware that during the peak of border skirmish during the June, hackers based in China attempted to penetrate the Indian infrastructure and banking sector infrastructure.

We are also aware about the use of AI and analytics by rouge companies, including some of the neighbouring countries, for profiling over 10,000 influential Indians, as part of the hybrid warfare. That aims to cripple the economy by hitting the businesses. All of this becomes more important, particularly for the critical infrastructure and manufacturing sectors.

While data and information security were always important, Covid-19 and WFH have unleashed a security nightmare.

Today's CIOs are on their toes, and they are ready to throw in more money. Can all these increases in investment on cybersecurity controls make modern enterprises really, really safe?

He also introduced the participants.

Anand Sengupta, Group CIO, Carrier Aircon Ltd, has been driving digital transformation and managing enterprises, enterprise wide infrastructure, and core competencies in implementation and managing a savvy ERP environment, and implementing global applications and projects.

Kamal Dhamija, Chief Security Officer, Apollo Tyres, is a technology evangelist and cybersecurity expert. He has a lot of experience in strategical technical business and project management.

Asif Iqbal, Senior Specialist, Specialist, OT Cybersecurity with Fortinet, is helping in solving cybersecurity challenges involving OT and critical infrastructure.

Robust policy framework

Anand Sengupta said that we have a very robust policy framework. We have a very robust framework, governance mechanism, multiple layers, securities, etc. With the Covid-19 and WFH coming into the picture in the first quarter, all hell broke loose. We were not prepared for this. We could scale up and strike a very delicate balance. We are providing a robust infrastructure to protect the company information and assets, and also to not hinder the productivity. That balance was always there, and we had to maintain that.

With WFH, there was lot of pressure on our organization. In the Malaysia entity, there was the MCO or the movement control order. We had to make sure that there are customers to serve an AC industry. The challenges were always there. Business is almost always running. We had to ensure people had access to the systems, from providing laptops to everybody, access to critical systems, CRM, etc. We made sure that everything is secure. We have a good governance mechanism. What helped that we could scale up pretty fast! My team, and the global security organization scaled up very fast. We did it successfully. Now, most of us are working from home. There are certain things in place. WFH culture is the new normal now.

He split his discussion into two parts -- pre- and post-Covid-19. In the pre-Covid-19 era, we realized that the weakest link in the chain was the individual. He could click on something that would open bay for a malware to come in. You would not be aware of what he or she is doing.

Like any other company, hackers were trying to break into the company, and the network. We do have a DiD in place, with multiple layers. Now, everything changed!  Things that were not there before, like, marketing and digital marketing events. We are in a better place now. It's a journey. As the hackers innovate, you have to do so yourself. It's a constant journey. We also have VR.

CISO perspective

From a CISO perspective, Kamal Dhamija, Apollo Tyres, brought a different perspective. Almost 70% of the people must be using, any kind of office-provided laptops, desktops, or mobiles. In the new normal, people are doing WFH. We have to educate each and every user in terms of dos and donts regarding the IT-provided laptops and desktops, and mobiles.

Just because of the fault of one user, we don't know what kind of trouble we can get for the whole organization. For example, if a single user has a password, and his laptop, and he has received certain kind of phishing e-mail. He might click on that web link, suspiciously, and his machine is going to be compromised. Now, that machine is going to be used as a hub by the hacker. He can perform any kind of vulnerability activity, or compromise assessment. He can do anything with the laptop.

What is the most critical component? We have to ensure that our users are aware about the latest dos and donts with respect to the IT security policies. If we people are sending a bulk e-mail to all the users, they might see that the mail is not useful. We have to change the mindset of every user.

Second, it should be the top-driven approach. If the seniors, such as the chairman, the CSOs, are sending an e-mail to the users, there is weightage to the mail. The top-down approach is the second most important activity in this.

Thirdly, we have to keep ourselves updated to the latest cyber threats, which are coming up in that market, and how they are behaving. What are their mitigation technologies that are arising in the market? The challenge is to create something offensive for any organization, and the whole world is working on that. To defend that, a very limited set of people are working for them.

We have to keep ourselves updated and see what all technologies are available in the market. To deploy those technologies, there are a lot of challenges in terms of getting budgets from the seniors to make them understand what this technology is, what kind of attack it is. Even after getting the budget, it takes time to deploy those technologies. We will not be able to defend using technologies that we have recently deployed. We have to make sure that we are going to defend our organization in the best possible manner.

Critical systems

Asif Iqbal touched more on the challenges that he sees as a solution provider, particularly when proposing a solution to customers. There are numerous challenges. Typically, the IT industry has matured over time. We have an answer for those challenges from the IT side. There are critical systems, as well. These are systems designed for 30 years lifespan and even 50 years lifespan. The safety and reliability of those system is the crucial aspect. When we deal with the customers coming from the ICS and OT verticals.

The first challenge is they cannot get a downtime to implement security solution. How do we installed the solution, or how do we position this solution? We need to understand critical aspects of the process in the manufacturing industry. It's the automation industry, or the energy, oil and gas, industries. Since they cannot get a downtime, how do we implement security controls? The moment we are going to implement security controls, the general perception from the engineering side is that it's going to disrupt the communication, and disrupt all the processes.

From the CIO perspective, they don't want to get any downtime, because they will be questionable if the security solution proves to be incompatible. Or, it can prove to be destructive for the operation. So, they will be asked questions like, why he did not do a value engineering exercise, or the POC in a backup system. The first critical aspect is downtime reliability or the safety aspect that comes in the mind when we deal with the ICS/OT customer.

The second aspect is, when you give a good example of defence in-depth, in the traditional era, the defence in-depth, was fine because those systems were owned by the king, or by the administrative body. Here, the system is divided, such as IT and OT. You bring a firewall. There is a discussion like who will operate and manage this system? Is it going to be IT team or the OT team?

Is it going to be the only firewall, or are there going to be more components like the management solution that is integrated? Who is going to manage all this portfolio? This is more of an integration challenge or management challenge. First, being the compatibility with the ICS environment, and second, being the integration aspect and management aspect from the security operations point of view. These are the two biggest concerns that we see as a solution provider.

Concerns with IT and OT

Parth asked what are the 2-3 key concerns that you have, with respect to IT and OT?

Kamal Dhamija, Apollo Tyres, said that IT and OT are re-assured and segregated. We have to take them very seriously. Because we have something, with respect to IT, what best can happen? The machine is not going to work. But, if something is going to impact the OT network, it is going to cost the lives of human beings.

For example, the machine might malfunction. If the program has been designed in such a manner that it is going to perform its purpose or in a negative manner, then it might cost the life of a human being. We have to take these things very seriously.  Being from the manufacturing industry, security, a top concern for us. We take everything very seriously. If we are going to enter into the plant, you won't be allowed to enter the plant without adhering to the safety issues.

The problem with the OT is that the coding, which people are using on PLCs, they are very old. It might be we have not been receiving any kind of updates on the latest purpose. The objective here from the plant guy is that, the machine is working perfectly fine. He is able to give the production, whatever is expected from them.

But, the mindset of cybersecurity needs to be there in that picture. If something goes wrong, as this machine is connected to the network, even though it is not connected with the Internet. If that machine is going to be accessed, it can create any disaster, which is not just going to impact the brand value of the organization. It will also create a sense of uncomfortable among the labels, as well. If the machine is not going to work perfectly fine, how are they going to work and feel comfortable, while working with those machines?

The problem is with the management, as well, in terms of branding and the problem with the labour, as well, while working with those machines. We were only focusing on IT earlier. For example, lot of companies, like one in Norway, like giving a very good focus. Apollo Tyres is also doing the best.

To begin with the OT journey, they need to have V-LANs among the plants. The V-LANs should be tight so that nobody should be able to access those devices, which are back in the V-LAN. In case of any kind of network breach, those machines should remain intact. It should not be a scenario that the machines can be compromised very easily, even though they are available on the Internet. They cannot be accessed via the Internet, and we need to keep those machines in isolation.

This needs to be reviewed every six months, because sometimes what happens to that machine is that, the codes or the routes on the V-LAN might be changed. On the sixth-monthly review, we can see the things that have changed. Accordingly, we can take an action against those routes or ports. That's another perspective I have for the OT.

Going forward, whenever we are purchasing a new machinery, we have to think about the vendor from whom we are purchasing those machines. We can receive timely patches with regards to those OT. Because it is not going to stop like this. There might be the scenarios that the machines are going to be connected to the Internet. The machines can be accessed from anywhere in the world. Those are the vendors who should be reliable.

We should not purchase machines from vendors about whom we are not sure that the vendor is going to be there in the near future. If we have a reliable vendor, we can make sure that the patches are going to be delivered to us on a timely manner. They have their strong IT infrastructure that works on developing them in a very good manner. It is not only about software. It is about the firmware as well by dealing with those.

CIO's changing role

Parth next asked Anand Sengupta to touch upon how are the organizations evolving? OT is also very specialized area. How is the CIO's role changing?

Anand Sengupta, Carrier Aircon, said that obviously, the CIO's role is evolving. In the normal scenario, for the OT to work in a manufacturing organization, and, we are not in the process manufacturing, but into discrete manufacturing. We have IoT connected devices in the environment.

Now, what usually happens is we are the first point of contact for the business. We work on a solution.  We also faced similar situations. We used to buy devices or equipment, and the vendor would not support us. We have had instances before, with a desktop laptop, patch deployment, firmware, upgrade, etc. As Dhamija mentioned, we could not contact the vendor. There were similar issues. Now, we have a process in place. Before we deploy the solution, we involve the security team. We have an internal approval process, from putting the OT in place before it actually goes. We have evolved by issues, by facing problems, etc.

The impact was controlled as the Internet-facing devices are very limited. The first barrier to the network is very robust. The issues were not that high and the vulnerabilities were managed within time. Yes, we have changed the approach to deploy the solution.

As for the CISO's involvement, Kamal Dhamija, Apollo Tyres, added that currently, if you're going to procure in any kind of a manufacturing machinery or components, you will first see how is the machine behaving right now, in terms of giving the production output. We have to ensure that security by design should be the principle for them as well. If security by design is not going to be followed by them, well, it is good to have it.

At the time of designing the IT component, at the time of designing the software for those machines, they have to think about what can be done or what could have been done, if those components have not been embedded from the day, the machine was built. Suppose, if the communication between the PLC and the machine is happening in the clear text, what could happen?

Hackers can read those communication very easily and can modify those parameters, while the machine is communicating with the PLCs. Those are the things that needs to be in that mindset at the time of developing those machines. So, the IT team and the manufacturing team need to work very closely, while designing such kinds of issues.

Fortinet perspective

Presenting the Fortinet perspective, Asif Iqbal, said this is one of the aspects we look at. We call it supply chain security. The solutions that you are acquiring from the market and the solutions that you want to deploy: do they have the built-in security?

That was the original perception when people started implementing security on the OT. They will remove security controls, saying that it is impeding the processes, and is counterproductive for the operations. But, that's not the case right now today. We have sophisticated attacks and all that. We are looking at embedding security in the automation systems itself, as a turnkey solution.

We have alliance partnerships with a lot of automation vendors. That is a necessity now, as a lot of customers, even big organizations, who are running discrete processes, are running more of automation industry, they want cyber secure solutions as part of the automation system deployment. Any ICS or OT solution, they want to deploy, regardless of the PLC or HMI or whole DCS-sustainable SCADA system, they want security as part of the whole project itself.

This is one of the challenges we deal with. We have alliance partners and are trying to embed security within the automation systems itself.

Digital transformation

Parth asked the panel what is the most affected area in the digital transformation?

Anand Sengupta said there is one component that is just primarily not traditional manufacturing, It's more of IoT, which is connecting devices remotely and managing them through your remote connection. That is a very critical area. We have to ensure that we have right security in place.

A PLC machine equipment lying within my factory premises within my secure networks, and manufacturing will continue to happen. We are not the industry where people can remotely operate machines. People have to be there to manage.

My area of concern is, when we deploy major equipment outside our office, to the customer premises. How can we remotely manage the equipment? Earlier, that used to be a value add. Now, it has suddenly become mandatory. We may not even be able to visit that site. We need to ensure that we have proper intelligence.

Future manufacturing landscape

Asif Iqbal, Fortinet, presented on the future manufacturing landscape. It's a plethora of many solutions, many technologies that's going to form the future of the manufacturing enterprise. This is what the future looks like in terms of smart manufacturing. It's a connected and security ecosystem.

Today, the manufacturing value chain is getting digitized. It is part of the design process itself and moving on to the digitization and value chain, in the manufacturing sector. There are various verticals within the manufacturing industry. It is a connected ecosystem, which has design, innovation, engineering, prototyping, up to the corporate systems, and retail area.

In terms of technology, there are IT and OT system. On the IT side, we have various aspects. Order inventory management and retail websites are providing the solutions to the end users. Whereas on the OT side, smart sensors, production assembly, etc., are there. It is a connected ecosystem where we have IT and OT operating in a seamless manner.

Regarding the smart manufacturing drivers and trends, the drivers for the smart manufacturing is the increased connectivity, AI, and flexible automation. Whether it is a critical manufacturing, where we have the manufacturing of vaccination, manufacturing of critical utensils, etc., or critical components. Or, it could be a manufacturing company just manufacturing toys. Typically, we call them as asset operators or asset owners. This also has benefits on the environment.

Within trends, there is autonomous manufacturing, connection of value chains, and to supply chains. There are also new, value-added services and business model innovations. Customers can have access to products that are tailored to their needs. The manufacturing and product delivery times will get shortened. Factories will be reshaped and workers' capabilities will be strengthened in a much safer environment,

Key areas for smart manufacturing include security, technology, data, governance, process, and organization. Fortinet security enables you to achieve digital success. There are various technologies to enable and drive Industry 4.0. These include data analytics, wireless, 3D printing, AI/ML, robotics and automation, digital design, simulation, and system integration, advanced computing/cloud computing, IoT (networks and sensors), AR/MR/VR, etc.

Security is critical to ensure technologies deliver as expected. Using innovative technologies improves customer proximity and knowledge, and access to higher-order levels of data, etc. It increases the agility to scale up, outperform, and outcompete larger industry heavyweights.

He presented the benefits of technology via two use cases. Predictive maintenance can reduce the overall maintenance costs by 30%. It all goes back to optimization. Another is digital twins. The potential of digital twins will reach €75 billion by 2025. This is based on a study conducted by Siemens.

There is an increasing cyber security risk for manufacturers. There is low cyber awareness, digitalization, IT/OT convergence, complex ecosystem, new partnerships, etc. Cyber security incidents for manufacturers have increased by 147% over the past three years. And, 62% of the respondents were unable to detect all of their OT assets.

There are numerous edges expanding the digital attack surface. The perimeter is everywhere! There are users and devices, the network, and the compute. This can lead to phishing, malware, internal threats, ransomware, DDoS, and device vulnerabilities. 25% of the cyberattacks were DDoS attacks. Phishing was the top cyber risk for small manufacturers in 2018. The WannaCry and NotPetya were wake-up calls. For the first time, major manufacturing companies reported cyberattacks. Advanced threats are continuing to adapt. Ransomware is used to target critical systems. There are critical consequences of a cyberattack. Numerous edges need to be secured and protected.

Summarizing the manufacturing industry key challenges, cyber threats take advantage of the poorly secured networks and interconnectedness. There are sophisticated threats, digital attack surface, ecosystem complexities, and compliances. There needs to be a holistic approach to cyber security. There is the need to combine people and processes with an integrated technology platform.

Fortinet provides standards-driven security implementation. We embed security within the design process and follow a platform-based approach. It includes solutions that are compliant with industry standards, so organizations can achieve compliance with the standards, as well as internal compliance framework requirement. Likewise, it is based on defence in-depth approach.

NIST CSF has divided that into identify, protect, detect, and respond and recover. The more granular approach is available right now from the MITER, ATT, and CK for ICS is a very specific framework. They are known for enterprise cybersecurity framework, now they have released ICS and OT a specific framework. We need to have layered defence. The Fortinet Security Fabric is broad, integrated, and automated.