The rise of digital technologies brings a new level of cyber complexity to factories. The Fourth Industrial Revolution heralds an era of tremendous potential for innovation and growth. It also brings new risks and challenges. And this might be most evident in today’s manufacturing cyber landscape. Speaking at the Dataquest-Fortinet webinar OT Cybersecurity Best Practices in Manufacturing Industry Aasef Iqbal, Solution Architect, OT Cybersecurity, EMEA, Fortinet said that OT security solutions include a wide range of security technologies – from next-generation firewalls (NGFWs) to security information, event management (SIEM) systems, and identity access and management.
There have been several OT attacks on the infrastructure over the past decade. Iqbal spoke about two attacks, specifically. The first was on SolarWinds Orion, which faced a ransomware attack on Honda, Fresenius, at the end of 2020. There was also an attempted poisoning of the Tampa Water Supply in Florida, USA.
“There are major security concerns, especially for remote access. This is applicable for any ICS/OT infrastructure, which includes HMI, PLC/RTU, sensors, and CCTV, etc. In the current situation, where we have COVID-19 lockdown, a lot of engineers are working remotely.”
“The hacker accessed the facility and tried to add some chemicals via the HMI. There could have been poisoning of water and damage to the community. For the remote engineer, there is the remote desktop, as well as monitoring and diagnostics (M&D). The malicious actor can access those and cause potential damage to the systems and the environment. However, there are several ways to protect oneself,” he said.
The second case was a little more complex. The attacker probably compromised the software distribution library using malicious code, making use of supply chain vulnerability.
The legitimate code was mixed with the malicious code. An engineer downloaded the compromised software distribution library, and that led to the attack. The attacker exploits the service provider/software vendor and manipulates the legitimate code. The digital certificates and trust are exploited and impersonate their legitimate code. It gave the attacker full access to the resources.
There has been an expanding digital attack surface. The perimeter is everywhere. There are various devices and users in the network, across the campus, branch, customers, etc. The access points will continue to grow. The industry outlook is of zero trust access. We need zero trust access across the network. There is knowing and controlling everyone and everything on and off the network. This ensures a consistent security policy across the on-network and off-network assets.
There is a need to deploy defense-in-depth cybersecurity. This is also known as deep or elastic defense. The multi-layered security approach is also known as the castle approach, layered security, layered defense, etc. It is similar to how microprocessors and OSs utilise protection rings architecture. This is very common in the IT and information security domains. We can have multiple systems having multiple security layers.
How do we apply defense-in-depth planning in ICS/OT? We first need to identify the threats and vulnerabilities. We need to secure the ICS operations, personnel, and technology, with physical controls, perimeter defenses and monitoring, internal defenses, policies/procedures, training, have situational awareness and supply chain security. We can have proactive security as an iterative process.
We need to have vulnerability management, leading to incident response, and lessons learned. There are security controls, asset identification, and management, threat and risk assessment, and training and awareness involved.
There are five key security countermeasures that make defense-in-depth doable for industrial control systems (ICS) and operational technology (OT), as the US Department of Homeland Security (US-DHS). These are:
- Identify, minimise and secure all network connections to the ICS/OT.
- Harden the ICS and supporting systems by disabling the unnecessary services, ports, and protocols, enable available security features and implement robust configuration management practices.
- Continually monitor and assess the security of the ICS/OT, networks, and interconnections.
- Implement a risk-based defense-in-depth approach to securing the ICS/OT systems and networks.
- Manage the human — clearly identify requirements for ICS/OT, establish the expectations for performance, hold individuals accountable for their performance, establish policies, and provide ICS/OT security training for all the operators and administrators.
We need to combine the people and process with an integrated technology platform. The people’s point of view should cover the security governance, security awareness, and security culture. The process should cover the risk assessment, security architecture, and compliance audits. Technology should cover visibility, control, and actionable intelligence.
At the CISO level, we need to manage the risk. At the engineering level, we need to automate the operations. The challenge lies in the complexity, cost, and slow response. As per a study by Ponemon Institute, organisations typically deploy on an average of almost 47 separate security solutions and technologies. This may also lead to multiple point products, too many alerts, slow response, and trained staff shortage. About 75% of the organisations state that their security teams struggle to respond to the security incidents within 24 hours.
Fortinet offers a broad, integrated and automated platform. The Fortinet security fabric provides a broad image of the entire digital attack surface to better manage risk. The integrated solution reduces management complexity and shares threat intelligence. The automated self-healing networks come with AI-driven security for fast and efficient operations.
In summary, it is wise to follow a risk-based approach so that defense-in-depth is doable for ICS and OT. Balance your cybersecurity investments, across the people, process, and technology. Cybersecurity automation is key. There is a need to adopt an integrated and automated cybersecurity platform.
This was followed by a panel discussion that was joined by Ranganathan Iyer, Group CIO, and EVT-IT, JBM Group, and Srikanth Subbu, CISO, TVS Motor Co, besides Iqbal.
First, there are a lot of operational risks due to the convergence of IT and OT. What is the CIO’s take on these? Iyer said that OT security issues are there. Manufacturers have not been exposed to the outside world so far. Due to pandemics, the physical availability of a person has been eliminated.
Now, we are vulnerable, and it has created some fear. We were doing machine management for a limited level. Intelligence has been helping us, which are pandemic related and security related. We have certain areas where security has also increased. The mindset change has happened. We have understood we have to do remote machine maintenance, and monitoring, going forward.
Srikanth added that there are some challenges. “We have to see the environment. The IT area is protected. The OT area is gearing up. The OT areas typically have some old systems. Recently, some IoT-related systems have come in. We need to look at their vulnerabilities,” he said.
Iqbal noted that connectivity has increased. There are interconnected global plants. There are also several critical infrastructures, as well. Hackers are looking to exploit such plants. The hacker may attack a toy manufacturer so that it damages that company. We need to ensure that the security controls are in place. We also need to educate the people regarding the vulnerabilities.
Regarding an awareness structure in place, Iyer said having the right mindset is very important. We have various facilities for security. We have insurance for all the machines. We are trying to get funds for security. We are working on protecting our data.
We are working with many OEMs, and some NDAs are already in place. We also need to have the history of activity. Data is also moving to the cloud. For the visibility of the whole process for management consumption, we bring that to the cloud, as well. We are focusing more on, who is doing what, how is the data being handled, and how it is being managed. Bringing on the latest security, along with the existing security will be done in a phased manner. We are still vulnerable, despite all of this.
Srikanth said the IT/OT architecture is important. We need to have proper architecture in place. We need to be aware of the technologies involved, and proper insight into the industries. We need to prepare proper governance and control, also for the OT side.
Iqbal added that there needs to be balanced. You need to have adequate security in place. From an IT point of view, there are mature, top-down approaches. In manufacturing, there are many concerns, including data classification. You need to optimise the cost. You need to assess your environment, develop your framework, and implement, as per the maturity of the organisation, and maintain and secure your environment.
As for the importance of tracking and reporting on compliance to security standards, Iyer said, we are not yet like the OEMs. We are on the exploration side. With respect to OT, we need to do a risk assessment. We are creating a framework. Multiple CIOs are also involved. We are now finding the right balance. We will be deploying security in a phased manner in the future. Risk assessment has been helping us, and we are also learning from the internal and external discussions.
Coming to the security best practices that manufacturers can adhere to, Srikanth said that we need to identify the key areas and provide security. We need to build a strong security culture across the organisation. Vendor risk assessment also needs to be done on the OT area. There should be continuous threat detection and vulnerability management, as well, for IT and OT.
Iyer added that they are concentrating on OT. Awareness is required, along with risk assessment. Educating the manufacturing workforce around security is also needed. People are more bothered about production. They need to be aware more of what is being said to them. There should also be some improvements in the third-party ecosystem. Acting at the right time and getting the right inputs are also very important.
Iqbal noted that there are value additions. We need to implement security on the controls. We need to follow hygiene. We can also disable systems that are not operational or needed at any given point in time. If there is a greenfield deployment, there is a need to look at automated solutions. Look for a solution where security is embedded within the platform. There is also a need to have some detection technology that can provide you with actionable intelligence. We need to have centralised visibility with zero trusts.
“There is a need to deploy defense-in-depth cybersecurity. This is also known as deep or elastic defense.” — Aasef Iqbal, Solution Architect, OT Cybersecurity, EMEA, Fortinet
“Manufacturers have not been exposed to the outside world so far. Due to pandemic, the physical availability of a person has been eliminated.” — Ranganathan Iyer, Group CIO, and EVT-IT, JBM Group
“The IT and OT architecture is important. We need to be aware of technologies involved, and proper insight of the industries.” — Srikanth Subbu, CISO, TVS Motor
By Aanchal Ghatak