As industrial control systems (ICS) converge with enterprise IT networks at increasing speed, many of these systems are left exposed to cyberattacks.
A challenge we often encounter with manufacturing organizations across industry verticals is the lack of a common vocabulary and shared goals. IT doesn't "speak" manufacturing and operational technology, and manufacturing often doesn't "speak" IT or security.
The risks of this misalignment are steep. Cyberattacks in manufacturing can disrupt operations of critical infrastructure, inconvenience customers, increase your operational costs, and introduce safety risks to your staff.
For example, consider a scenario we see far too often: a plant employee clicks on a phishing email crafted to mimic a reputable sender. The employee's workstation is compromised, and the attackers harvest credentials from it and use them to reach the plant's ICS network. From there, they move laterally through the network, installing malware, exploiting unpatched vulnerabilities, and finally wiping the control stations to halt the production line.
Attacks like these can be prevented, or at least contained, with some basic security controls. It's imperative for maintenance and operations teams to work with their IT counterparts to identify the greatest risks of this convergence and update their approach to security accordingly. When done effectively, security is manageable and helps plants remain reliable and productive.
A solid defense-in-depth strategy, with multiple independent layers so that the failure of one control does not expose the process, is a proven method for protecting these critical assets as they become more digitized. Below are some recommendations on how to get started.
Implement an IT/OT segmentation strategy
An IT/OT segmentation strategy separates ICS networks from enterprise networks so that an attacker who gains a foothold in the enterprise network cannot reach ICS devices directly. The model typically places an industrial demilitarized zone (IDMZ) between the two for management tools, security tools, and jump hosts, and establishes security zones in which devices are logically isolated and only the required communications are allowed.
A good initial strategy begins with segmenting by system or device type using the zones, conduits, boundaries, and security levels described in IEC 62443 (part 3-2 covers zone and conduit design). This limits the reach of any single device: it can communicate outside its own zone only over an explicitly defined conduit, so a compromised host in one zone cannot freely reach the others.
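To make the zone-and-conduit idea concrete, here is an added example (not code from the original article or from WWT) that maps addresses to zones, evaluates whether a single flow crosses a permitted conduit, and audits firewall rules for anything broader than the defined conduits. The zone names, address ranges, ports and conduit list are constructed for illustration; a real plant derives them from its asset inventory and its IEC 62443-3-2 partitioning exercise.

```python
"""Zone-and-conduit policy check modelled on the IEC 62443 concepts.

Added example; not code from the original article or from WWT. Zones,
address ranges, protocols and conduits below are constructed.
"""
import ipaddress
from typing import NamedTuple, Optional

# Constructed zones: name -> address ranges.
ZONES = {
    "enterprise":  ["10.0.0.0/8"],
    "idmz":        ["172.16.10.0/24"],   # jump hosts, patch/AV relays, historian replica
    "supervisory": ["192.168.10.0/24"],  # HMIs, historians, engineering workstations
    "control":     ["192.168.20.0/24"],  # PLCs, RTUs
}


class Conduit(NamedTuple):
    src: str       # zone that initiates the connection
    dst: str       # zone that accepts it
    dst_port: int
    proto: str


# Explicitly permitted conduits; everything else is denied. There is
# deliberately no enterprise -> supervisory or enterprise -> control conduit:
# enterprise users reach OT only through the IDMZ jump host.
CONDUITS = {
    Conduit("enterprise", "idmz", 443, "tcp"),        # browser to jump host portal
    Conduit("idmz", "supervisory", 3389, "tcp"),      # jump host RDP to engineering workstation
    Conduit("supervisory", "control", 502, "tcp"),    # HMI/SCADA polling Modbus/TCP
    Conduit("supervisory", "control", 44818, "tcp"),  # EtherNet/IP
    Conduit("supervisory", "idmz", 1433, "tcp"),      # historian push to IDMZ replica
}


def zone_of(ip: str) -> Optional[str]:
    """Return the zone containing ip, or None if it is outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, ranges in ZONES.items():
        if any(addr in ipaddress.ip_network(r) for r in ranges):
            return name
    return None


def evaluate_flow(src_ip: str, dst_ip: str, dst_port: int, proto: str = "tcp"):
    """Return (allowed, reason) for one connection attempt. Conduits are
    directional: a PLC initiating a connection to an HMI is not the same
    conduit as the HMI polling the PLC."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False, f"unknown zone for {src_ip if src is None else dst_ip}"
    if src == dst:
        return True, f"intra-zone traffic in {src}"
    if Conduit(src, dst, dst_port, proto) in CONDUITS:
        return True, f"permitted conduit {src} -> {dst} {proto}/{dst_port}"
    return False, f"no conduit {src} -> {dst} {proto}/{dst_port}"


def audit_rules(rules):
    """Flag firewall rules that are broader than any defined conduit.

    rules: iterable of (src_cidr, dst_cidr, dst_port or "any", proto).
    Returns a list of (src_cidr, dst_cidr, port, finding) tuples.
    """
    findings = []
    for src_cidr, dst_cidr, port, proto in rules:
        src_z = zone_of(str(ipaddress.ip_network(src_cidr).network_address))
        dst_z = zone_of(str(ipaddress.ip_network(dst_cidr).network_address))
        if src_z is None or dst_z is None:
            findings.append((src_cidr, dst_cidr, port, "rule not scoped to a defined zone"))
        elif src_z != dst_z and port == "any":
            findings.append((src_cidr, dst_cidr, port, f"any-port rule across {src_z} -> {dst_z}"))
        elif src_z != dst_z and Conduit(src_z, dst_z, port, proto) not in CONDUITS:
            findings.append((src_cidr, dst_cidr, port, f"cross-zone rule with no conduit {src_z} -> {dst_z}"))
    return findings


if __name__ == "__main__":
    for flow in [("10.1.2.3", "192.168.20.5", 502),      # enterprise straight to a PLC: denied
                 ("10.1.2.3", "172.16.10.10", 443),      # enterprise to jump host: allowed
                 ("192.168.10.5", "192.168.20.5", 502),  # HMI polling PLC: allowed
                 ("192.168.20.5", "192.168.10.5", 502)]: # PLC initiating to HMI: denied
        print(flow, evaluate_flow(*flow))
    print(audit_rules([("10.0.0.0/8", "192.168.20.0/24", "any", "tcp"),
                       ("0.0.0.0/0", "192.168.10.0/24", 3389, "tcp")]))
```

The audit is the part worth keeping around: legacy flat networks tend to accumulate "any/any" rules between what should be separate zones, and listing the rules that do not correspond to a named conduit is a quick way to find them before a micro-segmentation project starts.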
For example, World Wide Technology worked with a large manufacturer to rethink its legacy flat network that housed more than 2,500 applications. These applications handle sensitive customer data, intellectual property, and production processes.
We started by analyzing and grouping applications by the type of data they used, how they were accessed and how they related to critical business operations. Then, we used these groups to develop a risk scoring system that served as the basis for selecting a micro-segmentation solution.
Implement network access control
Take segmentation a step further by using network access control (NAC), which requires a device to be authenticated and to meet certain requirements (e.g., up-to-date patches and current antivirus signatures) before it is admitted to the ICS network. Many embedded ICS devices cannot run a NAC agent, so they are typically identified by profiling and placed in a tightly restricted role rather than exempted from the policy.
Use multi-factor authentication
While most ICS devices cannot support multi-factor authentication (MFA) natively, it is still a viable control at the boundary. A jump host that requires MFA can be made the only permitted path from a lower-security network into a higher one, with direct connections across that boundary denied, so that stolen credentials alone are not enough to reach the control network.
Automate asset discovery
Automated asset discovery in the ICS environment makes it possible to inventory, baseline, map, and continuously monitor ICS networks to detect changes. It also provides a way to track outstanding security patches and firmware updates, giving the system administrator a high level of awareness of the state of the systems. Discovery should be passive wherever possible (listening on a SPAN port or network tap), because active scanning can destabilize fragile controllers that do not handle unexpected traffic gracefully.
Use antivirus software
Antivirus (AV) software can be used on systems like supervisory computers or human-machine interfaces (HMI) that run standard operating systems (e.g., Windows). AV software typically works by comparing files to known malware signatures and/or applying heuristics (behavioral analysis) to identify code that resembles malware; flagged files are quarantined or removed. Deploy it in the configuration the HMI or SCADA vendor supports, with exclusions for real-time process files, and plan how signature updates will reach hosts that have no direct internet access.
Safe list approved applications
Safe listing (application allowlisting) permits only a predetermined set of applications to run and blocks everything else, closing off the most common way malware gains a foothold on a host. It is a good fit for ICS hosts, whose installed software changes rarely and through controlled channels.
Find potential security breaches using network monitoring, intrusion detection, and threat intelligence
Network monitoring provides anomaly detection and alerts system administrators and operators so they can take remediating action. It can also be configured to filter malicious or unauthorized traffic automatically, though in ICS environments blocking is usually introduced cautiously, since a false positive can interrupt the process. Threat intelligence services provide threat signatures, indicators of compromise, and newly disclosed vulnerabilities to aid in detecting and responding to anomalies and threats.
Create a change management program
A good change management program ensures all changes are properly submitted, tracked, and approved, and lets detected ICS network anomalies be correlated with approved change windows so that expected changes can be told apart from unexplained ones.
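The asset discovery, network monitoring and change management recommendations above fit together in one workflow: baseline what talks to what, flag anything new, then check each finding against the approved change calendar. The following added example (not code from the original article or from WWT) does exactly that over constructed flow records. The addresses, timestamps and the change ticket are all made up for illustration; a real deployment would feed records from a passive SPAN or tap-based monitor and pull change windows from the ticketing system.

```python
"""Passive asset baseline, change detection and change-ticket correlation.

Added example; not code from the original article or from WWT. All flow
records, hosts and change tickets below are constructed.
"""
from datetime import datetime

# Constructed flow records, one per line: timestamp src dst proto dst_port.
BASELINE_LOG = """\
2022-08-01T08:00:00Z 192.168.10.5 192.168.20.11 tcp 502
2022-08-01T08:00:05Z 192.168.10.5 192.168.20.12 tcp 502
2022-08-01T08:01:00Z 192.168.10.6 192.168.20.11 tcp 44818
2022-08-02T08:00:00Z 192.168.10.5 192.168.20.11 tcp 502
"""

NEW_LOG = """\
2022-08-10T09:00:00Z 192.168.10.5 192.168.20.11 tcp 502
2022-08-10T09:02:00Z 192.168.10.77 192.168.20.11 tcp 502
2022-08-10T09:03:00Z 192.168.10.5 192.168.20.11 tcp 3389
2022-08-10T14:30:00Z 192.168.10.6 192.168.20.12 tcp 44818
"""

# Constructed approved change tickets: (start, end, ticket, hosts in scope).
CHANGE_WINDOWS = [
    ("2022-08-10T14:00:00Z", "2022-08-10T16:00:00Z", "CHG-0421",
     {"192.168.10.6", "192.168.20.12"}),
]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse(log: str):
    """Yield (timestamp, src, dst, proto, dst_port) for each non-empty line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, port = line.split()
        yield _ts(ts), src, dst, proto, int(port)


def build_baseline(log: str):
    """Return (known_assets, known_conversations) learned passively."""
    assets, conversations = set(), set()
    for _, src, dst, proto, port in parse(log):
        assets.update((src, dst))
        conversations.add((src, dst, proto, port))
    return assets, conversations


def approved_change(ts: datetime, hosts: set):
    """Return the ticket covering ts for any of hosts, or None."""
    for start, end, ticket, scope in CHANGE_WINDOWS:
        if _ts(start) <= ts <= _ts(end) and hosts & scope:
            return ticket
    return None


def detect_changes(baseline, log: str):
    """Return findings as (kind, detail, ticket). ticket is None when the
    event falls outside every approved change window, which is the case
    that deserves an analyst's attention."""
    assets, conversations = baseline
    findings, reported_assets = [], set()
    for ts, src, dst, proto, port in parse(log):
        new_hosts = {h for h in (src, dst) if h not in assets}
        for host in sorted(new_hosts - reported_assets):
            findings.append(("new_asset", host, approved_change(ts, {host})))
        reported_assets |= new_hosts
        conv = (src, dst, proto, port)
        # A conversation involving a brand-new host is already covered by
        # the new_asset finding; only report new pairings of known hosts.
        if conv not in conversations and not new_hosts:
            findings.append(("new_conversation", conv, approved_change(ts, {src, dst})))
    return findings


if __name__ == "__main__":
    for kind, detail, ticket in detect_changes(build_baseline(BASELINE_LOG), NEW_LOG):
        status = f"expected ({ticket})" if ticket else "UNEXPECTED"
        print(f"{kind:17} {status:20} {detail}")
```

Run against the constructed data, the unknown host 192.168.10.77 and the new RDP conversation to a PLC both come out as unexpected, while the new EtherNet/IP pairing during the CHG-0421 window is marked expected. Correlating on both time and the hosts named in the ticket matters: a change window alone would excuse any anomaly that happened to land in the same two hours.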
Tips for working with your IT team
Addressing cyber threats is essential to maintaining plant operations and revenue, as well as ensuring the safety of plant workers. This requires alignment from executives, business leaders, IT, and plant operations – teams that typically do not work together and have diverse backgrounds, experiences, expertise, and priorities.
When you need to solve an ICS problem, do you know who to contact on your IT team?
We often see engineering and operations teams bypassing their IT counterparts and purchasing and installing technology solutions without proper vetting from security and IT. This “shadow IT” approach can introduce risks that impact the safety and efficiency of plant operations.
To avoid this common pitfall, take control of the conversation. IT security team members are allies who can help plant managers identify risk and safely integrate technology to ensure the safety, availability, integrity, and reliability of plant operations. Here are some places to start:
- Identify key stakeholders. Ensure all relevant teams are included across IT, OT, and engineering.
- Have a clear understanding of business line requirements and consider critical system dependencies. These dependencies are often not well understood or discovered early in the process.
- Ensure frequent and clear communication between IT, OT, and engineering. Engineering input is key for success. Early buy-in from all areas makes for easier, more efficient engagement.
- Prioritize risk reduction and availability of critical processes.
- Strategize your approach to security. Not all controls can be deployed at once. Your planning should include tactical actions and milestones as well as long-term strategy. WWT recommends performing an assessment to determine effort prioritization. Organizations often have a framework that can be leveraged to accelerate control implementation.
- Think safety. Both physical and cyber safety must be the primary goal in any engagement in operational environments.
This story originally appeared in the August 2022 issue of Plant Services.
This article is part of our monthly Tactics and Practices column.