IT/OT cybersecurity, part 1: Security challenges, trends and methods that don’t work

Cybersecurity is a bigger challenge than ever for information technology/operational technology (IT/OT) networks, and many companies aren’t using the right approaches to solve the problem.

By John Clemons, Tim Gellner and Vicky Bruce March 28, 2024
Courtesy: Rockwell Automation

 

Learning Objectives

  • Understand why cybercrime is a major problem for society at large and particularly for industrial and manufacturing companies.
  • Learn what cybersecurity methods don’t work and shouldn’t be used to fix the problem.

IT/OT cybersecurity insights

  • The rise of cybercrime, particularly targeting industrial and manufacturing companies, is fueled by outdated infrastructure, IoT vulnerabilities, and a lack of cybersecurity personnel, costing an estimated $10 trillion annually.
  • Traditional IT/OT cybersecurity measures, like firewalls and air gaps, prove ineffective against sophisticated cyber threats in complex control systems. A more holistic and systematic approach is imperative for defense.

The old adage is “crime doesn’t pay.” When that saying originated, no one had ever heard of cybercrime. The truth is, cybercrime pays – and often pays big. Cybercriminals are becoming the new bitcoin millionaires. Just watch the news: from phishing, hacking, scams and fraud to identity theft and ransomware, cybercrime is pervasive and lines the pockets of perpetrators.

The cybercrime trend is increasing across the board with no end in sight. Cybercrime software is so readily available and easy to use that anyone can download it and become a cybercriminal. They don’t have to be computer geniuses or even know how to write code. It seems that despite the time and money people spend on cybersecurity and the preventive actions they take, cybercriminals stay one step ahead.

Why cybercrime is targeting industrial and manufacturing companies

Industrial and manufacturing companies have become the prime targets for cybercriminals. One big ransomware payoff from a manufacturing company trumps any identity theft efforts and then some.

Many industrial and manufacturing companies are ripe for the picking. Legacy unpatched infrastructure, the use of the Internet of Things (IoT) and industrial Internet of Things (IIoT) platforms, insider threats and a lack of operational technology (OT) skilled resources create significant vulnerabilities for industrial and manufacturing companies.

Consider the legacy infrastructure many companies and facilities have. Most industrial and manufacturing companies have components so old and outdated they’re not getting security updates from Microsoft anymore.

It’s estimated that around 60% of all industrial and manufacturing companies worldwide have experienced some type of cyberattack in the past three years. Think about that. Everything these companies create for us, from coffee to the coffee cup, your toothpaste, car, computer and so much more, is a part of our everyday lives.

Also consider critical infrastructure, which provides water and energy to businesses and people’s homes. Because a lot of these companies and utilities aren’t prepared for a malicious cyberattack, it’s estimated cybercrime will cost around $10 trillion this year.

Every manufacturing and industrial company is vulnerable to a cyber attack and most aren’t prepared for what will happen if they are attacked.


Manufacturing and industrial cybersecurity vulnerabilities

The bottom line is every manufacturing and industrial company is vulnerable and most aren’t prepared. On top of the old and unpatched legacy infrastructure making industrial and manufacturing companies prime for a cyberattack, there are several additional factors that contribute to their vulnerability.

As companies grow, particularly global companies, they become increasingly complex. This makes them more vulnerable to cyberattack than smaller, more efficient and more easily streamlined companies. It’s quite common for industrial and manufacturing companies to grow by acquisition, particularly in recent years and in various parts of the world. This always results in a patchwork of different infrastructure solutions, ranging from very old to very new. Coupled with this are complexity, uncertainty, and doubt throughout their infrastructure. In fact, according to a survey by PwC, over 75% of executives think their infrastructure is too complex to manage effectively.

Cyberattacks are also becoming more sophisticated. Not only are malware, ransomware, and a variety of other cyberattack tools available for download, but ransomware as a service (RaaS) is now available on the internet. Threat actors can subscribe to a ransomware service as easily as we subscribe to our favorite streaming service. Once their subscription commences, they can log on and attempt a ransomware attack on whomever they please. In fact, it’s now estimated that about two-thirds of all ransomware attacks on industrial manufacturing companies are facilitated through RaaS.

Ransomware has gained a significant amount of traction. When cybercriminals attack industrial and manufacturing companies with ransomware, they don’t ask for thousands of dollars. They ask for millions, tens of millions and hundreds of millions. We’re not that far away from the first billion-dollar ransomware attack, and it may well come at the expense of an industrial manufacturing company.

As cyber threats become more common, more companies are investing in cybersecurity personnel. The problem is that the skills gap seems to be widening and there aren’t enough trained and skilled cybersecurity people. Most estimates suggest more than 30% of the job openings in cybersecurity will go unfilled this year due to a shortage of people with the right training and skills.

When talking about cybersecurity people who have information technology (IT) and OT experience and can navigate between the business world and the manufacturing world, the talent pool shrinks dramatically. There aren’t enough IT/OT cybersecurity people in the world to support the needs of the industrial manufacturing industry. This lack of resources increases the overall vulnerability of these companies and leaves them open for even more cyberattacks.

When we think about smart manufacturing, digital transformation, and Industry 4.0, we immediately think of all the cool technologies that are now available: the IIoT, artificial intelligence (AI), digital twins, digital threads, collaborative robots, advanced identification systems, augmented reality and virtual reality (AR/VR) and more. They are all great technologies, but they all open new avenues of attack for the more sophisticated cybercriminals.

There is much discussion and debate about how AI should be used in the world of industrial manufacturing, and how it specifically should be used in the IT/OT world.

Cybercriminals aren’t having this debate, though. They know how to use AI in the industrial manufacturing world. Cybercriminals harness AI to help themselves create bigger and better cyberattacks and extort even bigger ransomware payoffs from global industrial manufacturing companies.

Every manufacturing and industrial company is vulnerable. Most aren’t prepared for anything beyond the simplest of cyberattacks. If anything, they’re prepared to tackle the last cyberattack, not the next one.

IT/OT cybersecurity approaches that don’t work

We can see now why IT/OT cybersecurity is so important. The steps required to get out of this quagmire will be covered in part 2 of this series.

For now, it’s important to focus on the IT/OT cybersecurity approaches that don’t work, to provide a little more context when it comes time to focus on a more holistic approach to mitigating cyber risks.

For years, the most popular IT/OT cybersecurity solution was to install a firewall between the business network and the controls network and then stop there. It looks good on paper, and it helps – but it doesn’t really work.

Another popular approach was the air gap, which is a physical gap between the control network and the business network. The air gap is an attractive idea because digital information can’t cross a physical gap, so bad things will never get into the control systems.

However, that didn’t work either because the reality is that control systems both consume and produce a lot of data. People need to have access to the control systems and the data they produce. Consider these examples:

  • The engineering team sends some new logic that addresses a manufacturing change and helps reduce asset downtime.

  • An update for a possible vulnerability in PDF reader software is sent.

  • The research and development people send a new recipe that supports a new product and helps improve overall product quality.

  • The IT people send patches for the computer operating systems.

  • The IT people send updates to the anti-virus software and send new whitelists.

  • The equipment vendor must access the system remotely to help troubleshoot a possible mechanical problem.

  • Production data must be analyzed to provide insights into the process and products produced.

The bottom line is there are too many pathways into the control systems and into the controls network for the air gap or the firewall approach to work. There are too many ways in which something or someone can get to the control systems.

This air gap or firewall approach is a flawed defense. It is too simplistic and unrealistic. Modern control systems are too complex. They have too much data, and require too much data, for a simplistic approach to work even a little bit. There also are too many pathways from the outside world to the control systems. Focusing cybersecurity efforts on a few of the obvious pathways won’t work. A more systematic and holistic approach is needed.

John Clemons is a solutions consultant, LifecycleIQ Services; Tim Gellner is a system integration consultant; Vicky Bruce is global capability manager for network and cybersecurity services; all with Rockwell Automation. Edited by Chris Vavra, web content manager, CFE Media and Technology, cvavra@cfemedia.com.


Keywords: Cybersecurity, IT/OT

CONSIDER THIS

What is the biggest challenge you face when it comes to cybersecurity?


Author Bio: John Clemons (john.clemons@rockwellautomation.com) is a solutions consultant, LifecycleIQ Services at Rockwell Automation. He has been working in the field of manufacturing IT for more than 30 years. R. Tim Gellner (tim.gellner@rockwellautomation.com) is a Systems Integration Consultant in Rockwell Automation’s Global Professional Services group with more than 25 years of experience in discrete and continuous manufacturing processes, systems integration, manufacturing execution systems, and process improvement. Vicky Bruce (vmbruce@rockwellautomation.com) is global capability manager for Network and Cybersecurity Services at Rockwell Automation. In this role, she is responsible for the Cybersecurity, Network and Compute, and Infrastructure Managed Services portfolio.