The convergence of IT and OT has long been a problem for cybersecurity teams as they grapple with growing interconnected networks that link to critical operations in manufacturing plants and other industrial environments. The arrival of COVID-19 last year has hastened the IT/OT convergence while heightening digital threats and putting manufacturers at greater security risk than ever before.
The pandemic brought a perfect storm of technology pressures that has pushed industrial firms to embrace digital transformation and IT/OT convergence faster than they would normally and without as much security preparation and controls as necessary. A recent survey of manufacturing decision makers conducted by The Manufacturer and sponsored by IBM found that 67 percent said their adoption of digital technologies has accelerated as a result of the pandemic. This included cloud-based and other remote work technologies, as well as Industrial Internet of Things (IIoT).
Remote Work and Automation Risks
When the pandemic hit, thousands of employees in manufacturing plants were sent home to connect remotely to company networks and even OT networks. Employees who use organization-owned devices in insecure home networks create an expanded attack surface for bad actors to target. And when employees finally return to work, they risk introducing threats into otherwise secure environments.
There are also risks that come with moving to automation systems set up to replace plant workers who shifted to remote work because of COVID-19. These systems are at risk of remote attacks because, unlike traditional IT, OT is notoriously difficult to patch. So, while many facilities have added automation to their environments, most systems have likely not been updated over the last six to twelve months while teams worked remotely.
Industrial facilities with systems that were shut down because of COVID-19 aren’t free from security risks even though they are quiet. OT environments that were left idle during the pandemic may be unmonitored and hiding threats. As employees return to work and the systems are brought back online, security teams could be overwhelmed by an influx of data, leading to overlooked vulnerabilities that snuck in during the shut down. The inevitable adjustment in workflow as employees return to plants can lead to mishaps that open the door for attackers.
Attackers exploited the chaos during the pandemic. While there aren’t good public figures for cyberattacks on OT systems, there are a few that have recently emerged. The most significant to date is SolarWinds, which put critical infrastructure and other OT networks at risk because of backdoors that were hidden in a software update of the company’s Orion network management software.
In February, there was a cyberattack on a Florida water system that allowed a bad actor to briefly increase the levels of sodium hydroxide. While it fortunately was detected and thwarted before more harm could be done, this is precisely the kind of attack security experts have warned about for years. Reports of cyberattacks on vaccine makers, including Pfizer, also made headlines this year. The pandemic was a big motivator for attackers in general -- a Forrester study sponsored by Tenable found that 41 percent of decision makers reported that their companies had experienced at least one business-impacting cyberattack related to COVID-19 as of April 2020.
Among the threats facing OT systems during the pandemic have been recent vulnerabilities that attackers can exploit. For instance, the Ripple20 vulnerabilities that were discovered in a TCP/IP software library that exists in IoT devices, such as those found in industrial control applications in manufacturing, power grids and elsewhere. Vulnerabilities in manufacturing and other OT environments can allow attackers to remotely command OT devices to perform unauthorized actions and even disrupt production lines. This can lead to downtime, lost revenue, damage to reputation and brand, and lost sales and customers.
To help avoid these problems, manufacturers can ensure security and uptime for distributed and complex industrial environments with some best practices. I recommend the following:
- Train employees on security. Untrained employees are a weakness in any environment, but particularly those connected to OT systems. They should be trained on common attack vectors, such as phishing attacks, suspicious links and attachments and unknown files and devices. All of those can lead to malware and then remote code execution and attackers moving laterally and hopping into more sensitive OT systems.
- Enable IT/OT infrastructure oversight. Security teams need to have a bird’s-eye view across IT and OT networks, as well as more granular insights into serial numbers, operating systems and firmware to really see where the vulnerabilities and threats are. This will enable teams to have full visibility into anomalies and changes to assets and devices.
- Create an audit trail. Configuration-control capabilities can capture snapshots of changes in critical OT devices including Programmable Logic Controllers (PLCs) and Remote Terminal Units (RTUs) so security teams are able to follow the breadcrumbs of users on the network, see what actions were taken and be alerted to any resulting OT interruptions.
- Conduct active and passive monitoring. Teams need both active and passive monitoring to eliminate potential blind spots. Active monitoring queries devices to ensure they are working properly and takes dormant devices into account, while passive monitoring provides insight into network traffic.
The arrival of COVID-19 led many organizations to understand that they must have a proper structure and logging in place to ensure security for their systems — particularly newly-converged IT and OT infrastructures. Security teams need access to the black box that sits in the manufacturing environment and is constantly listening to devices on the network. That way they can see the status of all the devices on the networks, where the vulnerabilities are and what systems should be prioritized.