Industry 4.0 is introducing connectivity to previously isolated networks. This means that Operational Technology (OT) networks are now connected to the resource planning system.
As a result, the OT network is exposed to cyber attacks that can shut down OT operations. In fact, according to our latest Global Threat Intelligence Report (GTIR), the last few years have illustrated how cyber attacks can have a profound impact on critical infrastructure.
When a security breach occurs, the affected organization normally suffers significant downtime. Recently, for example, a global manufacturer in North America suffered one week of downtime caused by a security breach through remote access. We estimated that the event cost the company one quarter of its financial target.
Sadly, this story is echoed repeatedly, and it is very common to hear of security breaches caused by malicious remote access, including remote access by trusted third-party contractors or even internal users. Securing remote access is usually difficult because of static passwords or shared credentials.
We are also seeing malware infections spread from IT into the OT network. The digital transformation of the OT network will continue to connect OT to IT, and we expect IT-to-OT infections to get worse.
There are also challenges around security remediation. Companies find themselves very restricted when installing patches. The main reason is usually that a patch has not been certified for the SCADA system, which leaves organizations with two choices: accept the risk of a possible breach, or spend millions to upgrade to a newer SCADA system.
As a trusted advisor to organizations securing their OT networks, we recommend security teams ask themselves these five questions when embarking on the Industry 4.0 journey:
1. What is the current OT network security posture? (The CURRENT situation)
This question focuses on understanding the current situation. It is a foundational question because it gives you an understanding of the current challenges, how secure you need to be, and how to get there.
Assessing the security posture typically means inventorying all OT assets, including:
- Physical characteristics (make, model, function)
- Security characteristics (vulnerability, risks)
- Network communication (remote access, internet connection, Purdue network modeling)
2. What is the cost if the OT system unexpectedly shuts down for 12 hours? (The IMPACT)
This question focuses on business impact and helps to identify a common goal between IT and OT teams.
This question can also help to identify relevant stakeholders and financial funding.
It is helpful to keep in mind that securing for Industry 4.0 is about making sure processes and systems are highly available, and that the data collected is accurate. Therefore, the cybersecurity strategy should focus on making sure the process continues to operate flawlessly.
3. How early will you know if the OT network is compromised? (The DETECT strategy)
This question focuses on detecting and preventing compromise of the OT network.
Today, almost all OT systems do not have any form of cybersecurity threat detection. The only way a cybersecurity breach is known is when a system stops.
New developments in OT cybersecurity allow threats to be detected at all stages of a cybersecurity attack. For example:
- Predict a possible attack using threat intelligence
- Analyze risk exposure based on information from routers, remote access systems, and firewalls
- Detect an attacker gathering information for a future attack
- Hunt for the silent attacker that is already in your network, but not doing any harm
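As an added illustration of the third point above (detecting an attacker gathering information), here is a small detector that reads firewall log lines and flags any host that touches many distinct OT devices on industrial-protocol ports within a short window. This is example code written for this article, not the authors' tooling; the log line format, the port-to-protocol table, the thresholds and the sample log lines are all assumptions constructed for the example.

```python
"""Flag hosts that sweep many OT devices on industrial-protocol ports.

Added illustration for the DETECT strategy (spotting an attacker gathering
information); not code from the article. The log line format, the
port-to-protocol table and the thresholds are assumptions made for this
example, and the log lines below are constructed sample data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log sample: an HMI polling its PLC, an engineering
# workstation touching two PLCs, and one host from an IT subnet touching six
# different OT devices within a few seconds (blocked or not).
SAMPLE_LOG = """\
2024-03-01T08:00:01 ALLOW src=10.20.1.5 dst=10.20.1.10 dport=502 proto=tcp
2024-03-01T08:00:11 ALLOW src=10.20.1.5 dst=10.20.1.10 dport=502 proto=tcp
2024-03-01T08:00:21 ALLOW src=10.20.1.5 dst=10.20.1.10 dport=502 proto=tcp
2024-03-01T08:00:31 ALLOW src=10.20.1.5 dst=10.20.1.10 dport=502 proto=tcp
2024-03-01T08:00:41 ALLOW src=10.20.1.5 dst=10.20.1.10 dport=502 proto=tcp
2024-03-01T08:01:02 ALLOW src=10.50.1.23 dst=10.20.1.10 dport=502 proto=tcp
2024-03-01T08:01:03 DENY src=10.50.1.23 dst=10.20.1.11 dport=502 proto=tcp
2024-03-01T08:01:04 DENY src=10.50.1.23 dst=10.20.1.12 dport=502 proto=tcp
2024-03-01T08:01:05 ALLOW src=10.50.1.23 dst=10.20.1.13 dport=44818 proto=tcp
2024-03-01T08:01:06 DENY src=10.50.1.23 dst=10.20.1.14 dport=502 proto=tcp
2024-03-01T08:01:07 DENY src=10.50.1.23 dst=10.20.1.15 dport=102 proto=tcp
2024-03-01T08:05:00 ALLOW src=10.20.1.7 dst=10.20.1.10 dport=502 proto=tcp
2024-03-01T08:05:30 ALLOW src=10.20.1.7 dst=10.20.1.11 dport=502 proto=tcp
2024-03-01T08:30:00 ALLOW src=10.50.1.23 dst=10.60.0.9 dport=443 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Ports of common industrial protocols (assumed list for this example).
OT_PORTS = {502: "Modbus/TCP", 102: "S7comm", 20000: "DNP3",
            44818: "EtherNet/IP", 4840: "OPC UA"}


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dport"] = int(ev["dport"])
    return ev


def find_sweeps(log_text, window=timedelta(minutes=5), min_targets=5):
    """Return {src: finding} for every source that reached at least
    `min_targets` distinct OT devices on industrial ports inside some sliding
    window of length `window`. Denied connections count as well: a blocked
    probe is still reconnaissance worth knowing about."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["dport"] in OT_PORTS:
            per_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in per_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            targets = {e["dst"] for e in span}
            best = findings.get(src, {}).get("targets", 0)
            if len(targets) >= min_targets and len(targets) > best:
                findings[src] = {
                    "targets": len(targets),
                    "protocols": sorted({OT_PORTS[e["dport"]] for e in span}),
                    "denied": sum(e["action"] == "DENY" for e in span),
                    "first": span[0]["ts"].isoformat(),
                    "last": span[-1]["ts"].isoformat(),
                }
    return findings


if __name__ == "__main__":
    for src, f in find_sweeps(SAMPLE_LOG).items():
        print(f"{src}: {f['targets']} OT targets via {', '.join(f['protocols'])} "
              f"({f['denied']} denied) between {f['first']} and {f['last']}")
```

With the sample data only the IT-subnet host is reported; the HMI that polls a single PLC every ten seconds is not, because the rule keys on the number of distinct devices reached rather than on connection volume. The threshold and window are site-specific: an engineering workstation that legitimately talks to a few PLCs sets the floor for `min_targets`.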
4. What can be done to stop a cybersecurity attack? (The PROTECT strategy)
This question focuses on increasing the resiliency of your OT network during a cyber attack.
Despite all the connectivity between IT and OT, risks for OT can still be contained. For example:
- Macro-segmentation between IT and OT. This will help to reduce infection from IT into OT.
- Secure remote access. Verification, authentication, and real-time activity monitoring for remote access.
- Micro-segmentation for critical processes. This will keep critical processes running during an active attack in the OT network.
- In an optimum security operation, the DETECT strategy should be aligned to this PROTECT strategy. This will allow effective blocking/protection after a threat has been found.
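To make the posture inventory from question 1 and the segmentation and remote-access controls from question 4 concrete, here is an added example (not the authors' code) that runs a handful of rules over a constructed asset inventory tagged with Purdue levels and a list of observed communication flows. It reports IT-to-OT flows that bypass the DMZ, flows between different process cells, remote access without MFA, internet-exposed OT assets, and critical assets still carrying unpatched vulnerabilities. The Purdue level assignments, the field names, the rules themselves and the sample inventory and flows are all assumptions made for this example.

```python
"""Posture and segmentation check over a constructed OT inventory.

Added illustration for question 1 (asset inventory with Purdue levels,
remote access, internet exposure, vulnerabilities) and question 4
(macro-segmentation, secure remote access, micro-segmentation); not code
from the article. The level assignments, field names, rules, and the
sample inventory and flows are assumptions made for this example.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    ip: str
    level: float                 # Purdue level: 0-3 OT, 3.5 IDMZ, 4-5 enterprise IT
    cell: str = ""               # process cell, used for level <= 2 assets
    critical: bool = False       # part of a process the plant cannot lose
    internet_exposed: bool = False
    remote_access: str = "none"  # "none", "password" or "mfa"
    unpatched_vulns: int = 0     # known vulnerabilities with no certified patch applied


# Constructed inventory (made up for this example).
ASSETS = [
    Asset("erp-app", "10.60.0.9", 4),
    Asset("historian-dmz", "10.40.0.5", 3.5),
    Asset("scada-srv", "10.30.0.2", 3, critical=True,
          remote_access="password", unpatched_vulns=3),
    Asset("hmi-line1", "10.20.1.5", 2, cell="line1"),
    Asset("plc-line1", "10.20.1.10", 1, cell="line1", critical=True, unpatched_vulns=1),
    Asset("plc-line2", "10.20.2.10", 1, cell="line2", critical=True),
    Asset("eng-ws", "10.20.1.7", 2, cell="line1",
          internet_exposed=True, remote_access="mfa"),
]

# Observed flows (src_ip, dst_ip), as a firewall or passive monitor would report.
FLOWS = [
    ("10.60.0.9", "10.40.0.5"),   # ERP -> DMZ historian: the intended path
    ("10.40.0.5", "10.30.0.2"),   # DMZ -> SCADA server: fine
    ("10.60.0.9", "10.20.1.10"),  # ERP straight to a PLC: skips the DMZ
    ("10.20.1.5", "10.20.1.10"),  # HMI -> PLC inside one cell: fine
    ("10.20.1.7", "10.20.2.10"),  # line1 workstation -> line2 PLC: crosses cells
]


def zone(level):
    """Map a Purdue level onto the three zones the rules reason about."""
    if level >= 4:
        return "IT"
    if level == 3.5:
        return "DMZ"
    return "OT"


def assess(assets, flows):
    """Return a list of (rule, detail) findings over assets and flows."""
    by_ip = {a.ip: a for a in assets}
    findings = []
    for a in assets:
        if zone(a.level) == "OT" and a.internet_exposed:
            findings.append(("internet-exposed-ot", a.name))
        if a.remote_access == "password":
            findings.append(("remote-access-no-mfa", a.name))
        if a.critical and a.unpatched_vulns:
            findings.append(("critical-unpatched",
                             f"{a.name}: {a.unpatched_vulns} unpatched, "
                             "isolate with micro-segmentation until a patch is certified"))
    for src_ip, dst_ip in flows:
        src, dst = by_ip.get(src_ip), by_ip.get(dst_ip)
        if src is None or dst is None:
            # A flow involving an unknown address means the inventory is incomplete.
            findings.append(("unknown-asset", f"{src_ip} -> {dst_ip}"))
            continue
        zs, zd = zone(src.level), zone(dst.level)
        if {zs, zd} == {"IT", "OT"}:
            findings.append(("macro-segmentation-bypass",
                             f"{src.name} -> {dst.name} crosses IT/OT without the DMZ"))
        elif zs == zd == "OT" and src.level <= 2 and dst.level <= 2 and src.cell != dst.cell:
            findings.append(("cell-crossing",
                             f"{src.name} ({src.cell}) -> {dst.name} ({dst.cell})"))
    return findings


def summary(assets, flows):
    """Count findings per rule; useful for tracking posture over time."""
    counts = {}
    for rule, _ in assess(assets, flows):
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, detail in assess(ASSETS, FLOWS):
        print(f"[{rule}] {detail}")
```

The inventory fields mirror the three headings of the posture question (physical, security and network characteristics), and the flow rules express the two segmentation controls of question 4: a flow whose endpoints sit in IT and OT with nothing in between is a macro-segmentation gap, and a flow between two process cells at level 2 or below is a micro-segmentation gap. Re-running the summary after each change is one cheap way to check that the PROTECT work actually moved the numbers.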
5. How are you planning to manage your cybersecurity investment on an ongoing basis? (The OPERATIONAL strategy)
This question focuses on operationalizing and keeping your cybersecurity investment running.
A lot of organizations focus on planning and procuring technology to detect and protect. Equally important is to make sure there is a process that continues to:
- Keep the technology tuned and updated. This is especially important for detection technology.
- Integrate and update protection technology to quickly block and isolate threats.
One of the biggest changes we expect is that IT cybersecurity teams will manage cybersecurity for OT networks in addition to IT networks. This is exactly where IT and OT converge for cybersecurity. Because of this convergence, organizations will also need a working IT/OT risk management plan to actively identify and close risks.