Securing OT in manufacturing environments

Daniel dos Santos, Head of Security Research at Forescout looks at the current challenges in Operational Technology faced by manufacturers, and what can be done to mitigate against threats...


Industry 4.0 is revolutionising the way companies manufacture, improve and distribute their products. As manufacturers strive to keep pace with adopting new technologies that come with the next phase of the industrial revolution, it has resulted in manufacturers digitising their environments.

However, while this has its benefits, from increased automation, process improvements and new levels of efficiencies, it is exposing critical operational technology (OT) to security vulnerabilities, while presenting new windows of opportunity for cybercriminals. 

Since last year, there has been an 88% increase in OT vulnerabilities, which are used to attack critical infrastructure and expose vital systems to potentially devastating breaches. More specifically, 89% of electricity, oil & gas, and manufacturing firms have experienced cyberattacks impacting production and energy supply over the past 12 months.

With OT systems supporting high-level control systems and other essential industrial equipment, attacks on these vital assets can inflict severe economic damage and even endanger public health and safety.

Manufacturers are aware of the threat and the cybersecurity of their networks is being prioritised in response. In fact, cyber security is an urgent priority for 63% of UK manufacturers, with almost half (43%) investing in security, firewalls and anti-virus precautions. However, one of the biggest challenges is that not all OT assets can be easily patched or run anti-virus and other endpoint protection agents. Industrial control systems in OT environments often use legacy or outdated equipment and software that no longer receives security updates. Scanning the systems may disrupt operations and applying patches requires taking these systems offline for maintenance, which is not only expensive but disruptive to critical operations.

So, what is the solution? How can manufacturers secure OT and protect their systems against security risks, even when patches cannot be easily applied?

OT security challenges facing manufacturers

Traditionally, security was not as critical a consideration because a manufacturer’s OT network was designed to be isolated, running less-known industrial protocols and custom software. Those systems had limited exposure, whereas, today, OT environments have converged and are often no longer air-gapped from IT networks, meaning that the lack of security measures poses a critical risk.

Unfortunately, this connectivity has not gone unnoticed by threat actors. ICS and OT-specific malware such as Industroyer, Triton and Incontroller are evidence of the increasingly sophisticated capabilities that attackers have begun to deploy in attacking ICS and OT facilities, resulting in many serious incidents.

Furthermore, recent research has revealed 56 new vulnerabilities in 10 operational technology (OT) vendors’ products that demonstrate significant “insecure-by-design” practices. These vulnerabilities impact devices from 10 different device manufacturers including Siemens, Emerson, Honeywell, Motorola and Yokogawa.

Of the sectors observed, manufacturing is at the top (26%) with almost a third of affected devices still in use. Alongside this, the research has found affected products to be prevalent in industries such as Oil & Gas, Chemical, Nuclear, Power Generation & Distribution, Water Treatment & Distribution, Mining, and Building Automation.

Most OT devices are insecure by design where vulnerabilities stem from unauthenticated protocols, insecure firmware updates and unsafe native functionality. For instance, 38% of the vulnerabilities discovered allowed for credential compromise, and 21% gave attackers a way to introduce poisoned firmware into the environment. In addition, 14% of the flaws stemmed from native functionality — such as logic downloads, firmware updates, and memory read/write operations — that gave attackers a way to execute malicious code remotely on OT systems.

In fact, one of the biggest issues facing OT security is not so much the presence of unintentional vulnerabilities, but the persistent absence of basic security controls. These devices often lack critical controls needed to authenticate users and actions, encrypt data, and verify that firmware updates and software are signed. When these mechanisms are present, they are often weak and easily hacked or seriously undermined by other issues, like the presence of hard-coded and plaintext credentials on the device.

The research also found that many insecure-by-design devices have security certifications, which often results in a false sense of security and can significantly complicate risk management efforts. The testing requirements of these certifications are sometimes limited to functional verification of features rather than stress testing of defensive capability; so as long as the feature is present, it is assumed that it is secure.

Another issue is a general lack of Common Vulnerabilities and Exposures (CVE) reporting for industrial control systems. Issues considered the result of insecurity by design have not always been assigned CVEs, so they often remain less visible and actionable than they ought to be. Vulnerabilities in supply chain components also do not have a great track record of being reported by affected manufacturers.

While in many cases these feature-abuse issues cannot be patched out, there are practices to address the weaknesses such as visibility and asset management, segmentation, and specific monitoring of network traffic.

Laying the security foundations

Visibility and asset management lay the foundation for network security. You can’t protect what you can’t see, so manufacturers must ensure they have visibility of all the connected devices on their networks. This is quickly becoming imperative for manufacturers that have introduced connectivity, digitisation, artificial intelligence (AI), machine learning (ML) and cloud-based infrastructure, among other technologies.

To improve efficiency, network visibility solutions should be able to span across IT, OT and IoT devices, enabling the discovery of vulnerable devices in the network so that proper control and mitigation actions can be applied. In addition, these solutions should also continuously monitor the network for new devices, automatically detecting new connections, so there are no visibility gaps that could put the organisation at risk.

Vulnerable devices will always exist in OT environments because many of them are too old or fragile to be patched. When a device falls into this category, the focus must be on giving the connected device the minimum amount of privilege. This means if an attacker does gain access to it, they will have a limited ability in what they can do, how they can spread across the network and what they can gain access to. It is also important to segment it from mission-critical systems or essential plant machinery as this will prevent lateral movement attacks.

Segmentation is a fundamental control that enforces proper network hygiene to mitigate the risk from vulnerable devices. Segmentation restricts external communication paths and isolates vulnerable devices in zones as a mitigating control if they cannot be patched or until they can be patched.

While device manufacturers address fundamental issues with insecure-by-design firmware and protocols, asset owners can monitor for progressive patches released by affected device vendors and apply these in their own networks. To further mitigate against risk, manufacturers should monitor networks for malicious packets that exploit insecure-by-design functionality, isolate OT/ICS networks from corporate networks and the internet, limit network connections and focus on consequence reduction, where possible.
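As an added example (not code from the article or from Forescout's products), the following Python sketch combines the two practices described above: a constructed asset inventory that flags devices never seen before, and a zone/conduit policy that flags the native operations the article names (logic downloads, firmware updates, memory writes) when they reach control-zone devices from anywhere but the engineering zone. The addresses, zone names and operation labels are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed asset inventory (hypothetical addresses): device -> zone.
INVENTORY = {
    "10.10.1.5": "engineering",  # engineering workstation
    "10.10.2.10": "control",     # PLC
    "10.10.2.11": "control",     # PLC
    "10.20.0.7": "corporate",    # IT workstation
}

# Native functions the article lists as abusable by design (labels are
# constructed, not a real vendor protocol's function codes).
SENSITIVE_OPS = {"logic_download", "firmware_update", "memory_write"}
# Conduit policy: zone pairs allowed to carry sensitive operations.
ALLOWED_CONDUITS = {("engineering", "control")}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    op: str

def classify(flow: Flow) -> list[str]:
    """Return alert reasons for one flow; an empty list means policy-clean."""
    alerts = []
    src_zone = INVENTORY.get(flow.src)
    dst_zone = INVENTORY.get(flow.dst)
    # Visibility gap: a device the inventory has never seen.
    if src_zone is None:
        alerts.append(f"unknown source device {flow.src}")
    if dst_zone is None:
        alerts.append(f"unknown destination device {flow.dst}")
    # Segmentation check: sensitive operation outside an approved conduit.
    if flow.op in SENSITIVE_OPS and (src_zone, dst_zone) not in ALLOWED_CONDUITS:
        alerts.append(f"{flow.op} to {flow.dst} from zone "
                      f"{src_zone or 'unknown'} violates conduit policy")
    return alerts

def scan(flows: list[Flow]) -> dict[Flow, list[str]]:
    """Map each flagged flow to its alert reasons, dropping clean flows."""
    return {f: a for f in flows if (a := classify(f))}

# Constructed sample traffic: two legitimate flows and two that should alert.
SAMPLE_FLOWS = [
    Flow("10.10.1.5", "10.10.2.10", "logic_download"),   # engineer programs PLC
    Flow("10.10.1.5", "10.10.2.11", "read_status"),      # routine polling
    Flow("10.20.0.7", "10.10.2.10", "firmware_update"),  # IT host pushes firmware
    Flow("10.10.9.99", "10.10.2.11", "memory_write"),    # unknown host writes memory
]
```

A real deployment would derive the inventory from passive discovery and the zones from the site assessment the article recommends, rather than a hard-coded map.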

Preparation and collaboration go hand in hand

The best way to overcome challenges all comes down to preparation. Carry out site assessments to understand inventory and what kind of assets are connected to the networks, their risks and required connectivity. In many cases, the number of known internet-connected devices inside an industrial framework is only a fraction of the network reality.

Collaboration between IT, security and OT site teams is crucial for the ongoing success of secure industrial operations. Digitalisation has helped transform the industry and provides the opportunity to standardise security policies and put in place automated asset and network monitoring. This in turn provides better insights into systems so that manufacturers are constantly aware of their security and operational risks. This then enables the implementation of risk-based segmentation and least privilege access, so that if any cyber incident occurs the impact will be minimal.

While OT security is gradually improving, there are still security gaps that exist in many manufacturing plants. The rapid expansion in the number of connected devices exponentially increases the risk posture. By connecting OT to IoT and IT devices, vulnerabilities that once were seen as insignificant due to their lack of connectivity are now high targets for bad actors. As dependence on OT and IoT grows across industries, the need to tackle cybersecurity risk, including every connected device, is imperative.

- The author, Daniel dos Santos, is Head of Security Research at cybersecurity software firm Forescout.

