There is no question that cybersecurity has become a top priority for organizations across all sectors, and none more so than those in manufacturing. In 2021, approximately 90 percent of manufacturing organizations had their production or energy supply hit by some form of cyberattack.
Enhancing operational technology (OT) cybersecurity is challenging, as it presents barriers in multiple areas: technical (such as legacy and remote solutions), operational (such as the decisions on which parts of the process the IT and OT teams own), and investment (such as a shortage of the trained skill set). However, as the world is becoming more digital, industrial organizations are making progress in securing OT environments by following three key principles:
- Strengthening technological foundations. Organizations are securing OT environments with proper accesses and standardized controls through today’s technology.
- Assigning clear responsibilities. Clarifying role responsibilities for OT and IT teams, along with external partners, enables a quick response to cyberincidents.
- Increasing risk-aware capabilities and mindsets. By applying the proper incentives, organizations can proactively involve all stakeholders.
Effects of cyberattacks on OT environments
OT cyberattacks tend to have higher, more negative effects than those in IT do, as they can have physical consequences (for example, shutdowns, outages, leakages, and explosions). Of 64 OT cyberattacks publicly reported in 2021 (an increase of 140 percent over the number reported in 2020), approximately 35 percent had physical consequences, and the estimated damages were $140 million per incident. Geopolitical risks in 2022 resulted in an 87 percent increase in ransomware incidents, with 72 percent of the overall rate increase over the 2021 figures coming from Europe and North America (40 percent more in North America, 32 percent more in Europe, and 28 percent more in other continents, compared with 2021 data).
Cyberattackers often use ransomware and less-secured third-party connections to hijack OT devices, an action that can stop production and operations. Industrial organizations typically face technical and operational challenges, including the following, when trying to protect against such attacks:
- legacy systems, which can be 30 or more years old, with old vulnerabilities and limited security controls (for example, attackers can infect 2008 Windows servers using a specially crafted font to execute malicious code)
- limited ability to implement security controls on legacy OT devices supplied before cybersecurity became an issue and managed by OEMs (for example, sensors installed on valves and connected to a network without internal hardening procedures)
- third-party remote connections to control OT devices connected to an internal network (for example, attackers can strike a vendor-created network and use it to infect other devices)
- unclear ownership between OT and IT teams that makes it difficult to centralize, manage, and govern OT cyber operations (for example, integration of manufacturing execution systems with enterprise resource planning without the introduction of a 3.5 demilitarized zone).
- risk awareness versus risk tolerance leads to competing business priorities for OT decision makers who need to decide between increasing productivity and securing devices (for example, increased production versus patch management that could cause interruption in operations)
- shortage of combined cybersecurity and automation skills with the required cybersecurity and automation-control-system-specific experience (for example, an expert in OT cybersecurity but lacking automation and process expertise)
- business, operational, and technical restrictions that mean a continuous process may run for three years before a planned shutdown, which limits the ability of OT teams to patch devices and implement time-sensitive solutions (for example, stopping an energy supply to update an operational server with a security patch)
Key factors to succeed with OT cybersecurity
Considering the challenges, enhancing OT cybersecurity demands a combination of technologies, processes, and capabilities across an organization. Our work with industrial organizations has helped us identify nine key factors to succeed in enhancing OT cybersecurity that center around three principles: strengthen technological foundations, ensure value-driven OT operations, and increase cyber-aware capabilities and mindsets.
Strengthen technological foundations
Secure-by-design, implementation, and configuration for OT environments define the proper access and have standardized controls to ensure that risks are mitigated properly based on criticality of assets, including the following:
- Segmentation of OT networks from other networks and within. Services such as real-time data acquisition, remote support of OT networks, and integration between OT systems and ERP systems increase the need for secure convergence between the IT and OT environments through the implementation of security controls (for example, design secure network reference architecture for the industrial plants and the use of strictly configured security controls, such as firewalls, between the OT and IT networks and within the OT networks). Security solutions should be well configured and certified by automation vendors.
- Asset, threat detection, and cybersecurity controls and capabilities. Understanding which assets are in the plant and their applications, vulnerabilities, and missing patches is key to realizing how well the assets are protected (for example, by deployment of threat detection solutions with OT asset management capabilities to establish a clear understanding of the cybersecurity posture within a plant’s assets). This is as important as implementing security controls and measures within the OT networks and systems.
- Configuration of security solutions. Implementing security controls and security updates are important. However, how well they are configured, managed, and administered makes the difference for an effective security control (for example, improper configuration of a firewall could lead to compromises of the OT systems).
Ensure value-driven OT operations
Standardized security procedures help align IT, OT, and external partners to respond quickly to cyberattacks and avoid physical consequences that affect operations (for example, loss of plant operations and production). Successful value-driven OT operations include the following:
- Rightly configured OT and IT teams. OT and IT operations are becoming increasingly connected because of advances in technology and shortages of skilled workers. This can lead to unclear responsibilities for certain devices (for example, smart meters and digital twins). Strengthening cybersecurity governance and operating models across OT and IT teams helps clarify ownership, roles, and responsibilities related to protecting plant assets and fostering collaboration and coordination.
- Risk-based operational approaches. Diverse OT assets have varying levels of criticality for business continuity (for example, energy supply) and safety requirements (for example, emergency shutdown systems and fire and gas systems that need a higher level of security, thus requiring a different process). Creating methods to identify the value at stake and criticality of OT assets allows an organization to prioritize business continuity and plant continuity of operations while enhancing cybersecurity.
- Standardized processes across sites. Differences among sites, OEMs, and devices make it difficult for organizations to standardize OT processes (for example, network architecture and firewalling rules). Mapping standards for architecture and controls facilitate the implementation of new OT cybersecurity initiatives.
Increase cyber-aware capabilities and mindsets
Proper incentives are key to ensuring that stakeholders (IT, OT, and business teams) are aware of cyber risks and have the expertise to identify and reduce threats proactively. Such incentives include the following:
- Expert-driven internal OT capabilities. OT roles require knowledge of both cybersecurity and specific systems, which isn’t easy to find. Reinforcing internal upskilling and incentivizing compensation packages helps attract and develop the required OT cybersecurity capabilities.
- Well-incentivized set of vendors. Organizations typically have a long tail of vendors for OT environments because of the complexity of systems, making it difficult to safeguard cybersecurity. Establishing mechanisms to control vendors and define KPIs for their services helps optimize the tail and enhance accountability in disaster recovery situations.
- Programmed cybersecurity awareness. OT cybersecurity goes beyond OT and IT. Understanding cybersecurity in manufacturing, like safety, is everyone’s job, so enhancing training programs across business, IT, and OT stakeholders helps raise the awareness of cyberthreats and mitigation actions.
Where organizations can start to secure OT
Industrial organizations are at a turning point in their OT cybersecurity journeys. Approximately 96 percent of business leaders indicate the need to invest in OT cybersecurity, and approximately 70 percent of those who have invested in it are facing implementation challenges.
The nine key success factors for enhancing OT cybersecurity can help solve critical challenges, and organizations need to understand their opportunities for improvement. A crucial aspect for improvement is assessing OT assets and operations. Combining top-down, organization-wide operational assessments with bottom-up, asset-by-asset analyses helps organizations understand the relationship between OT maturity and specific risks at the site level. This allows them to link risks with business impact to develop actionable recommendations for thwarting attacks.
Taking a dual approach (consisting of both top-down and bottom-up elements) to assess OT cybersecurity allows organizations to identify critical risks to OT environments and operations quickly. This is a key starting point for industrial organizations in their journeys to ensure protection against the cyberattacks that present a risk to their operations.