Managing OT cyber-security threats in smart manufacturing: best practices
The advent of Industry 4.0—the transition to network-based industrial operations, as well as the use of a wide range of artificial intelligence and machine learning, big data analytics, and cloud computing—has necessitated a tighter link between organizations’ IT and OT realms, which had been traditionally managed and operated practically as separate entities.
This tighter link greatly increased the threat surface of industrial (OT) networks. Data security in the manufacturing industry is critical – in addition to protecting the IT network against ransomware and phishing attempts, which may expose customer PII (Personally Identifiable Information) and other confidential corporate data, hackers could use the breach to establish a foothold in the OT network for the purpose of disrupting industrial operations (e.g. by altering the command values sent to a controller to change the output of the controlled machine).
To make things even more challenging, the multitude of assets from many different vendors that compose today’s manufacturing floors each introduces its own set of vulnerabilities. This exposes the entire network to vendor-specific supply chain attacks, in which a provisioning package sent via the vendor’s remote access channel carries a malicious payload.
This “new normal” threat environment requires a broader view of how organizations structure their IT/OT cybersecurity, the level of control and visibility into ICS operations, and how to maintain an optimized cyber-security expenditure strategy.
You can’t monitor what you can’t see, and you can’t protect what you can’t monitor. The first step toward installing an effective manufacturing security system is ensuring full network visibility, including all topology and communication links, devices, device groupings, and all device properties and known vulnerabilities.
Full network visibility is especially important for understanding the cybersecurity interplay between multiple business units, and the possible lateral attack vectors between business units/zones. For example, improving manufacturing operations by installing an internet-connected energy regulation subsystem may pose a downstream threat to a specific vendor’s PLC installed in another business unit. The ability to visualize the inner-network connections and analyze possible attack vectors is especially important in preventing supply chain attacks, in which a malicious payload is injected into the network via a device provisioning package and makes its way to vulnerable devices through inner-network connections.
OT network segmentation
The convergence of IT and OT networks has made it far easier for cyber criminals to use the IT network as a “back door” into the manufacturer’s OT system. Network segmentation can help contain a breach if it occurs, and also makes it easier to monitor traffic. Network segmentation allows one-way traffic (using an OT-specific data diode) from the high-security OT network to the lower-security IT network for supervisory purposes, while blocking all traffic in the opposite direction. Upon detection of an infected device or network segment, it can be quarantined to prevent further propagation of malware.
Protection of multiple OT operational levels
Different cyber-attacks can originate in different operational levels of the industrial network. Some, such as supply-chain attacks (which use a malicious payload embedded in a third-party vendor’s provisioning and maintenance packages, sent via remote access directly to a Level 1 device such as a PLC on the manufacturing floor), originate in the high-security process level, while other attacks target higher OT levels. As each operational level uses different communication protocols and commands, it is imperative to ensure threat detection in all levels and prevent malicious payloads from flowing between levels and on to the IT/OT DMZ and enterprise network level.
Industrial Threat Detection
Beyond protecting the industrial network’s perimeter, cyber-threat detection involves analyzing all communications, within or across the network perimeter, for any anomaly that may indicate a breach attempt. Radiflow’s iSID threat detection platform uses multiple detection engines for different types of OT network activity, from breach detection (based on vulnerability CVE reports from multiple sources) to detecting anomalies in operational commands and provisioning packages sent to devices.
Radiflow’s IDS employs Smart Collectors, installed at the remote sites of distributed networks, to collect all LAN traffic from the local switch via port mirroring, compress it (to avoid overloading the network), and send it over GRE through VPN tunnels to a centrally installed iSID.
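To make the "anomalies in operational commands" idea concrete, here is an added example (not Radiflow's code) of a baseline-and-deviate check over constructed setpoint write records: it learns which hosts normally write each PLC register and the value band they write, then flags out-of-band values, unknown writers and first-seen registers. The record layout, host names and register names are assumptions.

```python
# Constructed sample of setpoint write commands, in the shape a collector might
# forward (the record layout is an assumption, not Radiflow's format):
# (timestamp, source host, target PLC, register, value)
LEARNING_WINDOW = [
    ("09:00:01", "hmi-01", "plc-7", "setpoint_rpm", 1480),
    ("09:00:31", "hmi-01", "plc-7", "setpoint_rpm", 1500),
    ("09:01:02", "hmi-01", "plc-7", "setpoint_rpm", 1510),
    ("09:01:33", "eng-ws-02", "plc-7", "setpoint_rpm", 1495),
]
LIVE_TRAFFIC = [
    ("10:15:07", "hmi-01", "plc-7", "setpoint_rpm", 1505),          # normal
    ("10:15:38", "hmi-01", "plc-7", "setpoint_rpm", 2900),          # out of band
    ("10:16:09", "corp-laptop-44", "plc-7", "setpoint_rpm", 1500),  # new writer
    ("10:16:40", "hmi-01", "plc-7", "valve_open_pct", 100),         # new register
]

def learn_baseline(commands, tolerance=0.05):
    """Per (plc, register): the hosts that normally write it and the value band
    seen during learning, widened by `tolerance` of the largest magnitude."""
    seen = {}
    for _, src, plc, reg, val in commands:
        writers, vals = seen.setdefault((plc, reg), (set(), []))
        writers.add(src)
        vals.append(val)
    baseline = {}
    for key, (writers, vals) in seen.items():
        margin = tolerance * max(abs(v) for v in vals)
        baseline[key] = (writers, min(vals) - margin, max(vals) + margin)
    return baseline

def detect(commands, baseline):
    """Return (timestamp, reason) for each command deviating from baseline.
    One command can raise more than one reason."""
    alerts = []
    for ts, src, plc, reg, val in commands:
        entry = baseline.get((plc, reg))
        if entry is None:
            alerts.append((ts, f"first write to {plc}/{reg}"))
            continue
        writers, low, high = entry
        if src not in writers:
            alerts.append((ts, f"unknown writer {src} for {plc}/{reg}"))
        if not low <= val <= high:
            alerts.append((ts, f"value {val} outside [{low:.0f}, {high:.0f}]"))
    return alerts
```

The unknown-writer check is what would surface the IT-to-OT "back door" case from the segmentation section: a corporate host issuing a plausible value to a controller it has never addressed before.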
Ongoing OT network monitoring
Rapid response to alerts on early signs of breach attempts can make the difference between continued operations and a total shutdown with heavy losses. Depending on network size and complexity, local regulations and availability of resources, manufacturing organizations may opt not to operate a full-fledged security operations center but rather hire the services of a cloud-based managed security services provider (OT-MSSP). This avoids the large initial outlay for setting up a SOC and training staff, while providing enterprise-class network monitoring by highly trained professionals.
Radiflow’s IDS and OT risk management platforms were designed for all monitoring settings, both in-house and cloud-based. MSSPs are able to instantly access IDSs and assets at multiple locations, operated by multiple entities, through map-based dashboards, for responding to alerts, provisioning or maintenance.
Minimize risk and optimize IT/OT security expenditure
As the OT security industry matures, the mindset of CISOs and financial decision-makers alike is steadily shifting from mitigating all known threats, regardless of the actual impact of a materialized threat on the organization, to minimizing OT network risk. The latter approach looks at which threats are more, less or not at all relevant to the target organization, and examines the impact (in the form of financial, safety or other harm) caused by an attack on each and every OT business unit.
Radiflow’s OT risk assessment & management platform does this by simulating numerous breach and attack scenarios (using multiple threat intelligence sources) as well as already-installed and proposed mitigation controls, to discover and prioritize the threats that pose the most risk to the organization and their corresponding mitigation controls (based on the IEC 62443 security standard). These findings are translated into a continuously-optimized OT protection plan that focuses on the effectiveness of mitigation controls to minimize the damage to the organization, thus ensuring the highest-possible ROI of the manufacturing security system.
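As an added illustration of the risk-minimization argument above (not Radiflow's platform or its scoring method), the following example models threats as per-business-unit likelihoods, units as impact values, and controls as cost plus the fraction of a threat's likelihood they remove; it then picks controls greedily by risk reduction per unit of cost until the budget is spent. All unit, threat and control names and figures are constructed.

```python
# Constructed sample inputs (illustrative figures, not from any real assessment).
# Business unit -> estimated loss if an attack on it succeeds.
IMPACT = {"assembly": 2_000_000, "packaging": 300_000, "warehouse": 50_000}

# Threat -> per-unit annual likelihood; a unit not listed is not exposed to it.
LIKELIHOOD = {
    "it_to_ot_ransomware": {"assembly": 0.20, "packaging": 0.20, "warehouse": 0.30},
    "vendor_supply_chain": {"assembly": 0.10},
    "rogue_setpoint_write": {"assembly": 0.05, "packaging": 0.05},
}

# Control -> (cost, {threat: fraction of that threat's likelihood removed})
CONTROLS = {
    "data_diode_ot_it": (120_000, {"it_to_ot_ransomware": 0.8}),
    "vendor_package_inspection": (40_000, {"vendor_supply_chain": 0.7}),
    "command_anomaly_ids": (60_000, {"rogue_setpoint_write": 0.9, "vendor_supply_chain": 0.3}),
    "warehouse_av_refresh": (20_000, {"it_to_ot_ransomware": 0.1}),
}

def residual_risk(selected):
    """Expected annual loss across all units with `selected` controls in place.
    Several controls on the same threat compose multiplicatively."""
    total = 0.0
    for threat, per_unit in LIKELIHOOD.items():
        factor = 1.0
        for name in selected:
            factor *= 1.0 - CONTROLS[name][1].get(threat, 0.0)
        for unit, p in per_unit.items():
            total += p * factor * IMPACT[unit]
    return total

def plan(budget):
    """Greedy plan: repeatedly add the affordable control with the highest
    risk reduction per cost. Returns (chosen controls, residual risk)."""
    chosen, remaining = [], budget
    while True:
        best, best_ratio = None, 0.0
        current = residual_risk(chosen)
        for name, (cost, _) in CONTROLS.items():
            if name in chosen or cost > remaining:
                continue
            ratio = (current - residual_risk(chosen + [name])) / cost
            if ratio > best_ratio:
                best, best_ratio = name, ratio
        if best is None:
            return chosen, residual_risk(chosen)
        chosen.append(best)
        remaining -= CONTROLS[best][0]
```

With these figures the cheapest control is not chosen first and the most thorough one is never chosen at a 200,000 budget, which is the point of the section: spend is ordered by impact avoided per unit cost, not by how many threats a control addresses.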
Cyber security in manufacturing facilities requires a protection system that covers all attack vectors, including all industrial operations levels and human network activity, and provides full network visibility for efficient asset lifecycle management and preventing inner-network attack vectors.
OT cyber-security has transitioned in recent years from all-out threat detection to targeted risk reduction that accounts for the impact of an attack on the organization, so that low-impact threats are prioritized much lower than high-impact ones. This allows for optimizing OT security expenditure, by ensuring that preventing high-impact threats and protecting high-criticality business units take priority in budgeting.
Radiflow provides a comprehensive security solutions suite designed specifically for industrial organizations of all sizes that ensures early detection of breach attempts, efficient alert handling, and ongoing risk monitoring toward maximizing the ROI of the OT security operation.