By Dave Purdy, Regional Vice President of Sales, North America, TXOne Networks
Though it’s often treated as a borrowed approach from the information technology (IT) world, cybersecurity for operational technology (OT) is best tackled as its own unique challenge. The pain points, protocols and tradeoffs to be balanced are fundamentally different in OT than in IT.
Perhaps in no industrial environment is this distinction clearer than in discrete manufacturing, where the pressure to maintain unit volumes is most extreme while, at the same time, the safety of machines and of the people who work with and near them must be protected. Discrete manufacturing presents an unusually delicate balance of competing forces, and OT managers must hold that balance constantly as they make cybersecurity decisions.
What are the particular requirements and characteristics of OT cybersecurity in discrete manufacturing, and how do these weigh into decisions around implementing effective solutions for this environment?
The Distinct OT Cybersecurity Environment
OT cybersecurity is not IT cybersecurity applied in a plant-floor setting. The protocols and network languages that drive operational automation are entirely different from those common in IT environments. OT protocols are highly specialized, and there are hundreds of them.
Many of the technologies are several decades old. The electric grid, for example, still runs on control concepts developed in the late 1940s and '50s. Modbus, a client/server protocol relied upon for communication among industrial electronic devices across a tremendous range of domains, was originally published by Modicon in 1979. In its original form it carries no authentication and no encryption: any device that can reach the network can read or write a controller's registers. These protocols were conceived and grew up in a climate without IT concepts such as encryption, authentication or cybersecurity in general.
Plus, because today's high-speed manufacturing environment is so sensitive to network latency and jitter, OT protocols are kept deliberately lean. They carry little of the handshaking, authentication and encryption overhead found in sophisticated IT protocols, and retrofitting those features is constrained by the same strict timing requirements.
The Distinct OT Needs in Discrete Manufacturing
Discrete manufacturers produce distinct, countable units that can be disassembled into component parts, such as a car, a bicycle or a piece of furniture. Asset owners in this sector are focused on production volume, product quality, production uptime (availability) and, most importantly, human and asset safety. In the context of cybersecurity, the challenge for the asset operator is to implement solutions that impair none of these sometimes-competing priorities.
It is not uncommon for security solutions implemented in the OT space to err on the side of caution. The problem with that approach is expensive overkill: such tools raise alerts for relatively innocuous network events and, in some cases, halt production (and revenue) on the strength of false positives.
The Growing Issue of OT Cyber Threats
Because adopting protective capabilities without jeopardizing revenues, operations and quality has proven so challenging, many discrete manufacturers have chosen and continue to simply “roll the dice” and do nothing to safeguard their OT environments. Or they might have a false belief that plants are “air gapped” from the threats found in IT and the internet. Or they rely on upstream IT security solutions with the false hope that threats will be blocked from reaching their production lines.
Until recently, they might have gotten by, because the probability of an OT attack has historically been low. There is very little debate, however, that the OT threat landscape is now growing substantially, a fact borne out by the skyrocketing cyber insurance rates many companies are confronting. In the wake of high-profile incidents like the May 2021 ransomware attack on Colonial Pipeline, insurers are asking very specific and tough questions about which cybersecurity mechanisms a company has put in place in its OT environment.
Driven by the cost to be insured or the ability to be insured at all, the cost of downtime because of attacks and the potential lasting brand damage in the wake of attacks, more and more discrete manufacturers are taking a fresh or even first look at OT cybersecurity.
What Can Be Done? What Must Be Taken into Account?
OT attacks are often missed by traditional IT cybersecurity tools, which fail to address risk vectors such as industrial control system (ICS) protocols, infected equipment getting installed into a production process or third parties entering a factory to perform maintenance.
Discrete manufacturers require OT-specific endpoint solutions. The endpoints to be protected in a production facility tend to be human machine interfaces (HMIs), remote terminal units (RTUs), engineering workstations (EWSs) and supervisory control and data acquisition (SCADA) systems that oversee machines and processes handling critical, time-sensitive materials or events. IT cybersecurity tools are not built with an understanding of such endpoints and therefore fail to safeguard them sufficiently.
Because OT networks tend to be flat, with every element able to reach and talk to every other, OT cybersecurity demands a micro-segmentation capability, so that an attack is contained to one segment and unaffected manufacturing lines stay open and running. Plus, the system must be able to distinguish legitimate OT protocol traffic from traffic that does not belong on the OT network through real-time inspection, and act intelligently and swiftly to avert or mitigate the damage of an attack.
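What protocol-aware inspection at a segment boundary looks like in practice, as an added example (written for this edit; it is not TXOne's code and does not come from the original article): the block below parses Modbus/TCP requests, the protocol mentioned earlier, checks that the MBAP header and function-specific fields are well formed, and then applies a per-host allowlist of function codes. Because the frame carries no authentication field at all, the source address is the only identity a policy can key on. The host addresses, the read-only HMI versus read/write engineering workstation split and the sample frames are constructed assumptions.

```python
"""Protocol-aware inspection of Modbus/TCP requests (added example)."""
import struct
from dataclasses import dataclass

MODBUS_TCP_PORT = 502

# Public Modbus function codes (Modbus Application Protocol Specification)
FC_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    8: "Diagnostics", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
READ_FCS = {1, 2, 3, 4}
WRITE_FCS = {5, 6, 15, 16}

# Constructed allowlist (an assumption for this example, not a vendor policy):
# the HMI may only read; the engineering workstation may also write.
POLICY = {
    "10.10.1.20": READ_FCS,              # HMI
    "10.10.1.30": READ_FCS | WRITE_FCS,  # engineering workstation (EWS)
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header, then the PDU (FC + data).

    MBAP = transaction id (2), protocol id (2, always 0), length (2), unit id (1).
    The length field counts the unit id plus the PDU, so a well-formed ADU is
    exactly 6 + length bytes long. Nothing in the frame authenticates the sender.
    """
    if len(payload) < 8:
        raise ValueError("too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length < 2 or length > 254 or len(payload) != 6 + length:
        raise ValueError(f"MBAP length {length} inconsistent with {len(payload)}-byte frame")
    fc = payload[7]
    data = payload[8:]
    # Field-level sanity checks for the two request types used below
    if fc == 3:
        if len(data) != 4:
            raise ValueError("Read Holding Registers needs address + quantity")
        quantity = struct.unpack(">H", data[2:])[0]
        if not 1 <= quantity <= 125:
            raise ValueError(f"quantity {quantity} outside spec limit 1..125")
    elif fc == 6 and len(data) != 4:
        raise ValueError("Write Single Register needs address + value")
    return ModbusRequest(tid, unit, fc, data)


def inspect(src_ip: str, dst_port: int, payload: bytes) -> str:
    """Verdict for one TCP segment sent toward the PLC: 'allow' or 'block: ...'."""
    if dst_port != MODBUS_TCP_PORT:
        return "block: non-Modbus traffic on OT segment"
    try:
        req = parse_modbus_tcp(payload)
    except ValueError as exc:
        return f"block: malformed Modbus ({exc})"
    allowed = POLICY.get(src_ip)
    if allowed is None:
        return "block: unknown source host"
    if req.function_code not in allowed:
        name = FC_NAMES.get(req.function_code, "unknown")
        return f"block: {src_ip} not permitted FC {req.function_code} ({name})"
    return "allow"


def build_request(tid: int, unit: int, fc: int, *fields: int) -> bytes:
    """Build a request ADU whose data is a list of 16-bit fields (constructed traffic)."""
    pdu = struct.pack(">B", fc) + b"".join(struct.pack(">H", f) for f in fields)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def run_examples() -> list[str]:
    """Constructed traffic and the verdict a segment-level policy should give."""
    return [
        inspect("10.10.1.20", 502, build_request(1, 1, 3, 0, 10)),      # HMI reads 10 registers
        inspect("10.10.1.20", 502, build_request(2, 1, 6, 100, 1)),     # HMI attempts a write
        inspect("10.10.1.30", 502, build_request(3, 1, 6, 100, 1)),     # EWS writes: allowed
        inspect("10.10.1.99", 502, build_request(4, 1, 3, 0, 1)),       # unknown host
        inspect("10.10.1.20", 502, build_request(5, 1, 3, 0, 2000)),    # quantity over spec limit
        inspect("10.10.1.20", 502, build_request(6, 1, 3, 0, 1)[:-1]),  # truncated frame
        inspect("10.10.1.20", 445, b"\x00" * 12),                       # SMB on the OT VLAN
    ]


if __name__ == "__main__":
    for verdict in run_examples():
        print(verdict)
```

The point of the field-level checks is that a segment boundary can reject traffic that is syntactically Modbus but operationally wrong (a register-read quantity above the protocol's limit, a truncated frame) without ever touching a healthy line, while the allowlist turns the lack of authentication in the protocol into an enforced separation between hosts that monitor and hosts that configure.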
Insider threat is another important vector in OT cybersecurity. The individuals who come into a plant to perform maintenance can introduce malware unintentionally, from a USB drive, for example. There have even been cases of brand-new equipment arriving at a manufacturing site already infected. Repurposed IT tools are not built to recognize or act on these threats.
Finally, IT tools tend to be built to protect the confidentiality, integrity and availability of assets and data, in that order of priority. OT cybersecurity demands the opposite ordering. The individuals who run these plants are rewarded for how many widgets of sufficient quality their plants produce. The OT cybersecurity tools at their disposal must therefore emphasize availability first, then integrity, then confidentiality.
Conclusion
No company wants to be shut down because of a ransomware attack, but nor can a company afford to implement a complex security solution that hinders operations and generates false positives resulting in unnecessary interruptions. This is the vexing challenge in which OT managers for discrete manufacturers find themselves with regard to cybersecurity.
Simply extending IT security products and approaches into industrial settings, however, is insufficient for the emerging threat landscape. To safeguard assets, operations and revenues, discrete manufacturers require cybersecurity solutions built from the ground up for the unique requirements of OT.
About the Author
Dave Purdy is the Regional Vice President of Sales, North America at TXOne Networks. He is a veteran technology practitioner with a career-long focus on critical infrastructure protection and downtime avoidance. Dave’s industry experience has had a central focus on business and operational resiliency spanning global financial services, power generation, utilities, defense contractors, and manufacturing. Prior to joining TXOne Networks he held various leadership positions at AWS, EMC Corporation, and IBM Corporation. Dave can be reached at Dave_Purdy@txone.com and https://www.txone.com/?utm_source=CyberDef.