Introducing IIoT to your manufacturing means better connectivity and improved productivity. It also increases the number of gateways into your OT systems. More gateways mean more points vulnerable to OT cyber security attack.
Whilst your IT systems department routinely expect hacks and exploits, it is not an area that has greatly affected operations (OT). Where cyber security for IT was traditionally concerned with information confidentiality, integrity and availability. OT is different as priorities often include safety, reliability and availability, and physical dangers associated with OT failure or malfunction.
Until recently, management of production line control was largely by dedicated controllers or PLCs. They also enjoyed an ‘air gap’ between the automation control system and the outside world. That is no longer the case.
Lack of awareness also brings its own dangers. In their 2019 Global report on the state of operational technology security, CyberX identified several common issues. Their study analysed real world traffic to 850 industrial operating networks across six continents and multiple industries. It identified that over 84% of sites have some form of remote access devices.
It showed that OT networks are a soft target for adversaries, with cyber-security gaps in key areas such as plain-text passwords (69%), direct connections to the Internet (40%) and weak antivirus protection (57%) and WAPS (16%)
Their downloadable report suggests eight steps, based on prioritisation of the issues is key. Many problems exist, but not all of them need solving at once. The report outlines a series of eight steps towards strengthening OT security to protect the most essential assets and processes. They include:
- Continuous OT network monitoring to immediately spot attempts to exploit unpatched systems — before attackers can do any damage
- Automated threat modelling to prioritize mitigating highest-consequence attack vectors
- Compensating controls such as granular segmentation
Does your IT dept protect OT cyber security
Automation systems are vulnerable for some different reasons then IT systems. They are designed to interfaces with the physical world of Industrial Control Systems, SCADA and Distributed Control Systems.
With IT systems defences comprise of layers on the technology stack, with software provides producing regular updates, patches and virus protection. This is not the case with industrial automation control where the environment remains relatively static. The problem is also exacerbated by the increased number of reported vulnerabilities built into some OT manufacturers’ proprietary hardware.
The UK’s National Cyber Security Centre (NCSC) recently published guidance to help regulators and operators of essential services adhere to the requirements of the new EU Network and Information Security (NIS) Directive. This guidance can help OT managers ensure that any connectivity between their OT cyber security environments and their wider enterprise networks or the Internet is managed securely. The NCSC will soon publish guidance outlining best practice for secure system design, containing more detailed advice to help mitigate these risks.
