5 Key Cybersecurity Practices That Help Protect Networks

In February 2022, a system administrator at an auto parts manufacturer rebooted a file server to resolve an unexpected file error. The administrator didn’t see the normal boot screens one might expect, but was instead greeted with a threatening message, providing the first sign that an active cyberattack was underway.

The attack would continue to ripple through the automotive supply chain for days. By the time the attack's full scope was discovered, this global automaker was forced to suspend operations in 28 production lines across 14 plants — cutting global capacity by one-third, which represented hundreds of millions of dollars in losses.

Industrial networks are increasingly connected and vulnerable to operations technology (OT) cybersecurity threats. The costs of a cyberattack come in many forms, including expenses to restore lost data, repair or replace damaged equipment, compensate victims, and pay fines or legal fees.

In industrial settings, however, the largest cost typically comes from operational downtime.

Cyberattacks and Cost of Downtime

For plant owners, unplanned downtime costs related to cyberattacks can add up fast. A small-to-medium business might lose $8,000 or more per hour of downtime, while for a large industrial organization, the losses can easily top $1 million per hour.

Meanwhile, the frequency of cyberattacks on industrial operations is increasing, driven heavily by phishing or spear phishing exploits that start in IT and migrate to OT infrastructure; or through removable devices, which abound in industrial settings and can carry malware.

Bigger dangers are on the horizon. The use of artificial intelligence (AI) to find and exploit vulnerabilities is growing, and critical infrastructure is increasingly targeted by adversarial nation-states intent on disruption.

Combine the high cost of downtime with the rising frequency of cyberattacks, and it’s clear the risk calculus is significant for industrial firms. Improving defenses can reduce plant downtime from cyberattacks and therefore significantly impact the bottom line, making it a top priority for anyone managing production operations.

Let’s explore key industrial cybersecurity practices using the five NIST Cybersecurity Framework categories that can help reduce risks and duration of downtime during a cyberattack.

NIST Category 1: Identify

When a cyberattack strikes, defenders usually have more questions than answers. But it’s important for incident responders to answer specific questions early on to quickly scope and respond, including: “What’s affected?” and “Where are we vulnerable?”

Answering these crucial questions requires a complete, up-to-date inventory of assets that are most critical to production environments. In typical industrial firms, assets number in the thousands to tens of thousands. Manufacturers, for example, have production-line equipment and controllers, smart devices, sensors and a host of other connected assets.

This volume, which also is frequently changing, can make asset inventories challenging to assemble. And collecting this information after an attack can cause massive delays, contributing to extended downtime: Ad-hoc asset inventory scans can take hours or days of waiting for a maintenance window to avoid additional disruption.

What’s more, many manufacturers infrequently perform asset analysis in the first place, contributing to a higher vulnerability to cyberattacks.

A key step in reducing downtime from cyberattacks is to implement a robust asset and vulnerability management program. Regular, automated asset inventories performed as often as daily, hourly or in real time, confirms that defenders are always prepared with an accurate picture of the landscape.

Gaining this visibility, users can determine if rogue assets have appeared on their networks, and also if legitimate assets are exhibiting behaviors that point to threat actors. This brings fast focus to efforts to prevent and respond to cyberattacks, ultimately saving downtime.

NIST Category 2: Protect

Implementing certain proactive measures also can minimize downtime from cyberattacks by blocking threats before damage can occur.

One defensive priority for any organization is network segmentation. Network segmentation creates strict boundaries between systems, controls the flow of traffic and minimizes the risk of an attack spreading to other parts of the network.

In industrial organizations, a demilitarized zone (DMZ) is an architectural boundary between IT and OT networks, providing a critical air gap. With most industrial attacks starting in IT and migrating to OT, DMZ deployment is a key network segmentation strategy to limit IT attacks from gaining access into plant operations.

Microsegmentation then provides another layer of defense. Threat actors tend to exploit the easiest pathways to achieve their ransomware and disruption goals. With a microsegmentation approach, protected segments are built around key data, applications, assets and services, with firewalls and strong access controls applied.

As an added benefit, these measures also are key strategies in Zero Trust Architecture, which is an emerging compliance directive in the United States and other regions worldwide.

NIST Category 3: Detect

Once an adversary has breached a user's digital infrastructure, the race is on. Attackers know response times are slowest at night and on weekends and use this tactic to get a head start.

Many recent, well-publicized industrial attacks began over holiday weekends. For example, malicious threat actors deployed DarkSide ransomware against Colonial Pipeline over Mother’s Day weekend, and food processor JBS experienced a REvil ransomware attack over Memorial Day weekend.

Defending against modern industrial threats isn't just a "first shift" problem. It requires designing around-the-clock vigilance via network security monitoring to confirm that users are never giving the adversary a head start.

Fortunately, organizations can beat the clock by deploying 24/7 network security monitoring using threat detection systems that let security teams leap into action in a matter of minutes. Continuous network security monitoring helps manufacturers that want to limit downtime from cyberattacks.

For manufacturers that find it difficult to staff a 24/7 security operations team, which is the required counterpart to detection, managed services can fill the gap and confirm defenders are always in place to detect and respond to threats quickly.

NIST Category 4: Respond

Responding to a sophisticated threat requires specific skills and experience. An incident response framework can help. Most organizations bring in OT incident response specialists to handle an entrenched threat. That’s a particularly important process in industrial organizations, given the implications for production operations, worker safety, equipment and supply chains.

Finding an OT incident response specialist with the right expertise can be time-consuming — vetting consultants, negotiating contracts and developing an incident response framework or plan can easily take weeks, especially for highly regulated industries.

To avoid the risk of prolonged downtime from a cyberattack, users can establish a relationship with an OT incident-response provider before one is needed. An incident-response retainer agreement helps users start strong from the moment an attack is uncovered, minimizing the damage, reducing downtime and helping prevent further destruction.

NIST Category 5: Recover

In some industrial sectors, such as life sciences, ransomware has become one of the leading sources of unplanned downtime.

Restoring systems and data is an exacting process, which can take hours or days under perfect conditions. Unfortunately, conditions are rarely perfect. Incomplete backups, incompatible software and untrained staff can introduce complications and delays, adding days or weeks to recovery time.