Automation Today 82 | Management Perspectives

Building Resilience in Manufacturing: The Critical Need for OT Cybersecurity

Why OT cybersecurity is no longer a nice-to-have, but a must-have for survival in this new era.
Inbavanan Rathinam, Regional Vice President, Asia Pacific, Lifecycle Services, Rockwell Automation and Dawn Cappelli, Director of OT-CERT (Operational Technology - Cyber Emergency Readiness Team) at Dragos.

The cybersecurity landscape has evolved significantly over the years, with sophisticated ransomware becoming one of the most prominent cyber threats in manufacturing. Ransomware has also moved beyond Information Technology (IT) systems into Operational Technology (OT) systems, raising concern among manufacturers, as attacks on this critical infrastructure can have implications far beyond financial losses.

We sit down with Inbavanan Rathinam, Regional Vice President, Asia Pacific, Lifecycle Services, Rockwell Automation and Dawn Cappelli, Director of OT-CERT (Operational Technology - Cyber Emergency Readiness Team) at Dragos to discuss the threats posed by ransomware, and why setting up a cybersecurity program for manufacturers, particularly in today’s digital world, has become a necessity.

Inbavanan shares that manufacturers today carry a much greater risk than before regarding cybercrime. When ransomware affects the OT platforms, organizations may face more than monetary loss.

“OT assets are often part of the critical infrastructure. So aside from the financial loss, ransomware on OT systems can also compromise the safety of employees at the plant and cause reputational damage,” he says.

Pipedream is one of the first known Industrial Control Systems (ICS) malware to target OT protocols. Pipedream is designed to exploit five OT protocols used by hundreds of OEMs across thousands of devices. It is a versatile, all-purpose malware that can be deployed globally against many devices in any sector. Its immunity to traditional patching approaches complicates mitigation, and the only way for organizations to be a step ahead of this malware is by having a comprehensive OT cybersecurity program.

 

Keeping up with an ever-evolving landscape

Malware like Pipedream is only the tip of the iceberg.

As technology continues to evolve, so will the cyber threat landscape. One example of this evolution: hacktivists, who in the past carried out simple DDoS attacks, are now aligning themselves with state actors to carry out more sophisticated attacks. Organizations must stay ahead by ensuring they have the appropriate security measures in place if they do not want to be vulnerable.

Cappelli shares that the rapidly changing cyber threat environment in OT has a significant impact on the risk and resiliency of operations. All too often, organizations put a plan in place for OT security but then neglect to remain vigilant to the changing threat environment and its impact on their risk management strategy.


The convergence of IT-OT brings a new dimension

British mathematician Clive Humby’s quote, “Data is the new oil”, holds true in this technology-driven world. However, nothing comes free: just as organizations can reap many benefits from data, they also carry a greater responsibility to protect that data so that it cannot be stolen or manipulated to impact the reliability and safety of their operations.

A big misconception that many industry players subscribe to is the idea that they are air-gapped and protected from malware as long as they keep their operations separate from IT systems.

Unfortunately, as technology evolves, IT and OT convergence becomes inevitable. “From ERP systems to using the cloud for analytics and advanced manufacturing for productivity, organizations can no longer airgap their platforms for competitive reasons,” says Cappelli.

There’s also the issue of greater risk and regulatory compliance, adds Inbavanan. Data collection used to be a manual process. However, as companies today take advantage of the convenience and business advantages of the cloud and digital systems, they must ensure that their security teams remain on top of the evolving threats and vulnerabilities associated with cloud environments. Teams must constantly stay informed about the latest security tools and know best practices to mitigate risks and respond effectively to potential attacks.

Cappelli adds that sometimes, the risk comes from trusted third parties. For example, businesses utilize service providers and systems integrators for new and ongoing plant operations. Unfortunately, some of these trusted third parties often do not understand OT cybersecurity and may put operations at risk. For example, malware can be transferred into the plant via their USB drives, or when they remotely connect with the plant using mechanisms that are not secure. In fact, often they are the ones who implement remote access to the plant, without ensuring that access is configured securely. Such instances could magnify cybersecurity risks.

 

Why traditional IT security practices don’t apply to OT environments

Just as increased connectivity boosts operational efficiency, it opens up new pathways for cyber attackers to infiltrate OT and Industrial Control Systems (ICS). Industries face the challenge of balancing day-to-day operational reliability and efficiency against the threat of cyberattacks, which can have devastating consequences.

Unlike IT systems, where software and hardware are regularly updated to address security threats, OT systems pose their own unique challenges, requiring a unique approach to infrastructure security. This is largely due to the need to maintain continuous plant operations, limitations of legacy equipment, and complexity of the OT environment. As a result, OT devices and operating systems tend to become outdated over time, creating vulnerabilities in critical infrastructure that cybercriminals can exploit.

Cappelli suggests that organizations should consider the SANS Five Cybersecurity Critical Controls for Industrial Control System for a preventive cybersecurity program. The five ICS controls, she says, are critical to any industrial organization:

  1. An ICS-specific incident response plan
  2. A defensible architecture
  3. ICS network security monitoring
  4. Secure remote access / MFA
  5. Risk-based vulnerability management program

These controls become even more critical as organizations integrate with AI and machine learning technologies. After protecting their critical infrastructure, they should consider deploying a zero-trust architecture to further strengthen their defenses and mitigate cyberattacks.

Tips for employee security training:

  • Provide targeted training: Tailor every session to the specific roles of employees. Office workers and plant workers should not receive the same generic training.
  • Create hard copies of security awareness newsletters: Not everyone gets on the computer to access information. Leaving security awareness newsletters in communal areas within the organization can be an effective way to get information across, possibly even spark conversation over mealtimes among employees.
  • Create engaging, fun content: Inject some fun and timely content in printed collateral with relatable examples. For example, incorporate cybersecurity concepts into holiday shopping tips to make cybersecurity feel more personal and relatable.

Secure leadership buy-in for long-term success

Cybersecurity is all about prevention, and upfront costs can make stakeholder alignment challenging. However, it is important to note that every cybersecurity program is a continuous journey. Inbavanan says that businesses cannot just take a dollar perspective on cybersecurity; they need to measure the cost of potential risks to find the right balance.

Having the know-how is also crucial to ensure success, which is why having partners like Rockwell Automation and Dragos can be a game-changer in navigating the complexities of OT cybersecurity. Understanding that many organizations may struggle with resources and expertise to address cybercrime, Dragos developed an OT-CERT program with more than 60 free resources to help businesses get started in their cybersecurity journey. These resources are also aligned with the SANS Five Critical Controls for ICS.

Cybercrime happens when organizations least expect it, which is why businesses should not delay in developing and implementing cybersecurity measures. Learn more about the cybersecurity solutions tailored to OT and ICS here.
