Cybersecurity for food and beverage operational technology (OT) environments
It's critical to realize the importance of cybersecurity in food and beverage manufacturing, an infrastructure that is often overlooked.
Much of the attention that cybersecurity gets is on the IT or office network side of things, but recently people have begun paying more attention to operational technology (OT) systems that make up our critical infrastructure. When people think of critical infrastructure, they automatically think of oil & gas, power generation and maybe water. People don’t realize that there are sixteen critical infrastructure industries.
One of the easily forgotten but critically important infrastructures is food and beverage manufacturing. A cyber-attack on a food and beverage company might not result in the lights going out or clouds of toxic gas, but it could result in tainted food or other serious food production issues.
We need to start paying more attention to cybersecurity in the food and beverage industry. Imagine a cyber-attack on the control system at a frozen foods distribution facility. The attack could raise the temperature in the freezers, thaw the food and then refreeze it. Unfortunately, the operator’s station reports that everything is fine the entire time. This could result in food poisoning for hundreds or thousands of people. Bad actors can do a lot of harm by targeting this sector.
The evolving roles of IT and OT
Many companies are pushing to combine their IT and OT departments, but you need to first understand that IT and OT have different goals and priorities. The first thing to understand is the organizational structure. You will typically find that both IT and OT report organizationally to the CEO or CIO. Senior management commonly believes IT owns the responsibility for Industrial Control System (ICS) networks and security. This is true primarily because IT owns support, maintenance and the operational budget for network, IT and OT security.
The primary goals of IT are Confidentiality, Integrity and Availability: the CIA Triad. As part of their role, IT staff also make it possible for users to access the network from any location they're working from, using whatever computing device they have access to. The goal is to make it as easy to work from an airport, hotel room or coffee shop as it is to work in the office itself. Technology is updated and replaced often. Service packs are loaded, new software releases are loaded, and bugs are fixed.
OT's primary goals are Availability, Integrity and Confidentiality, a complete reversal of the IT CIA Triad. OT strives to keep production running, whether it's an electric utility, an oil rig or a clothing factory. OT is all about what works, commonly with a "we've always done it that way" mentality. OT is typically reluctant to make any change that might bring down the production line. This is driven by their measurement metrics of widgets per minute or production efficiencies. However, regardless of the differing priorities, trust and open communication between IT and OT are paramount if things are going to work properly.
When we're talking about OT cybersecurity, we usually use terms like 'secure' or 'prevent,' when we really should be thinking about things like 'containment.' Securing the network and preventing attacks is important, but at some point an attack will get past your defenses. It then becomes a matter of containment: how do we keep it from spreading to other networks?
IT and OT cybersecurity best practices
One thing to definitely avoid is the desire by IT to have bi-directional communications between the IT and OT networks. This should never happen. You should also avoid the desire to connect the ICS to the internet in order to allow remote access and management. If the control system is going to be connected to the internet, it should only have outgoing unidirectional data transmission to allow monitoring of the system.
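One way to audit the rule above against network flow records, as an added example that is not part of the original article. The zone address ranges, the CSV field names and the sample flows are all constructed assumptions; the check flags any flow initiated toward the OT network and any flow leaving OT that received data in return.

```python
import csv
import io
import ipaddress

# Constructed address plan (assumption): substitute the plant's real ranges.
OT_NETS = [ipaddress.ip_network("10.20.0.0/16")]
IT_NETS = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed flow records. src is the side that initiated the flow;
# bytes_back is payload sent by the responder back to the initiator.
SAMPLE_FLOWS = """src,dst,dport,bytes_out,bytes_back
10.20.1.15,10.20.1.40,502,1200,1180
10.20.1.50,10.10.5.9,514,8400,0
10.10.5.22,10.20.1.15,3389,5100,90200
10.20.1.50,10.10.5.9,443,900,15000
203.0.113.7,10.20.1.60,22,300,280
10.20.1.60,198.51.100.4,5140,2000,0
"""

def zone(addr):
    """Map an address to OT, IT, or INTERNET (anything unlisted)."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in OT_NETS):
        return "OT"
    if any(ip in net for net in IT_NETS):
        return "IT"
    return "INTERNET"

def audit(flow_csv):
    """Return (kind, src, dst, dport) for each flow that breaks the one-way rule."""
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src_zone, dst_zone = zone(row["src"]), zone(row["dst"])
        if src_zone == "OT" and dst_zone == "OT":
            continue  # traffic that stays inside the control network
        if dst_zone == "OT":
            # Anything initiated from IT or the internet toward the ICS.
            kind = "INBOUND_FROM_" + src_zone
        elif src_zone == "OT" and int(row["bytes_back"]) > 0:
            # Leaves OT, but data also came back: not a one-way feed.
            kind = "RETURN_DATA_FROM_" + dst_zone
        else:
            continue  # one-way export out of OT, or a flow that never touches OT
        findings.append((kind, row["src"], row["dst"], int(row["dport"])))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

The return-data check assumes the flow exporter reports payload bytes per direction; where it counts every packet, any TCP session out of OT will be flagged, since TCP itself needs a return path.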
Best practices for creating a solid OT cybersecurity program should include three things:
- C-Level support and buy-in for necessary changes
- Communication with stakeholders and vendors
- Decision making as a team, making sure all IT, OT, and engineering stakeholders are involved
After you've set up the structure and started communicating, you need to begin cybersecurity awareness training for the OT staff. This training should be focused on educating plant personnel on what cybersecurity is, both at work and at home. Protocols for how to respond to or escalate potential threats need to be in place. OT personnel should be trained on what needs to be dealt with immediately and what can wait.
Consider doing tabletop exercises where you practice response scenarios when various incidents occur. This can act as a stress test for your Incident Response plan and help shine a light on any vulnerabilities in your escalation procedures. These tabletop exercises should involve C-Suite individuals as well as people from the plant floor, so everyone understands their part in a cyber-attack response.
Velta Technology is an expert at detecting and preventing cyber-attacks. We're here to help you and your organization, no matter how big or how small. Our team of experts draws on extensive knowledge and experience across key areas including risk management, operations and human factors. This helps ensure that all testing and mitigation measures are tailored to the specific needs of your organization.