Manufacturers realize cybersecurity risks, taking steps
Denial can be a very perilous state of being, and admitting there is a problem is the beginning of the journey to solve any issue facing anyone.
While that may sound like a psychology 101 class, in actuality that can be considered the mindset for those in the manufacturing automation sector these days. After years of denying they had any kind of attacks or any kind of security issue, users today are at least acknowledging what they are facing.
“When we meet with clients it is far more common to hear these days, ‘yeah, we had an incident.’ In most cases it is malware that got into the environment,” said John Cusimano, vice president of industrial cybersecurity at aeSolutions. “When we do a cyber risk assessment, one of the things we talk about is the likelihood of certain incidents occurring it is far more common today to hear people say ‘yeah, that happened here.’ They are not publicized events. At least they are aware they had an incident.”
Admitting there is a problem and looking to fix it looks to be other security outlooks for the coming year. Combining that, along with the issues mentioned last week of more teamwork with a mandate to mesh all segments of an organization so boards, IT and OT can work together, are elements the manufacturing automation sector is working on in the coming year. With attacks and sophistication levels of all kinds on the rise, the stakes are high to succeed to the point where manufacturers will be able to fight off assaults to increase uptime and productivity.
“The definition of resiliency is going to change. It will change to how effective you are in being able to detect threats,” said Leo Simonovich, vice president and global head of industrial cyber and digital security at Siemens. “Resiliency is going to be more proactive as an approach. It used to be ‘can I withstand an attack?’ We are living in a world where users have to withstand up to 12 attacks a years in OT. Then the question is how do you do that? You have to understand how an adversary moves through your environment and then visibility becomes a key. The other piece that is key is organizing yourself in a way that allows you to build layers of defense.”
Technologies on rise
In thinking about layers of defense, there are technologies on the horizon, or are already out there, that could see greater use in the coming year.
“One of the technologies we are seeing is software defined networking, where you can define not just this layer will talk to this layer, but having the ability to define this specific device can talk to this specific device with this specific protocol at this specific time and have it completely granular is absolutely critical,” said Eric Byres, chief executive at software security validation provider, aDolus. “Use of containers and cloud-based container-based technologies are really starting to show up. The nice thing about containers and the whole container model is it doesn’t matter where the target container is if you don’t want to run it in the cloud, you don’t have to. You can take what somebody wrote for the cloud and put it on the plant floor.”
“We are moving, and this started in 2019, to the deployment of anomaly detection tools,” Cusimano said. “In years prior, there was a lot of kicking of the tires. There were more deployments in 2019 and more planned for 2020 and beyond. The actual adoption and implementation is still in its infancy. There are some large corporations starting the deployment.”
Anomaly detection tools are the rage in the industry right now, but that is not the only answer to the security issue.
“On the positive side, it means the company is doing something. They are taking some action and making some investments in OT cybersecurity,” Cusimano said. “The negative side is some companies think that is all I need to do. There is a false sense of security. These tools have a lot of value identifying and reporting anomalies, they effectively are alarm systems. But if you have not implemented fundamental ICS security you are putting a fancy alarm on an insecure structure. There are some companies that are trying to buy their way out of a security issue. There are some that are taking the easy way out.
“None of the anomaly detection tools out there are prevention tools. Firewalls are prevention tools, network segmentation is a prevention tool, hardening of the OT environment is an effective prevention tool. Hardening switch configurations, controlling access, local and remote access controls are all effective tools. You go to any of the standards, there is no shortage of information on prevention tools,” Cusimano said.
It all comes down to having a grasp on where your company is with its security program.
“A lot of companies have put in the prevention tools and they are becoming more mature and going to the next step by putting in detection tools,” Cusimano said. “That makes perfect sense. It is the other way around when people put in the detection tools first, or only, and don’t do the fundamental protection measures, they are trying to buy their way out.
“You can’t just go out and buy a tool and think you are secure. There is a place for tools. It is not meant to excuse you from doing your basic cybersecurity protections. It is important to have an complete overall program. Nobody would expect to implement the program overnight, but at least if you have a frameworks and a roadmap and a plan and use risk management to prioritized to see what you should do first,” Cusimano said.
Looking at other technologies on the rise Simonovich thinks artificial intelligence will gain more strength in the come year.
“One jarring statistic for me (from the Siemens-sponsored Ponemon study) is only 18% of utility organizations adopted artificial intelligence (AI) in their ability to do detection,” Simonovich said. “With machine-speed attacks and with ransomware in the OT environment, artificial intelligence can help, but we have to make it practical. There are two applications where AI will become useful. One is around contextualization. A combination of domain expertise and AI will become powerful. The second is solving a practical problem is patching. Artificial intelligence can create a backstop against known vulnerabilities.”
Manufacturing in the cloud may have a future.
“People say there will never be control in the cloud, but I don’t know,” Byres said. “I was sitting in a meeting with some really senior people that gave me a use case that was really compelling. You won’t put control in the cloud every day, but there may be cases where it works.
Another growing “technology” is not a technological problem at all, said Joel Langill, director of ICS Cyber Security Services at AECOM – Management Services. “I think it is access to and the ability to respond to threat intelligence. Actionable intelligence. What is missing, and needed, and will be the game changer, is global threat intelligence. It is a global economy now, what is being done to share actionable intelligence to all countries? There is a lack of global actionable intelligence and I just don’t see that being solved.
“I am starting to see microsegmentation. (Microsegmentation is a method of creating secure zones in data centers and cloud deployments that allows companies to isolate workloads from one another and secure them individually.) People know the concept and principals of least privilege, but they fail to use it. One example is a domain controller represents one of the greatest asset targets in an architecture. If you own an active directory server, you own domain enterprise credentials. A domain controller never initiates communications, it always is the receiver. Why, then, do we not lock down active directory boxes so they can never generate a single byte of outbound traffic. You don’t see that because people don’t understand microsegmentation,” Langill said.
Technology will help move security forward, but it will all come down to people.
“The biggest roadblock to me is the lack of staff, a lack resources, that is holding things up,” Byres said.
“I think once this becomes a board level priority, and once ownership is assigned, then it is a question of understanding priorities and then assigning resources against those priorities,” Simonovich said. “People and talent will become scarce, so who do you assign it to? Scarcity will continue that could be the linchpin or the Achilles heel that could slow down our ability as an industry in the catch up game against the rapidly evolving threat environment.”
Security in the manufacturing automation sector is getting stronger and it all starts with understanding, and admitting, the problem and starting to deal with it. There is no denying it.