Adnan Ahmed, Head of ICT and CISO at Ornua
Adnan Ahmed is the Head of ICT and CISO at Ornua,
Synopsis: Industrial organizations are moving rapidly to take advantage of IT technologies in their operational technology (OT) environments to become more competitive. Security is becoming a priority in industrial IT and OT as connectivity to external networks grows and attacks on OT increase. Failing to take proactive security measures can disrupt production and cause major financial losses. Adnan Ahmed, Head of ICT & CISO at Ornua, discusses these challenges as well as ways to detect and mitigate complex cyber-attacks.
Cyberattacks can cause devastating business disruptions and lead to financial losses reaching hundreds of millions of dollars. The World Economic Forum’s 2019 Global Risk Report ranked cyberattacks disrupting operations and critical infrastructure among the top five global risks.
As part of business and digital transformation, interconnected systems and data analytics, Supervisory Control and Data Acquisition (SCADA), Industrial Control Systems (ICS), Industrial Internet of Things (IIoT) devices and smart sensors are being added to the manufacturing process. Along with the benefits of increased efficiency and shared data come mounting OT security risks to the infrastructure. Many companies are still not aware of the threats that cyberattacks pose to their OT assets. Moreover, their cybersecurity measures are usually not tailored to operational technology.
According to Gartner, operational technology (OT) is hardware and software that detects or causes a change through the direct monitoring and/or control of industrial equipment, assets, processes and events. OT security is the discipline of protecting industrial systems and networks from attack. ICS are typically mission-critical applications with a high-availability requirement at manufacturing sites. In most cases, the high capital and running maintenance cost of these systems cannot justify a parallel non-production or failover environment. In the absence of failover systems, site operations cannot afford system downtime, which can be catastrophic to the survival of the manufacturing site.
IT and OT Convergence
An unwelcome effect of IT/OT convergence is the expansion of the attack surface and of the threat vectors across the organisation, which gives hackers, malware authors and criminal groups more opportunities. Given the plethora of attacks and breaches, cyberthreats are now top of mind for discerning senior executives and board members. This awareness has resulted in increased funding for the IT environment, but not necessarily for the OT environment, where cybersecurity is still more an afterthought than an integrated part of the business plan.
As a result of IT/OT convergence, we are starting to see significant security challenges for the overall organisation. These include a lack of security awareness across the IT/OT environment and fragmented security solutions that do not necessarily work in the OT environment. Furthermore, much of the malware that circulates in the IT environment can impact OT. For fear of the potential consequences, an organisation might intentionally shut down operations because of a malware attack, or even just the threat of one. This sort of self-denial-of-service was exemplified by Honda and Renault when they halted manufacturing at their respective plants to prevent the spread of ransomware in their systems, even though there were no alarms on the factory floor.
The IT and OT environments also have different views of security, as they have usually had different reporting lines and business needs. Consequently, IT security practices get misapplied in the OT environment, which in turn leads to self-denial-of-service and other complications. For example, pointing IT tools such as invasive penetration testing or active network mapping scanners at the OT environment can stall or crash OT systems such as legacy Programmable Logic Controllers (PLCs), whose network stacks were never designed to tolerate unexpected or malformed traffic.
Industrial Internet of Things (IIoT)
The Industrial Internet of Things (IIoT) will revolutionize manufacturing by enabling the acquisition and accessibility of far greater amounts of data, at far greater speeds, and far more efficiently than before. Several innovative companies have started to implement the IIoT by leveraging intelligent, connected devices in their factories. Businesses that have embraced the IIoT have seen significant improvements to safety, efficiency, and profitability, and it is expected that this trend will continue as IIoT technologies are more widely adopted.
There is an exploding number of unmanaged and unprotected IIoT devices in use within companies, so the attack surface is growing rapidly. Cybercriminals and nation-state actors target IIoT because of the lack of security built into these devices. Because cyberattacks have the potential to cripple businesses, companies are recognizing the need to make security a priority. The proliferation of sensors and other smart, connected devices has brought a parallel explosion in security vulnerabilities.
Key challenges of cybersecurity in the OT environment and recommended security measures to protect manufacturing sites
Most well-publicized attacks have been on traditional IT systems. But with attacks on critical industrial environments now becoming more frequent, people are starting to wake up to the operational, financial, reputational, and even human and environmental damage they can inflict. As awareness of the threat environment grows, many top executives at these companies are sharpening their focus on cybersecurity. They are asking important questions such as: what does it take to transform our cybersecurity capabilities to protect us from these threats, and how do we benchmark ourselves against our peers? Resource constraints, and finding highly skilled people in this area, are a major challenge for every organization.
I have identified six key issues that need addressing.
- Lack of awareness
Cyberattacks are among the biggest external threats to an organization. Encouraging and facilitating board-level engagement with cybersecurity is perhaps the most important thing any CIO or CISO can do to improve an organization's security culture at large.
The risks associated with OT networks also differ and they need to be understood by Senior Executives and Board of Directors (BoD). These include significant risks such as costly production outages leading to financial losses, catastrophic safety failures and environmental damages leading to potential liability issues, and theft of corporate IP leading to loss of competitive advantage.
Given the potential implications for the health and safety of human lives, environmental damage, financial issues such as production losses, negative impact on a nation's economy, and in a worst-case scenario the very ability of a society to function, OT network security must be addressed with the same rigour as IT network security, including board-level visibility.
Centralized leadership for both IT and OT security, combined with a security program that incorporates a cybersecurity framework designed specifically for OT networks, along with the appropriate ongoing monitoring and measurement of that program, will help enterprises manage and minimize their OT security risks.
- Legacy network
Despite the high-profile attacks on unpatched systems, many organizations don't regularly apply patches or have patching policies and procedures in place for ICS. In many cases, these systems were developed years ago and are tied to older versions of Microsoft Windows. In the case of the WannaCry ransomware, Microsoft issued an out-of-band patch for Windows XP and other unsupported operating systems to limit the number of machines at risk. However, patching vulnerabilities is often not an option in industrial environments, as these systems need to operate non-stop and a reboot or a failed update means lost production.
To overcome this barrier, make your OT networks visible to your security team. Start monitoring your network devices such as routers, switches, and firewalls, as well as the control systems servicing your environment. With situational awareness of what is attempting to connect to the OT systems, and of what is going on within them, your security professionals can protect the enterprise holistically. In short, even if you cannot patch Windows machines, know where they are and who is talking to them.
- Lack of Security Expertise in OT Environments
The inability to properly identify or act on risks that impact business operations is one of the primary hurdles in securing ICS. This challenge is compounded by the lack of security expertise in OT environments and the increasing reliance on third-party vendors to provide SCADA/ICS infrastructure security, which grants vendors high-level access to those systems.
Strategies focusing only on IT systems and excluding ICS, SCADA systems, and IIoT assets will only perpetuate an environment of risk that outsider and insider threats will eventually exploit. The attack surface will increase along with the level of digitization so business leaders must act now. If an organization suffers a breach, it must be able to quickly determine when it happened, what damages were caused and whether it has been remediated.
- Exposure to third-party risk
Cybersecurity vulnerability assessments typically find that an environment is never completely air-gapped. Assessments usually turn up unsanctioned external connections created by control engineers, most often for non-threatening, non-malicious reasons. These undocumented, unapproved network connections are usually created to ease an engineer's maintenance and troubleshooting work, to avoid having to carry a file or program into the control environment on removable media ("sneakernet").
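The following Python script is an added example, not code from the original article or from Ornua; it shows the kind of situational-awareness check described under Legacy network above and in the paragraph just before this one. It parses constructed firewall connection records, flags inbound connections into the OT zone that do not come from an approved source on an approved port, flags outbound connections from OT hosts to non-private addresses (the unsanctioned external connections that assessments keep finding), and lists which peers are talking to hosts that the asset register marks as unpatched. The zone ranges, the approved jump host and historian addresses, the unpatched-host register and the log lines are all assumptions made for the example.

```python
"""Flow audit for an OT zone: approved inbound sources, unsanctioned egress,
and exposure of known-unpatched hosts. Added example; all addresses and log
lines below are constructed."""
import ipaddress

OT_ZONE = ipaddress.ip_network("10.20.0.0/16")              # assumed plant-floor range
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# IT/DMZ hosts approved to initiate connections into OT, with the ports allowed (assumed)
APPROVED_INBOUND = {
    ipaddress.ip_address("10.10.5.20"): {3389},    # jump host -> RDP to engineering stations
    ipaddress.ip_address("10.10.5.40"): {44818},   # historian collector -> EtherNet/IP
}
# Hosts the asset register marks as unpatchable legacy systems (constructed)
UNPATCHED = {ipaddress.ip_address("10.20.1.15"): "Windows XP operator station"}

# Constructed firewall records: timestamp src dst dport proto action
SAMPLE_LOG = """\
2019-06-01T08:00:01 10.10.5.20 10.20.1.10 3389 tcp allow
2019-06-01T08:00:05 10.10.5.40 10.20.1.15 44818 tcp allow
2019-06-01T08:01:12 10.10.7.99 10.20.1.15 445 tcp allow
2019-06-01T08:02:30 10.20.1.22 203.0.113.7 443 tcp allow
2019-06-01T08:02:31 10.20.1.22 10.20.1.10 502 tcp allow
2019-06-01T08:03:00 10.20.1.30 10.10.5.40 44818 tcp allow
"""


def parse_log(text):
    """Turn whitespace-separated firewall lines into dicts with parsed addresses."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, action = line.split()
        records.append({"ts": ts, "src": ipaddress.ip_address(src),
                        "dst": ipaddress.ip_address(dst), "dport": int(dport),
                        "proto": proto, "action": action})
    return records


def is_private(addr):
    return any(addr in net for net in PRIVATE)


def audit(records):
    """Return (kind, ts, src, dst, dport) tuples for policy violations."""
    findings = []
    for r in records:
        src, dst = r["src"], r["dst"]
        src_ot, dst_ot = src in OT_ZONE, dst in OT_ZONE
        # Inbound into OT must come from an approved host on an approved port
        if dst_ot and not src_ot and r["dport"] not in APPROVED_INBOUND.get(src, set()):
            findings.append(("unapproved-inbound", r["ts"], str(src), str(dst), r["dport"]))
        # OT hosts must never reach addresses outside the plant's private ranges
        if src_ot and not dst_ot and not is_private(dst):
            findings.append(("external-egress", r["ts"], str(src), str(dst), r["dport"]))
    return findings


def unpatched_exposure(records):
    """Map each known-unpatched host to the peers (addr:port) that reached it."""
    exposure = {}
    for r in records:
        if r["dst"] in UNPATCHED:
            exposure.setdefault(str(r["dst"]), set()).add(f"{r['src']}:{r['dport']}")
    return {host: sorted(peers) for host, peers in exposure.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for finding in audit(recs):
        print(*finding)
    for host, peers in unpatched_exposure(recs).items():
        print(f"{host} ({UNPATCHED[ipaddress.ip_address(host)]}) reached by: {', '.join(peers)}")
```

On the constructed log the script reports the SMB connection from the unknown IT host 10.10.7.99 to the XP operator station and the HTTPS session from an OT host to a public address; the approved jump-host and historian flows pass. In a real plant the same logic would run over exported firewall or NetFlow records, and the allowlist would come from the documented conduits between zones rather than from constants in the script.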
Cost and timing sometimes interfere with a company's responsibility to assess vendor security compliance, both before the contract and on a regular basis thereafter. Sector-specific collaboration groups such as Information Sharing and Analysis Centers (ISACs) have become important in reducing these costs. For instance, the Health ISAC, which includes pharmaceutical and medical device manufacturers with large OT contingents, has implemented a tool that automates evidence collection and sector-specific risk assessments to measure third-party vendors for security and data risk. This ISAC has also created a standardized vendor repository for evidence collected by others.
Compared with IT, the OT environment is highly customized, as it supports a process specific to a given operation. The proprietary nature of OT equipment means that companies rely on the Original Equipment Manufacturer (OEM) to maintain it and make changes. This equipment is often a “black box” to its owner, who has no visibility into security features or levels of vulnerability. Furthermore, companies are increasingly outsourcing maintenance and operation of OT or adopting build-operate-transfer contracts. These types of relationships require third parties to gain physical access to OT networks. Where remote maintenance is required, the owner needs to establish connections to the OEM networks. These remote connections are mostly unsupervised by the owner organizations, introducing a blind spot. Several heavy industrials have reported that third parties frequently connect laptops and removable storage devices directly into the OT network without any prior cybersecurity checks, despite the obvious dangers of infection.
Vendor assessments and contracts for OEMs often fail to include a cybersecurity review. This failure prevents companies from enforcing security standards without renegotiating contracts. Where they do conduct pre-contract security assessments, results are rarely pursued. OEM vendors that do have security features in their products report that operational buyers rarely want them. In some cases, even if security features are included by default, or at no additional cost, the buyer does not use them.
You need to develop a constructive dialogue on cybersecurity with suppliers and partners. Audit the critical systems used and/or provided by suppliers. Clearly define suppliers' due-diligence obligations and liabilities concerning cybersecurity before signing an agreement, including during the mergers and acquisitions (M&A) process.
- Identify your Crown Jewel Processes
Protecting an organization's most valuable assets, its crown jewels, is essential to protecting the organization from adverse monetary, reputational, and business continuity impact. One of the best ways to approach protecting the crown jewels is through the NIST Cybersecurity Framework (CSF), which provides a clear, risk-based approach.
You cannot protect everything all the time, but you can protect the most important things most of the time. Identify the functions whose failure would threaten your organization's very survival, e.g. catastrophic safety incidents, revenue loss, lawsuits or compliance violations, brand reputation damage, or theft of intellectual property.
- Practice Cyber Hygiene
The objective is to reduce the attack surface when a vulnerability cannot be fixed by a patch because of ICS availability and safety constraints; sometimes a patch is simply not possible in ICS. The concept is to define and implement several cumulative technical measures and remediation actions at the periphery of the system, combined with organizational and procedural ones.
- Hardening of Configurations
Install only the necessary software, protocols, and services. Audit production servers and operator stations to check that no development tools are present on them. Make configuration choices explicitly rather than accepting defaults. Systematically disable vulnerable and insecure protocols and features, and disable automatic configuration and discovery protocols. Disable remote configuration and operating-mode management on critical installations. Change the default password the moment a device comes online.
To be able to recover the system rapidly after an attack, define a backup policy covering what data needs to be backed up to meet user needs, rebuild an installation, or meet regulatory requirements. Periodically verify the backed-up data by restoring a sample of it; a backup that has never been restored is not one you can rely on.
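As an added example, not code from the original article or from Ornua, the Python script below implements the backup discipline just described for a folder of ICS artefacts (PLC project files, HMI screens, switch configurations): it archives the folder, writes a SHA-256 manifest beside the archive, and verifies the backup by restoring it into a scratch directory and checking every file against the manifest. The file names and contents are constructed placeholders, and the manifest format is an assumption made for the example.

```python
"""Integrity-checked backup of ICS artefacts with a restore test.
Added example: the file contents are constructed placeholders."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

# Constructed stand-ins for a PLC project, HMI screens and a switch config
SAMPLE_FILES = {
    "plc/line1_main.prj": b"<constructed PLC project file>",
    "hmi/screens.xml": b"<screens><screen name='overview'/></screens>",
    "network/sw01.cfg": b"hostname sw01\nno ip http server\n",
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_sample(source_dir):
    for rel, data in SAMPLE_FILES.items():
        p = Path(source_dir) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def create_backup(source_dir, backup_dir):
    """Archive source_dir and write a SHA-256 manifest next to the archive."""
    source_dir, backup_dir = Path(source_dir), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / "ics-backup.tar.gz"
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    manifest_path = backup_dir / "ics-backup.manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return archive, manifest_path


def verify_backup(archive, manifest_path):
    """Restore into a scratch directory and compare every file's hash with
    the manifest. Returns a list of problems; empty means a clean restore."""
    expected = json.loads(Path(manifest_path).read_text())
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar.getmembers():
                if not member.isfile():
                    continue
                rel = Path(member.name)
                # Never let archive contents escape the restore directory
                if rel.is_absolute() or ".." in rel.parts:
                    problems.append(f"unsafe path in archive: {member.name}")
                    continue
                out = Path(scratch) / rel
                out.parent.mkdir(parents=True, exist_ok=True)
                with tar.extractfile(member) as src, open(out, "wb") as dst:
                    dst.write(src.read())
        for rel, digest in expected.items():
            restored = Path(scratch) / rel
            if not restored.exists():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != digest:
                problems.append(f"hash mismatch after restore: {rel}")
    return problems


def demo():
    """Back up the sample, verify it, then show that a mismatch is caught."""
    with tempfile.TemporaryDirectory() as root:
        src, bak = Path(root) / "src", Path(root) / "backup"
        build_sample(src)
        archive, manifest = create_backup(src, bak)
        clean = verify_backup(archive, manifest)
        # Simulate drift between what should have been backed up and what the
        # archive actually restores by altering one expected hash
        altered = json.loads(manifest.read_text())
        altered["hmi/screens.xml"] = "0" * 64
        altered_path = bak / "altered.manifest.json"
        altered_path.write_text(json.dumps(altered))
        return clean, verify_backup(archive, altered_path)


if __name__ == "__main__":
    clean, drifted = demo()
    print("clean restore problems:", clean)
    print("drifted manifest problems:", drifted)
```

The restore test is the important half: the verify step is what you schedule periodically, and a non-empty problem list is the signal that the backup could not rebuild the installation. Keep the manifest and archive on separate media from the systems they protect, since ransomware that reaches the backup share will encrypt both.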
- Protection of Programmable Logic Controller (PLC)
Protect access to the PLCs with a password. Most PLC hardware allows a read-only access level to be configured for first-level maintenance interventions. Protect access to the source code and to the code embedded in the CPUs. Disable remote configuration and/or programming modes where the functionality exists (on many PLCs this is the physical RUN/PROG key switch: leave it in RUN). Lock the PLC cabinets with a key. On critical installations, fit the cabinet door with a dry-contact switch so that an opening raises an alarm.
- Management of removable devices
Laptops or USB devices that have not been cleaned and checked must never be connected to the Industrial Control Systems (ICS) network. Define a policy for the use of removable devices. Disallow the use of removable devices in general and, where data exchange is necessary, use a data airlock (a dedicated scanning station that checks media before they enter the OT zone). Restrict functionality or disable USB ports on systems.
- Account access management
Define a policy for managing user and application accounts. Do not leave default accounts on devices and applications. Enforce the definition and use of strong passwords. Enforce periodic password changes and, at a minimum, change shared or service-account passwords whenever someone who knew them leaves, since shared operator accounts are common in OT. No worker should be allowed to browse the internet from within an ICS network.
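The Python script below is an added example, not code from the original article or from Ornua; it turns the hardening rules under Hardening of Configurations and the account rules just above into a baseline check over a constructed inventory of three plant-floor assets. It flags insecure services, services a role does not need, discovery protocols left enabled, development tools on production hosts, accounts still using a vendor default password, and passwords older than the rotation policy. The baseline sets, the default-credential list, the inventory and the use of plain SHA-256 for the stored password hash are all assumptions made for the example.

```python
"""Hardening and account baseline check over a constructed ICS host inventory.
Added example: the baseline sets, default-credential list and inventory are
assumptions, not vendor data."""
import hashlib
from datetime import date

INSECURE_SERVICES = {"telnet", "ftp", "http", "snmpv1", "snmpv2c", "smbv1"}
DISCOVERY_PROTOCOLS = {"cdp", "lldp", "upnp", "ssdp", "netbios-ns"}
DEV_TOOLS = {"compiler", "debugger", "ide", "scripting-sdk"}
# Services each role legitimately needs; anything else should be removed
ALLOWED_SERVICES = {
    "operator_station": {"hmi-runtime", "rdp"},
    "engineering_station": {"plc-programming", "rdp", "ssh"},
    "switch": {"ssh", "snmpv3"},
}
# Vendor default credentials to test for (constructed list)
DEFAULT_CREDS = [("admin", "admin"), ("admin", "password"),
                 ("operator", "operator"), ("root", "root")]
MAX_PASSWORD_AGE_DAYS = 180


def pw_hash(password):
    # Illustrative only: real devices store vendor-specific (ideally salted) hashes
    return hashlib.sha256(password.encode()).hexdigest()


DEFAULT_HASHES = {(user, pw_hash(pw)) for user, pw in DEFAULT_CREDS}


def check_host(host, today):
    """Return a list of baseline violations for one inventory entry."""
    findings = []
    allowed = ALLOWED_SERVICES.get(host["role"], set())
    for svc in sorted(host["services"]):
        if svc in INSECURE_SERVICES:
            findings.append(f"insecure service enabled: {svc}")
        elif svc not in allowed:
            findings.append(f"service not required for role {host['role']}: {svc}")
    for proto in sorted(host.get("discovery", ())):
        if proto in DISCOVERY_PROTOCOLS:
            findings.append(f"discovery protocol enabled: {proto}")
    # Engineering stations need programming tools; production hosts do not
    if host["role"] != "engineering_station":
        for tool in sorted(set(host.get("software", ())) & DEV_TOOLS):
            findings.append(f"development tool on production host: {tool}")
    for acct in host.get("accounts", ()):
        if (acct["user"], acct["password_sha256"]) in DEFAULT_HASHES:
            findings.append(f"account {acct['user']} still uses a vendor default password")
        age = (today - acct["last_changed"]).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append(f"account {acct['user']} password is {age} days old")
    return findings


def check_inventory(inventory, today):
    return {host["name"]: check_host(host, today) for host in inventory}


# Constructed inventory of three plant-floor assets
INVENTORY = [
    {"name": "OPS-01", "role": "operator_station",
     "services": {"hmi-runtime", "rdp", "smbv1"}, "discovery": {"netbios-ns"},
     "software": ["hmi-runtime", "debugger"],
     "accounts": [{"user": "operator", "password_sha256": pw_hash("operator"),
                   "last_changed": date(2018, 1, 10)}]},
    {"name": "ENG-01", "role": "engineering_station",
     "services": {"plc-programming", "rdp"}, "discovery": set(),
     "software": ["ide", "plc-programming"],
     "accounts": [{"user": "engineer", "password_sha256": pw_hash("correct-horse-line1-2019"),
                   "last_changed": date(2019, 4, 1)}]},
    {"name": "SW-01", "role": "switch",
     "services": {"ssh", "telnet", "http"}, "discovery": {"cdp"},
     "accounts": [{"user": "admin", "password_sha256": pw_hash("admin"),
                   "last_changed": date(2015, 6, 1)}]},
]


def run_baseline(today=date(2019, 6, 1)):
    """Run the baseline over the constructed inventory as of a fixed date."""
    return check_inventory(INVENTORY, today)


if __name__ == "__main__":
    for name, findings in run_baseline().items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run as written, the engineering station passes, while the operator station and the switch each produce five findings (SMBv1, NetBIOS name service, a debugger and a default operator password with a 507-day-old password on the station; telnet, HTTP, CDP and an admin/admin account on the switch). In practice the inventory would be populated from device exports and a configuration scanner rather than typed by hand, and default-credential testing would be done by attempting the login against the device, not by comparing hashes.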
- Create a more manageable Operating System (OS) upgrade schedule
ICS systems are more difficult to upgrade than corporate IT systems. Many ICS systems run 24x7 with limited maintenance windows, and there is often no test ICS available on which to validate an upgrade before applying it in production. Legacy Windows systems are extremely vulnerable and should be updated. If that is not possible, implement compensating controls such as continuous security monitoring and granular segmentation policies.
Define a patch management policy (systematic, periodic, or ad hoc) adapted to the functional constraints and identified risks. For example, define patch deployment priorities, and verify backward compatibility and interoperability before rollout. Systematically apply patches to engineering stations and mobile (nomadic) stations. Periodically apply patches to operator stations. Apply patches to sensitive installations during maintenance windows.
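As an added example, not code from the original article or from Ornua, the Python script below encodes the patch cadence just described and produces a deployment plan for a constructed set of assets and patches: engineering and nomadic stations are patched systematically, operator stations periodically, sensitive installations only in their maintenance window and only once the ICS vendor has validated compatibility, and assets on an operating system that can no longer be patched are routed to compensating controls instead. Patches are ordered within each asset by severity multiplied by network exposure. The asset list, the patch list, the exposure scale and the list of unsupported operating systems are all assumptions made for the example.

```python
"""Patch scheduling for an ICS estate following the cadence in the text:
engineering/nomadic stations systematically, operator stations periodically,
sensitive installations only in a maintenance window, and compensating
controls where the OS can no longer be patched. Added example with a
constructed asset list and patch list."""
from dataclasses import dataclass

CADENCE = {
    "engineering_station": "systematic",
    "nomadic_station": "systematic",
    "operator_station": "periodic",
    "sensitive_installation": "maintenance_window",
}
# Operating systems for which no vendor patches exist any more (assumed)
UNSUPPORTED_OS = {"Windows XP", "Windows Server 2003", "Windows 7"}


@dataclass
class Asset:
    name: str
    role: str
    os: str
    exposure: int          # 1 = isolated cell, 2 = plant network, 3 = reachable from IT
    window: str = ""       # next maintenance window, for sensitive installations


@dataclass
class Patch:
    id: str
    severity: float        # CVSS-style base score
    applies_to: frozenset  # OS names it applies to
    vendor_validated: bool # ICS vendor confirmed backward compatibility


def plan(assets, patches):
    """Return one action per (asset, patch), highest priority first per asset."""
    actions = []
    for a in assets:
        applicable = [p for p in patches if a.os in p.applies_to]
        if a.os in UNSUPPORTED_OS:
            # Nothing to deploy: segment and monitor until the host is replaced
            actions.append({"asset": a.name, "patch": None, "priority": None,
                            "action": "compensating-controls",
                            "note": f"{a.os} unsupported: segment, monitor, plan replacement"})
            continue
        cadence = CADENCE[a.role]
        for p in sorted(applicable, key=lambda p: -p.severity * a.exposure):
            if cadence == "maintenance_window":
                action = (f"deploy-in-window:{a.window}" if p.vendor_validated
                          else "hold-until-vendor-validated")
            else:
                action = f"deploy-{cadence}"
            actions.append({"asset": a.name, "patch": p.id,
                            "priority": round(p.severity * a.exposure, 1),
                            "action": action})
    return actions


# Constructed estate and patch backlog
ASSETS = [
    Asset("ENG-01", "engineering_station", "Windows 10", 3),
    Asset("OPS-02", "operator_station", "Windows 10", 2),
    Asset("OPS-01", "operator_station", "Windows XP", 2),
    Asset("BATCH-CTRL", "sensitive_installation", "Windows Server 2016", 1, "2019-08 shutdown"),
]
PATCHES = [
    Patch("P-1", 9.8, frozenset({"Windows 10", "Windows Server 2016", "Windows XP"}), True),
    Patch("P-2", 7.5, frozenset({"Windows Server 2016"}), False),
    Patch("P-3", 5.3, frozenset({"Windows 10"}), True),
]


def demo_plan():
    return plan(ASSETS, PATCHES)


if __name__ == "__main__":
    for act in demo_plan():
        print(act)
```

The output makes the policy's trade-offs visible: the critical patch P-1 goes out systematically to the engineering station, periodically to the supported operator station, and only in the August shutdown window to the batch controller, while P-2 is held for the controller until the vendor confirms compatibility, and the XP operator station gets no patch at all and is instead listed for segmentation and monitoring. Feeding this from the real asset register and the vendor's patch compatibility matrix is what turns the policy statement into a schedule someone can execute.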