Into the breach: What IT-OT convergence means for your security strategy

Posted on 5 Oct 2020 by Jonny Williamson

The Manufacturer talks ‘rogue automation’, operational control and cybercriminals with Bharat Mistry, Principal Security Strategist at global cybersecurity specialist Trend Micro.

The Manufacturer: Almost all manufacturers have adopted some form of cloud service. Yet, the most common use cases are for non-core enterprise IT applications such as accounting, ERP, inventory control, email and file storage. 

Relatively few have taken their production environments on a journey into the cloud. Why is that? 

Bharat Mistry Courtesy Trend Micro
Bharat Mistry , Principal Security Strategist, Trend Micro.

Bharat Mistry: There is a scale of maturity in manufacturing; on one end you have those businesses who realise the benefit of getting telemetry from their legacy machines and equipment. They recognise the need to do something to modernise their operation and become more productive but have yet to take any meaningful steps.

On the other end, you have businesses who have an active programme to become more agile, competitive and responsive to customer demands but have realised the limitations of their in-house IT teams.

The reasons those limitations exist is because of a lack of data storage, high costs and the traditional cycle of IT procurement, i.e. it takes at least three to five years to sweat the asset out.

That doesn’t offer the dynamic scale and pull that you sometimes need in manufacturing. For example, you may need to run a complex report at the each of each month that requires intense compute power but only for 24 hours. Enterprise IT isn’t geared up for anything like that, whereas cloud absolutely is.

Increasingly, organisations want to launch digital transformation programmes now, but it takes 18 months for the infrastructure to be ready. To achieve the speed of execution demanded from today’s ultra-competitive landscape, more and more manufacturers are starting to migrate their whole operation to the cloud, not just back office applications.

Another significant driver for adoption is that as manufacturers replace and modernise their legacy equipment, they are realising that access to data and telemetry can be used to create new business intelligence and could provide a step-change in their efficiency, performance and business operation.

If there’s a maturity scale, which sectors are leading the charge?

Technology and electronics-led manufacturers are certainly ahead of the curve, as are those involved in petrochemicals. They typically have quite dynamic set-ups, handle large volumes and have varied product portfolios.

The laggards are those with static assembly lines, manufacturing fairly similar products in low volumes, i.e. heavy engineering or aerospace. The exception to that is automotive with their multiple different models and customisation options.

Trend Micro is sponsoring Digital Manufacturing Week 2020 – bringing together the people and companies redefining global manufacturing landscape

Click the image below to register and to learn more:

Digital Manufacturing Week 2020 - Email Banner1024

Given how volatile demand cycles have been in 2020, have you seen manufacturer’s interest in cloud increase?

Absolutely. The pandemic has heighted the need to become agile, flexible and responsive, and in-house IT teams typically aren’t in a position to affect change quickly. Cloud is.

Also, cloud effectively offers unlimited storage and the ability to consolidate data quickly and easily. For many manufacturers, that’s a capability they’re only just starting to take advantage of.

However, there does appear to be an underlying barrier, particularly among shop floor engineers; the idea that the moment you connect, you lose control. We frequently hear that concern.

The reality is that gaining a competitive edge requires your business to open up and take advantage of what a technology like cloud offers. That may mean losing control in some respect, but so long as you manage the risk carefully and in the right way, that loss won’t be detrimental to your operation. Quite the opposite, in fact.

What do you mean by ‘the right way’?

Don’t just blindly take a cloud service, dump your data in the cloud and assume the service provider is going to look after it for you. You have to take a risk-based approach supported with robust governance.

Ultimately, you’re responsible for your data, but you have to ask yourself does the service provider have appropriate security procedures? How reliable are they? Do they offer SLAs [service-level agreements]? Do they offer access control?

By asking those questions, you’re assessing the risk. Where possible, carry out your own independent audit of that cloud provider to ensure the right due diligence has been conducted.

Trend Micro’s latest report – Rogue Automation: Vulnerable and Malicious Code in Industrial Programming – highlights that much of the industrial automation currently in use is unable to detect when a security breach has happened.

If operators are also unaware, it can be quite some time before corrective action is taken. How do businesses start to address these vulnerabilities?

An ecosystem has formed around open-source repositories of code written by end-users, vendors and those who sit in-between. Businesses are blindly taking this code and applying it to their machines in the belief that it’s going to work, and it won’t cause them any issues.

A certain level of rigour is being applied to these ‘App Store-esque’ repositories to vet who is posting and exactly what that code does, but the onus of responsibility is on whoever downloads the code.

We are seeing a change in would-be cyber criminals, especially when it comes to industrial control systems. Five years ago, industrial cyberattacks would be conducted by heavily funded organisations, typically a nation state or someone with intent to either infiltrate, sabotage or steal IP or trade secret.

The Notpetya malware (2016) and WannaCry ransomware (2017) attacks opened cybercriminals’ eyes to a previously unexploited playground that was relatively easy to penetrate and exploit – manufacturing and heavy industry.

Rogue elements have moved beyond low-level fishing emails and are increasingly using software downloaded from these automation App Stores as a means of entry into a manufacturer’s systems.

Trend Micro’s Forward-Looking Threat Research Team, who wrote the report, are constantly monitoring the underground threat forums, listening to the back chatter and identifying potential threats. One of the things they are looking for is rogue automation software, who’s writing it, who’s selling it and how is it being released.

The team is also actively testing code and looking at new equipment and has established several global ‘honeypots’ [a digital version of a police sting] to identify who is attacking, what are they attacking, how they are gaining entry and what their goal is.

As criminals continue to increase the sophistication and intensity of their attacks, how can manufacturers ensure their cybersecurity keeps pace?

The biggest mistake I see is a business taking their IT security strategy and applying it to the OT world, it just doesn’t work because the priorities are the other way round. For IT, the priorities are first and foremost confidentiality, integrity and then availability. For OT, safety is paramount, then comes availability, integrity and confidentiality; it’s completely the opposite.

You need to identify what’s important in OT, look at your business processes and then take a risk-based approach to say where your critical assets sit.

Conduct threat modelling to determine what threats are out there, what risk they pose to your business and if a machine or assembly line did go down, what your exposure would be. Quantifying that enables you to formulate a strategy that ranks your assets and the level of controls you need to have in place accordingly.

The other mistake I see is organisations applying a blanket approach to security, they have one template and make everyone stick to it regardless of use case. That’s when people start to circumvent security controls and holes can start to appear. Don’t try and have all your business processes conform to one inflexible security model.

You also need to realise that security isn’t a one-time thing; you can’t make a single investment and that’s that. You’ll be secure at that instant of time, but the next minute you might not be. The threat landscape is constantly evolving and changing, you have to keep on top of it.

Read the bulletins that organisations like Trend Micro provide, have a programme in place for patching critical vulnerabilities and if you can’t handle that, look to a third party specialist who can help.

One last thing; businesses can often feel they are too small or unimportant to be of interest to a cybercriminal; but the reality is they could be targeting you to get into your supply chain. Simply assuming you won’t be a target is not a reason to ignore this.