For a long time, production facilities could not be attacked from the outside. But in recent years that has changed. Operational Technology (OT) connects the machines to the Internet. This offers many advantages, but also attracts cybercriminals.
Today’s OT networks power production areas built on an ecosystem of third-party services, devices, and infrastructure. These in turn build on third-party services, devices and infrastructure, which also build on third-party services, devices and infrastructure. This makes the OT digital supply chain a house of cards from a cybersecurity perspective. If you pull out a card, everything collapses. For this reason, OTORIO started and evaluated an investigation into OT security.
A gap in the OT digital supply chain can result in disruption to production, services, users, customers and even business continuity. Hackers know that, of course. As a result, they are increasingly targeting third-party OT infrastructure rather than bothering to attack the target organizations’ security perimeters head-on. As demonstrated by the attacks on SolarWinds, Codecov, Kaseya, and most recently Transnet, the threats to the OT supply chain are serious, real, and growing rapidly. In all of these and many other attacks, hundreds of organizations were impacted by a vulnerability exploited at a single service provider.
So it was not surprising to learn that a majority (53 percent) of respondents to the most recent OT Cybersecurity Survey ranked supply chain attacks as one of the top three cybersecurity issues. 99 percent of participants reported a supply chain attack in the last 12 months. The question is not whether there is a problem, but rather what can be done about it.
Rethinking the OT cybersecurity supply chain
Even if operators, manufacturers and machine builders invest heavily in the cyber security of their own networks and plants, hackers have turned their focus to highly complex upstream and downstream production systems. The impact of this trend is exacerbated by the inherent complexity of securing operational environments.
Every company, whether service provider, manufacturer, machine builder or supplier, is only as strong as the weakest link in its supply chain. Given the dynamic threat landscape and ever-changing technologies, machine builders and service providers ultimately become part of the end customer’s supply chain. This means that the cyber responsibility of machine manufacturers and service providers can no longer end after the Site Acceptance Test (SAT).
Any actor with remote access to the production environment poses a potential vulnerability or threat to the entire supply chain. So what needs to be done? First of all, machine builders and service providers need to ensure that each machine or service is fully secured and compliant before delivery. Manufacturers are already demanding proof of this security and compliance. In fact, 96 percent of the survey participants already require their suppliers to have a cyber certificate for their hardware or software. The rest plan to require this from 2022.
Machine manufacturers are now expected to rapidly perform automated checks and provide auditable reports during the SAT phase. Manufacturers and operators also demand ongoing responsibility for the cybersecurity and cyber resilience of the machines supplied. This requires a rethink of how machines are certified as cyber-secure.
To meet customer demands, machine builders must employ technology that enables the identification, tracking, and remediation of vulnerabilities in every machine at every customer site, including all built-in components from every manufacturer. They must also ensure that their machines comply with industry best practices, customer safety and other policies, warranty and service requirements, and constantly evolving international and local regulations. They must also proactively notify their customers in real time when new vulnerabilities are discovered and provide clear policies for real-time or near-real-time remediation.
What about the end users?
End users, both manufacturers and operators, are increasingly aware of and concerned about attacks emanating from their supply chains. In the aforementioned poll, 83 percent of respondents said they were “very concerned” and 17 percent “somewhat concerned” about this. This awareness is now being translated into action.
Manufacturers and operators do more than proactively and continuously assess the risks and security gaps in their environments. They also require that every machine, system, device and service be checked against cybersecurity, legal and contractual requirements before delivery. To reduce risk and liability, these companies implement micro-segmentation technologies and restrict third-party access based on the principles of least privilege and zero trust.
What to do
Specialized vendors help both end users and machine builders shore up the digital supply chain house of cards by addressing existing and emerging challenges related to the vulnerability of OT networks and assets.
For industrial manufacturing companies, assessment solutions help manage OT cybersecurity risks. These identify threats, instruct operations personnel on how best to mitigate them, and automatically generate an assessment of security controls, risk, compliance, and governance. All of this cuts audit time and required resources by up to 75 percent.
For machine manufacturers, new OT security systems offer a complete overview of all machines and their assets, even if they are not connected to a network. They automatically identify security threats and warn before vulnerabilities become a threat.