Industry Insights
How Industrial Networks Can Adapt to Accelerating Cyberthreats
POSTED 07/22/2024 | By: Dan McCarthy, A3 Contributing Editor, TECH B2B Marketing
Industry is learning that greater connectivity introduces new risks as well as new benefits.
The Industrial Internet of Things (IIoT) was prompted by a desire for deeper and more timely insights into the equipment and processes unfolding on the factory floor. To gain these insights, manufacturing enterprises deployed waves of networked sensors, interconnected machine controls, remote management platforms, and centralized data analytics that fueled an increasing convergence between information and operational networks. Although this convergence introduced many new benefits, such as reduced downtime, smarter inventory management, and improved business agility, it also increased the exposure of operational technology (OT) networks to cyberattacks.
In fact, manufacturing represented 20% of all cyberextortion campaigns perpetrated in 2023, making it the sector most targeted by these attacks, according to Orange Cyberdefense.
Dave Bader, VP of business development at Eurotech, cited this unfortunate statistic during Automate 2024, where he gave a presentation titled “Designing for Tomorrow’s Cybersecurity Challenges.” In his talk, Bader attributed hackers’ new interest in disrupting manufacturing operations to several factors. Among them were the IIoT’s increased connectivity of legacy equipment, unprotected data sharing, and poor training on security protocols.
Bader underscored the trend by highlighting some of last year’s headline attacks, such as one perpetrated on Brunswick Corporation that knocked operations offline for over a week and cost the company $85 million. Applied Materials similarly endured a ransomware attack last year that originated at a vendor in its supply chain. The estimated cost of that attack, Bader said, was $250 million, which left a dent in the company’s quarterly earnings report.
If these events are not enough to alert IT departments and plant operators to the growing risk of cyberattacks on OT, then consider the more recent headlines sounding the alarm on Volt Typhoon, a state-sponsored advanced persistent threat group linked to the People’s Republic of China.
Unlike traditional malware attacks that deploy signature files, Volt Typhoon has reportedly already embedded “live off the land” (LOTL) exploits within networks controlling critical U.S. infrastructure. LOTL attackers forgo installation of detectable codes or scripts within a target system. Instead, they leverage legitimate code and software environments that are already present on a network, such as PowerShell, Windows Management Instrumentation (WMI), and password-saving tools. That allows the elements of a LOTL attack to lie dormant and unseen on a network until the attacker is ready to activate them.
Though Volt Typhoon is reportedly targeting critical infrastructure, such as electrical substations, water treatment plants, and transportation hubs, its focus on disrupting OT can easily be translated to the control layers of a manufacturing operation.
“The tactics will be the same, even if the tools and procedures are different,” said Chris Gibbs, chief revenue officer at Dynics. “Attackers can establish a base camp in the IT network, live off the land, and cover their tracks until they’re connected to the OT network and can maintain presence. That is going to happen.”
Additionally, the stakes for OT networks are arguably higher than those for IT networks in some cases. “If hackers take over your website, you can take the website offline in most cases,” said Marcellus Buchheit, CEO of Wibu-Systems. “On OT networks, your safety, signal, and control protocols may all be running in parallel with data transmission on the network. So if your OT network is compromised, your safety controls are down too."
The manufacturing sector is responding to the increasing risk of cyberattack. Organizations such as the International Society of Automation and the National Institute of Standards and Technology are updating and expanding standards for more secure OT networks. Groups such as the Industry IoT Consortium are publishing detailed frameworks for how to proceed. (Wibu’s Buchheit co-authored one such study.)1 But as Orange Defense’s report shows, the response from industry is not advancing in step with hacker interest.
As the demand for IIoT technologies in automation networks continues to grow, the attack vector will also continue to grow, along with the number of adversaries and the frequency and sophistication of the attacks, said Henry Martel, senior field application engineer at Antaira Technologies.
Hardening operational security can be disruptive. It costs money and can demand enterprise-wide training to shift the culture to a more cautious mindset. And the threat is at once abstract and too immense to easily comprehend. Where does one begin to defend an ever-expanding attack surface?
Here, the news improves. The message of Bader, Gibbs, Buchheit, Martel, and other industrial cybersecurity experts interviewed is that the sector might be powerless to stop cyberattacks but manufacturers are not helpless when it comes to hardening their OT networks against them; nor does security need to be costly or disruptive.
Define and Defend
As industrial control systems are increasingly linked to one another and ported to the internet, plant managers and engineers can no longer leave cybersecurity to the IT department. Similarly, folks in IT must extend their vigilance to how data travels through OT networks and beyond.
Defending an operational network is not unlike defending a castle. First, you identify the weak points. This exercise is no different for OT than for IT in some respects. It involves mapping all devices and interfaces on the network to understand their physical locations, interconnections, and potential to become access points to active or inadvertent risks.
Gibbs frames this network map in terms of compass points, with north/south representing the internet and plant floor, and east/west signifying connections between production cells, zones, and the overall OT network. From Dynics’ perspective, the biggest challenge to enhancing cybersecurity on OT networks is that manufacturers are not always considering the impact on security as they rush to deploy IIoT products that collect data from the plant floor and share it with outside networks.
Before joining Dynics as CTO, Jeff Smith had become familiar with the impulse to hop on the IIoT bandwagon, but he also understood the risks: “As an end user, I would think twice about putting something on my plant floor that needed to reach to the cloud. Because if I deploy 200 of those devices, then that’s 200 holes that I just punched into my network infrastructure.”
Mapping the assets and connections comprising an OT network also helps define what, where, and how specific security measures should be deployed.
This exercise was easier in traditional operational network architectures, which relied on centralized management and monitoring to ensure that everything functioned properly. With the IIoT, manufacturers have taken advantage of distributed computing to allow devices at the edge of their networks to make decisions autonomously. This reduces network traffic and enhances the latency of devices making autonomous decisions at the network edge. But without appropriate security measures, edge computing could enable hackers to access edge devices and prompt them to make incorrect or even catastrophic decisions.
Like IT people, OT system architects must ensure the integrity of their network endpoints. But OT networks require different solutions. Familiar IT security methods include antivirus software and two-factor verification to harden servers, desktops, and tablets against unwanted breaches. OT devices, however, do not run on Windows, Unix, or Linux environments, which limits their ability to deploy traditional IT security measures.
Nevertheless, OT network managers can borrow a chapter from the IT playbook by adopting a “secure by design” mindset. Secure by design treats a product’s ability to defend against a breach as something more than a value-added feature. It specifically includes products built to ensure robust security at the device level. The principle can further apply to the supply chain by documenting a clear chain of control over development of a software’s source code or the supply chain of microchips governing hardware.
In May, 68 software manufacturers voluntarily committed to following the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Secure by Design Pledge. It challenges signatories to show tangible progress in integrating several security features into their products. Though the pledge is in no way binding and was largely signed by companies in the IT space, secure by design principles are entering conversations about OT networks. Bader highlighted its importance during his Automate 2024 presentation, where he discussed additional measures, such as implementing security throughout a product’s life cycle, using secure configurations by default, and leveraging certifications to ensure a solid security baseline.
On that final point, Bader proposed the ISA/IEC 62443 series of standards as one possible basis for certification. Addressing cybersecurity for operational technology in automation and control systems, the ISA/IEC 62443 standard provides direction for security processes, requirements, technology, controls, factory testing, product development, and security life cycles, among other things.
While ISA/IEC 62443 serves as a set of guidelines in the United States, the European Union is transitioning toward the EU Cybersecurity Certification (EUCC) framework. Although potentially related to ISA/IEC 62443, this framework may establish distinct or additional mandates for the development of OT products sold in member countries.
Segmentation and Trust
Even in the IT realm, security does not equate with safety. Even hardened networks are subject to breach by a determined attacker. So, if plan A is to prevent a breach, then plan B should involve containing the attack before it spreads. This is the aim of network segmentation.
A segmentation strategy simply partitions enterprise networks into metaphorical silos. That means hackers, once in, cannot carry an attack to adjacent nodes. Industrial security standards, including portions of ISA/IEC 62443, ANSSI, NIST 800-82 and others, all recommend separating networks into segments. Importantly, the strategy need not require a major disruption of operations to implement.
Software-defined network (SDN) solutions, such as what Dynics offers, often leverage existing switches to microsegment control of network endpoints and prevent packets from crossing between them. Compatible with standard Ethernet networks, such software-based solutions provide visibility into exchanges between nodes and allow network managers to control what network devices and segments can talk to others — all based on zero trust policies.
Zero trust is another cybersecurity practice. As its name implies, it eliminates implicit trust in any one element, node, or service on an OT network and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses.
Dynic’s Smith put the principle in simpler terms: “Allow trust; deny risk.” Gibbs further framed how segmentation might be applied in practice: “This PLC [programmable logic controller] needs to talk to that HMI [human–machine interface] and that machine,” he said. “That’s a communication flow that we like. So we’re going to allow that flow and we’re not going to allow anything else.”
SDNs permit such control over data flows at the software layer. Hardware-based tools such as switches and unidirectional gateways, in turn, can add additional tiers of segmented security. In addition to controlling the flow of information, gateways can automate additional measures, such as filtering, analysis, or conversion of insecure data into encrypted protocols.
The Human Factor
The hardest thing to secure in an enterprise might be the people comprising it.
In the context of cybersecurity, the primary challenge involves personnel. “It’s always personnel,” said Antaira’s Martel. “Having a strong, unified front against cyberattacks for both IT and OT networks will create the synergy you need to ensure security policy, updates, training, and everything else you need for a well-secured, optimized network.”
In short, fostering network security should become part of the corporate culture. This can take the form of training and policies governing identity, access, or the connection of unsanctioned devices to network interfaces. But such measures are toothless without the means to monitor and enforce them.
Fortunately, many of these correspond to familiar IT strategies for endpoint access control, such as reliance on passwords, trusted platform modules, and two-factor authorization. Such measures can be further enhanced by endpoint detection and response (EDR) technology, which checks data packets and files entering a network access point against a database of potential threats. Some EDR solutions are now leveraging machine learning algorithms that can classify new threats.
As Buchheit’s co-authored framework asserts, machine learning and AI could become instrumental to enabling IT and OT networks to constantly adapt in real time to an ever-expanding attack surface. Conversely, any algorithm-based solution is itself subject to manipulation and corruption. Given OT network managers’ traditional reticence to adopt unfamiliar technologies, broader adoption of AI- and machine learning–based security measures is likely to advance slowly. This might be advisable as well as understandable until the mechanics of AI technology are better defined and understood by end users.
Until then, there is ample opportunity for industry to implement proven security strategies and technologies, such as network mapping, security by design, segmentation, and zero trust measures.
1. Keao Caindec, Marcellus Buchheit, Bassam Zarkout, Sven Schrecker, Frederick Hirsh, Isaac Dungana, Robert Martin, and Mitch Tseng, “Industry Internet of Things Security Framework,” Industry IoT Consortium, June 12, 2023, https://www.iiconsortium.org/iisf/.