Operational technology (OT) networks are a primary means of profit for manufacturers of a variety of products, from everyday household items to semiconductors and industrial-scale fabrications. Yet, these networks aren’t just critical for production. They are used in energy transmission, railroads, and other infrastructure elements that manufacturers depend on to produce or deliver whatever a company makes.
After long being neglected, OT network security is suddenly under the spotlight because adversarial countries and criminal consortiums are looking for ways to infiltrate and exploit these systems.
Small Number, Big Impact
For the uninitiated, OT network is a general term applied to networks that use industrial control systems (ICS), distributed control systems, supervisory control and data acquisition systems, programmable logic controllers and other specialized devices. The dark web of cyber-criminals seldom focused on OT networks, making them more secure through pure disregard. But that has been slowly changing for at least a decade.
According to The Hacker News, federal Cybersecurity and Infrastructure Security Agency’s (CISA) OT cybersecurity advisories for highly critical vulnerabilities increased by about 10% in the first half of 2023. But for perspective, Verizon’s respected latest “Data Breach Investigations Report” indicated only a few reported cyber incidents involved OT networks.
Industries like manufacturing, quarrying and utilities were each considered, yet few incidents of actual impact to any OT devices were confirmed, totaling just 3.4% of reported breaches.
So then, why the hand-wringing over such a small number of incidents?
The reason is straightforward. The effects of a successful cyberattack on manufacturing or manufacturing-adjacent OT networks, particularly involving critical infrastructure, could be safety catastrophes.
Imagine what would happen if a pharmaceutical company lost control of chemical additives, or an electric distributor couldn’t shut down overheated lines, or a manufacturer was suddenly unable to prevent volatile materials from contacting triggering compounds.
Keeping Up With the 'Bad Guys'
OT networks can also be disrupted by attacks on their associated information technology (IT) business networks. If an IT network is abruptly encrypted and a manufacturer’s OT network depends on it for billing or measurements, the company might be have to stop production until IT can determine what is being refined, produced, transported or distributed. This is fundamentally what happened in the infamous 2021 Colonial Pipeline attack.
OT network security isn’t as robust as IT, in part because it did not keep up with the technologies available to the “bad guys,” failing to register them as an existential threat. OT networks were usually not connected to the internet—and when they were, had safeguards to deter improper access. It helped that bad guys weren’t trained or sophisticated enough to appreciate complex OT settings, which comprised devices and software rarely seen in IT networks. But that is changing with Industry 4.0 devices to improve OT processes.
Researchers at Microsoft have discovered that some IIoT devices bring remote execution code vulnerabilities that could allow cyber-criminals to access OT networks. This summer, a senior North American Electric Reliability Corp. (NERC) official warned a congressional subcommittee about China’s “alarming” threats to the power grid. The New York Times claimed China has some unspecified capability to interfere with electric grid operations and pipelines near U.S. military bases. The State Department warned that China is planning cyber-attacks on critical infrastructure, including OT networks. And CISA, the nation’s cybersecurity watchdog, says traditional OT security approaches are not adequately addressing current threats.
Improvements Bring Challenges
For manufacturers, new IT devices connecting OT to the internet—a process known as “IT-OT convergence”—is both an improvement in efficiency and a cybersecurity challenge. OT devices often gather manufacturing data to perform tasks like measuring values (heat, flows, time, etc.), but often cannot analyze the data they collect. IIoT devices can process data and communicate findings through connections to the internet, creating efficiencies when “converged” with OT devices.
A draft report of the National Security Telecommunications Advisory Committee warns that IT-OT convergence makes formerly isolated OT systems “susceptible to the same risks of malware and threats that IT systems face.”
Frankly, OT networks are not designed to fight through persistent cyber-attacks. Nor do they integrate easily, and “visibility” into their traffic flows is rarely sufficient, making vulnerability patching more difficult. While IIoT is addressing these issues to some extent, the internet exposure it permits is replacing one security challenge with another.
OT networks, like IT, tend to have common problems. For instance, a 2017 DHS study of ICS cybersecurity concluded that boundary protection (usually where OT meets an IT) was a prevalent weakness. It also noted common flaws like improperly managing passwords, not securing employee accounts after they leave and unsecured access to field equipment. Adding IT makes the challenge steeper for the engineers and technicians who make manufacturing OT networks safe.
It’s a maxim of IT cybersecurity that you cannot defend what you cannot see. OT operators are no different. Network visibility, usually through devices placed within the network to provide internal sensing and monitoring, can identify irregularities or unusual activities on the factory floor that could indicate operational reliability, even an attack. In fact, the Federal Electric Reliability Corporation has directed NERC to require operators of some high- and medium-risk OT networks to begin internal monitoring.
Similarly, applying patches is more complicated in OT settings because OT network availability can be almost non-existent. Downtime for patching affects manufacturers’ delivery schedules and income, making patching a lesser priority. Even when downtime is scheduled, the process takes longer because OT operators often must perform regression testing (usually after having done so in simulation) to ensure the patch is compatible with often-fragile OT devices.
More Collaboration Needed
All these concerns are amplified by the historic lack of collaboration between IT and OT teams stemming from the minimal connections they formerly had. In some locations, the mindset is for each team to “stay out of the other’s chili.” That mindset must change once IIoT is introduced into an OT network.
If you’re a manufacturer, this shift in mindset is especially important. At a minimum, your company’s IT-OT teams should consult, prioritize and coordinate their respective efforts, particularly whenever they consider issues concerning their boundaries.
This new way of doing business will take time. You can expect setbacks and learn from them. But for critical infrastructure sectors—manufacturing included—collaboration between your IT-OT teams is so important that CISA devotes a section to it in its Cross-Sector Cybersecurity Performance Goals, meant as a set of common protections that should reduce the likelihood and impact of cyber-attacks.
OT cybersecurity can no longer take a backseat as the business and production side of manufacturing become more interdependent and bad actors are emboldened by successful attacks in other sectors. Now’s the time to shore up your IT-OT defenses, not separately but as a concerted effort.
Gene F. Price has substantial real-world experience in cybersecurity and data management. A member of Frost Brown Todd’s Data Security and Privacy team, his practice includes helping clients cope with their cyber risks.
