Manufacturing companies have long been popular targets for cybercriminals. Until recently, the reason for this was two-fold. First, manufacturers are home to a treasure trove of intellectual property (IP) and intelligence on new products, processes and technologies. If malicious actors can get their hands on this valuable information, they can use it to undercut the market by manufacturing knock-off products at lower prices, or they can simply sell IP and other intelligence to the highest bidder. Either way, cybercriminals yield a high return for a minimal amount of work—and, since cybercrime is a business just like any other, high return on investment is the guiding principle when selecting targets.
The second reason is that manufacturing companies typically have a robust supply chain. In the eyes of an attacker, if they can penetrate a manufacturer, they can also get their hands on data from that company’s suppliers and partners. Likewise, a supplier or partner with substandard defenses can be an easy way to infiltrate a manufacturer. In this scenario, we see the principle of “high return for minimal effort” play out again, as one attack can result in compromises of multiple companies. This is why third-party risk management is so important.
Today, we’re seeing a third reason emerge – the convergence of operations technology (OT) and information technology (IT) networks. Until the Industry 4.0 and digital transformation trends took the manufacturing world by storm, most OT networks were closed off from IT networks and the internet. Because of this, endpoints on OT networks—such as supervisory control and data acquisition (SCADA) systems, industrial control systems (ICS), controllers and sensors—weren’t exposed to the same malware threats that IT network endpoints face, and, therefore, weren’t designed to be patched or run security software.
As manufacturing companies increasingly rely on automation and data exchange to transform industrial processes, OT networks are converging with IT networks, and OT devices are becoming IP-enabled and part of the network ecosystem—but they still can’t be patched or run security software, which makes it challenging for manufacturers to secure them. This is appealing to cybercriminals because, if they can infiltrate a manufacturing company’s OT network, they can then move laterally onto the IT network—and vice versa. Attackers can penetrate two networks with one attack and reap multiple revenue streams, making the business case for this type of attack an easy one.
In an environment where attack surfaces are expanding thanks to newly connected OT devices, and cybercriminal attacks are increasing in frequency, how can manufacturers stay one step ahead of the bad guys? The answer lies in mastering the enemy perspective and taking an “inside-out” approach to cybersecurity.
Taking An Enemy Perspective
Manufacturers that do not understand threat actors and their intentions are at a much higher risk of a breach than those who do. This is why it’s so important for manufacturing companies to view themselves through the eyes of their most likely attackers. If they can identify threat actor intent and behavior, they can understand which assets will most likely be targeted and which vulnerabilities are most likely to be exploited. Based on this valuable information, they can then build customized defense plans to pre-empt attacks.
For example, the way an organization should defend against a nation-state attack targeting IP is very different from how it should protect against an attack designed to halt production, which in turn is very different from safeguarding against OT or third-party attacks. Taking an enemy perspective and proactively identifying cybercriminal motives enables manufacturers to concentrate resources on the most likely attackers and vectors, rather than taking the failed “defend against everything” approach.
And this brings us to the “inside-out” security model.
Adopting “Inside-Out” Security
Most organizations, regardless of industry, operate with an “outside-in” approach to cybersecurity, where external threats (nation-state attacks, ransomware, etc.) and compliance requirements dictate security strategy and spend. In other words, organizations continually switch their focus to the latest threat and then reactively purchase technology in an effort to eradicate it. Unfortunately, this approach has left companies with massively complex and costly infrastructures made up of disparate point solutions. As a result, security infrastructures have become extremely difficult to manage, and, in many cases, are actually introducing security and compliance risk, rather than mitigating it.
Rather than letting the threat and regulation landscape dictate security strategy and spend, manufacturers need to take an “inside-out” approach to security, where security strategy and spend are dictated by the manufacturer’s specific risks and business objectives. This approach starts with the development of an enterprise risk model, which incorporates the elements previously discussed: understanding the ecosystem of likely attackers, the assets they are most likely to attack, and the techniques they are most likely to use. With this information, manufacturers can prioritize risk and make more strategic decisions relating to the infrastructure, technology and operations required to mitigate it.
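To make the enterprise risk model concrete, here is a small Python illustration added for this article (it is not Optiv’s model or the author’s own code). It ties the three elements together in the way the paragraph describes: a set of likely attackers with their motives, the assets each motive would hit, and the techniques each attacker prefers, scored against the current effectiveness of the controls covering those techniques. The attacker names, likelihoods, impact figures and control scores are constructed sample values, not data from the article; the point is the shape of the calculation, which ranks residual risk and lets you test how a single control investment changes the ranking.

```python
"""Toy inside-out enterprise risk model: attackers -> assets -> techniques.

Added example, not part of the original article. Every name and number
below is constructed sample data chosen to illustrate the approach.
"""
from dataclasses import dataclass
from itertools import product


@dataclass
class Attacker:
    name: str
    likelihood: float        # 0..1: how probable this actor targets us in the period
    motives: frozenset       # what a successful attack would achieve for them
    techniques: dict         # technique name -> preference weight 0..1


@dataclass
class Asset:
    name: str
    impact: dict             # motive -> business impact 0..10 if that motive succeeds


def residual_risk(attacker, asset, technique, controls):
    """likelihood x worst shared-motive impact x technique preference x (1 - control)."""
    shared = attacker.motives & frozenset(asset.impact)
    if not shared:            # this actor has no reason to go after this asset
        return 0.0
    impact = max(asset.impact[m] for m in shared)
    preference = attacker.techniques.get(technique, 0.0)
    effectiveness = controls.get(technique, 0.0)   # 0 = no control in place
    return attacker.likelihood * impact * preference * (1.0 - effectiveness)


def prioritize(attackers, assets, controls):
    """Return (score, attacker, asset, technique) rows, highest residual risk first."""
    rows = []
    for attacker, asset in product(attackers, assets):
        for technique in attacker.techniques:
            score = residual_risk(attacker, asset, technique, controls)
            if score > 0:
                rows.append((score, attacker.name, asset.name, technique))
    return sorted(rows, key=lambda r: r[0], reverse=True)


def simulate_control(attackers, assets, controls, technique, new_effectiveness):
    """Re-rank after a hypothetical control improvement, without mutating the baseline."""
    updated = dict(controls)
    updated[technique] = new_effectiveness
    return prioritize(attackers, assets, updated)


# Constructed sample data (hypothetical actors, assets and control maturity).
ATTACKERS = [
    Attacker("nation-state IP thief", 0.3, frozenset({"ip_theft"}),
             {"spearphishing": 0.9, "supplier_compromise": 0.6}),
    Attacker("ransomware crew", 0.7, frozenset({"disruption"}),
             {"exposed_remote_access": 0.8, "spearphishing": 0.7}),
]
ASSETS = [
    Asset("product design repository", {"ip_theft": 9, "disruption": 3}),
    Asset("plant SCADA network", {"disruption": 10}),
    Asset("supplier EDI gateway", {"ip_theft": 5, "disruption": 6}),
]
CONTROLS = {               # current control effectiveness per technique, 0..1
    "spearphishing": 0.5,
    "exposed_remote_access": 0.2,
    "supplier_compromise": 0.1,
}


def rank():
    """Baseline prioritized risk register for the sample environment."""
    return prioritize(ATTACKERS, ASSETS, CONTROLS)


def rank_with_hardened_remote_access():
    """What-if: remote-access controls raised from 0.2 to 0.7 effectiveness."""
    return simulate_control(ATTACKERS, ASSETS, CONTROLS, "exposed_remote_access", 0.7)


if __name__ == "__main__":
    for label, rows in (("baseline", rank()),
                        ("after hardening remote access", rank_with_hardened_remote_access())):
        print(f"== {label} ==")
        for score, who, what, how in rows[:4]:
            print(f"{score:5.2f}  {who:22s} -> {what:26s} via {how}")
```

In the sample data the highest residual risk is the production-halting actor reaching the plant SCADA network through weakly controlled remote access, which is exactly the kind of finding the “halt production” attacker profile in the previous section is meant to surface. Re-running the ranking with that one control improved shows how far it drops and what rises to the top next, which is the decision-support the paragraph has in mind: spend follows the model’s ranking rather than the latest headline threat.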
Taking this approach, which considers people, processes and technology, transforms complex infrastructures into streamlined environments that are much more manageable, affordable and effective at reducing risk. And with simplified, yet strengthened, infrastructures, IT security teams can stay focused on projects and priorities that deliver business value, rather than getting tied down with busywork.
Putting It All Together
Cybercriminals’ motives and attack methods might be constantly changing, but by mastering enemy perspectives and adopting an inside-out approach to cybersecurity, manufacturers can dynamically adapt their risk strategy to keep pace with the changing risk environment. Ultimately, this enables manufacturers to take full advantage of the Industry 4.0 and digital transformation trends without introducing potentially catastrophic enterprise risk, and that’s a good thing, from the inside-out.
Brian Wrozek is a seasoned cybersecurity executive with 20+ years of experience in IT and information security and management. As CISO at Optiv Security, Wrozek oversees all corporate security functions including cyber operations, incident response, vulnerability management and security governance activities.