OT Is Low-Hanging Fruit for Cybercriminals: What to Do about It

Cybersecurity continues to be a significant issue for operational technology leaders. While the majority of organizations have been implementing IT security measures for years, OT security is a different matter. As the growth in the Industrial Internet of Things (IIoT) and subsequent IT/OT convergence have expanded, manufacturers have lost the “air gap” that protected their OT systems from malicious actors.

underlines the need for cybersecurity to be an integral part of the daily work of OT leaders and their teams. Seventy-one percent of OT pros who responded to an April 2020 survey (sample size was under 100 respondents) say they’re regularly involved in IT cybersecurity strategy, a huge jump from 15% last year. However, many cybersecurity solutions are impeding success and creating greater complexity for at least 50% of OT professionals. In addition, there’s the division of priorities between OT and IT that has caused some miscommunication and ruffled some feathers.

Despite the improved focus on cybersecurity, cybercriminals are exploiting OT environments and seeking to disrupt operations and take advantage of heightened workforce stress. The business impacts and challenges have been amplified since the onset of COVID-19, so OT leaders need to keep up with recent industry changes and find ways to provide the best possible protection against cyber threats and vulnerabilities. 

When Worlds Collide

With the air gap disappearing, cybercriminals have increasingly been targeting OT systems to disrupt operations, steal proprietary information or commit acts of cyber terrorism. This negative trend is in part driven by bad actors who naturally seek to gain from accessing the easiest and most economically viable targets. Far too often, existing malware works effectively against legacy systems deployed in OT networks that have probably not been updated or patched. The natural tendency of OT enterprise leaders is to favor continuous operations over disruptions driven by routine cyber hygiene.  As a consequence, OT systems often represent low-hanging fruit for cybercriminals.

Cybersecurity is essential, but what OT leaders are struggling with is how to balance it with operational efficiency and flexibility. The Fortinet survey revealed that at least half of OT professionals feel that their security solutions are impeding their flexibility and introducing greater complexity. Security analysis, monitoring, and assessment tools were ranked as the top three barriers that increased complexity. However, it is vital for OT leaders to stop perceiving cybersecurity tools as impediments to their work and to start seeing them as enablers instead.

Disruption Brings New OT Threats

The Fortinet survey found that 9 out of 10 organizations experienced at least one OT system intrusion in the past year. In fact, the share of organizations experiencing three or more intrusions increased from 47% to 65% over that same period. These intrusions often impacted operational efficiency and revenue.

History demonstrates that periods of social and global disruption often coincide with an increase in cyber-attacks, and the current circumstances are no exception. Recent hacking campaigns rely on less-complex techniques because of the perception that there is significantly increased human error during periods of high stress. Add to that the implementation of business practices designed to extend the remote workplace, and the attack surface expands yet further. 

The recent global increase in disruptive and malicious activity has simply reinforced the need for proactive cybersecurity practices that harden the OT environment, so that outmaneuvering the adversary is actually possible. 

Best Practices for OT Security

The first step in hardening the environment is recognizing the range of vulnerabilities that exist due to the convergence of IT and OT infrastructure. The expanded threat landscape creates a significant range of opportunities for cyber attackers to penetrate and establish multi-point presence on OT targets. 

Consequently, it is vital to implement best cyber practices that deliver security beyond just perimeter detection and protection, and focus on recognizing and analyzing any unknown and unusual behavior. That often starts with complete network visibility, combined with enforcing earned trust for all devices within the OT infrastructure. Strict identification of approved access and roles, and consistent enforcement of controls to limit movement within an environment, are equally important.  

These are not stunning new cybersecurity protocols. Instead, they comprise many of the basic practices of security hygiene: being proactive about security, working toward centralized visibility and control, and tracking and reporting basic cybersecurity metrics. As OT systems depend less on air gaps and become integrated with IT systems and with the internet, OT leaders will need to reinforce internal security awareness and strengthen their systems with security protections based on an inventory of what is presently deployed and the remaining security gaps.

Security Success within Reach

The 2020 survey statistics illuminate the struggle most organizations are experiencing as they try to secure their OT systems in the new era of OT/IT/IoT convergence. What’s more, cybercriminals never let a crisis go to waste and are leveraging the pandemic and current unrest as a smokescreen for their attacks. It’s never been more complex or more important to keep OT systems safe.

It turns out, though, that doing so does not require radical new measures. Instead, learn the lessons from IT security and enforce cyber hygiene best practices first and foremost. Then, take stock of what cybersecurity tools are already in place, how well they’re working and what gaps need to be filled. Doing so will enable proactive detection of an event that could threaten productivity. Adopting such a strategy can deliver the security services essential to sustaining safe and continuous operations. 

Rick Peters is the chief information service officer for operational technology, North America for, delivering cybersecurity defense solutions and insights for the OT/ICS/SCADA critical infrastructure environments.

Manufacturing Cybersecurity Needs a Government Component—Here’s Why

State and federal governments, along with the private companies that make up the manufacturing sector, should prioritize cybersecurity through training programs, policy initiatives and communication channels. The future of the industry relies on new technologies that can, and have, created the risk of catastrophic breaches.

It’s not just financial companies with piles of confidential data that are falling victim to cyber-attacks in this new era of connectivity. The manufacturing industry is a for sophisticated ransomware and phishing schemes that can shut down entire operations, leaving firms vulnerable to extortion or worse.

Advancements within this sector require the prioritization of cybersecurity measures to combat new, ever-evolving sophisticated means of attack. Public-private partnerships can ensure the safety and well-being of a targeted manufacturer as well as their customers and vendors.

Manufacturers in the Crosshairs

Mondelez International, Inc., a U.S. multinational food and snack manufacturing company, was just one of several companies nicknamed NotPetya in 2017. The attack wound up costing its targets more than $10 billion in total damages when accounting for business down time and repair. The severity of the damage left some of the companies obligated to report the damage to the SEC.

Another example came when Norsk Hydro, an aluminum company headquartered in Norway, was attacked by a strain of ransomware called LockerGoga. The virus infected multiple systems across the organization.*

With the growth of the IIoT, the situation will only get worse if this industry doesn’t prioritize robust cybersecurity hygiene.

Cyber Priorities for Manufacturers

Statistics that most often cyber-attacks are based on human error. Employee training is a simple and cost-effective way to ensure that firms of all sizes are adequately enforcing best cybersecurity practices from within.

While cyber-attacks ought to be seen as a risk that must be primarily managed at the company level, there can also be a role for both state and federal governments.

While most pieces of legislation that have been enacted or introduced to help mitigate these types of issues , most notably the General Data Protection Regulation in the European Union, such as the offer incentives such as a legal safe harbor for meeting certain cybersecurity thresholds.

Incentive-based legislation can be a win-win for both the government and the manufacturing firms that must remain compliant. For instance, setting minimum thresholds—such as the completion of baseline training programs geared toward the manufacturing industry in exchange for a tax credit or legal safe harbor—will help to protect the advancement of local economies while giving firms a competitive edge.

Other avenues for constructive government involvement can include government grant programs that could provide either financial assistance for cyber-awareness training programs or government experts who visit manufacturing firms to provide tutorials on best practices to provide insight that goes beyond the standard employee training programs offered today.

For example, representatives from the National Institute of Standards and Technology could conduct site visits at manufacturing firms not only to explain cybersecurity trends that the government is privy to, but also to answer questions that companies might have on compliance.

A well-managed government grant program can yield strong public outcomes when manufacturing firms are able to protect themselves from attacks that can directly influence state employment rates and tax bases.

National security is yet another argument for government support. Foreign adversaries have on numerous occasions attempted to on private companies in the U.S. as an attempt to garner access to the government information they hold.

The industry itself has opportunities to strengthen cyber defenses among members. Manufacturing firms can share their experiences regarding cybersecurity with others in their industry in a productive way. Whether at organized forums or conferences, these types of communication channels are essential to helping the industry work together to anticipate the ever-evolving cyber threat landscape.

For instance, the Illinois Manufacturing Excellence Center has held Cybersecurity Forums presented by the National Association of Manufacturers. At these forums, CISOs, CIOs, CTOs and manufacturing technology leaders come together for a day of learning around the cyber-threat landscape and cybersecurity trends.

Investors and operators need to have confidence in the manufacturing industry and its ability to protect itself from potential attacks—leading to growth for the individual company at one level, and the American economy at another.

Lessons need to be shared within the industry, support needs to be offered where it can, and most importantly, one of our country’s most important sectors needs to be protected.

The manufacturing industry of today isn’t the same as it was five, 10 or 20 years ago, and that’s a good thing. However, the risks that accompany that growth can’t be ignored.

Rick Lazio is a senior vice president with alliantgroup, serving on its Strategic Advisory Board. He is a former U.S. Representative from New York serving in Congress from 1993-2001, where he became a strong advocate for small businesses by sponsoring the successful Small Business Tax Fairness Act. After Congress, Rick moved to the private sector, working for JP Morgan Chase as a managing director and then executive vice president. 

*Correction: A short passage in the original version with erroneous information about the Norsk Hydro attack has been taken out.