Digitalisation is disrupting the old structures. Through the increased networking of facilities and data streams, IT and OT (Operational Technology) – previously strictly separate worlds – are merging together. This necessitates new security approaches. Yet, how do companies go about constructing comprehensive cyber-resilience?
Today, the manufacturing industry in particular is faced with immense pressure to pursue digitalisation. The reasons for this include increasingly shorter product cycles, mounting competitive pressure and increasingly complex supply chains, which consist of many interlinked, precisely coordinated production steps. Under these circumstances, every company needs to develop and implement its own particular strategies for its digital transformation. However, all Smart Factory concepts ultimately share the same paradigm: Industry 4.0 is data-driven, networked and highly automated.
Production process, material flow and ERP all overlap with information, while the quantity of real-time data streams and connections are growing exponentially – but so is the number of potential security flaws. The risk is particularly great for structures that have grown organically, the reason being that when modern automation technology began to be introduced, networking in the industrial environment was still in its infancy. At the time, no one seriously considered the possibility, or indeed the need, to connect production environments with IT, let alone via new Industrial Internet of Things (IIoT) systems over the Internet.
Back then, Industrial Control Systems (ICS) were perceived as isolated units operating off-line. Security functions such as authentication, data encryption, password management or access control were consequently unnecessary and, at the ICS protocol level, simply not envisaged. Today things are different. More and more industrial control systems are linked to the Internet via a gateway. This meets the requirements of the digitalised economy for dynamic and highly efficient automation processes with cross-organisational data transfer, but it also makes Industry 4.0 vulnerable to attacks.
Even if more and more ICS systems are being integrated according to the current requirements, there still exist many of non-secure ICS components. The fact that this can be a highly undesirable condition for the seamless operation of a production environment has lately become clear with the appearance of Stuxnet and of other malware variants that specifically target industrial networks.
For operators of critical infrastructures, too, the threat level today is on a whole new level from just five years ago. Energy providers, water companies, IT and telecommunications companies, along with organisations in the health, finance and insurance sectors, are increasingly the focus of targeted attacks. Given their importance to the common good, they present attractive opportunities for cyber criminals, whose profits can vary from four to over ten times more than the relatively low cost of attack.
Digital transformation needs OT security
The fact remains that both in production environments and ICS systems, the "classic" IT security measures no longer suffice, since with OT (Operational Technology) and, in particular, the introduction of IIoT, a raft of new players are stepping up to the security stage. For the monitoring, control and regulation of automated processes, industrial facilities and systems are becoming increasingly interconnected. For the collection and intelligent assessment of production data in real time using sensors, these data flows are then transferred – directly or via IIoT connections – to IT systems. This data helps companies to, for example, optimise their manufacturing processes or anticipate maintenance, thus helping them make operational decisions.
The increasing networking and rapid expansion of IIoT applications and technologies are bringing the fields of IT and OT ever closer together. Security concepts need to react to this, and come up with an integrated approach. Only through the convergence of IT security and OT security measures can companies generate holistic protection. While technologies for protecting office IT have long been established, the protection of SCADA, DCS, PLC and other ICS systems must now also be addressed in a focused manner.
OT environments, however, pose major challenges for the security industry. Due to the many different aspects and priorities of the IT and OT fields that need to be taken into consideration, protection is a very complex issue.
As is known, for example, patch management and regular software updates are among the most important preventive cyber protection measures, and would also be necessary in industrial networks, since the software components in closed systems are often dated. However, one problem is that, according to the latest findings, more than 75 per cent of companies still have no comprehensive oversight of the existing OT systems and of the status of the software installed on them. Another challenge is that software in OT – unlike for IT – is not quite so easy to update. In addition to their operational safety, the availability and real-time capability of facilities must also be guaranteed. For the processing industries and energy providers in particular, even a short interruption for an update would have serious consequences.
Furthermore, the production network often deploys very specialised individual solutions, which are not compatible with standardised IT security systems.
In short, OT cannot be protected in the same way as IT. Nevertheless, OT security is an urgent prerequisite for the successful implementation of manufacturing automation and Industry 4.0.
For the comprehensive protection of heterogeneous OT architectures and IT components it may be advisable to call upon the requisite professional expertise due to the complexity of the issue. Some security providers are integrators in both fields, combining the expertise of their IT and OT specialists while supporting industrial companies along partnership lines to build a robust resistance to modern cyberthreats.
With the OT security solutions as the central component of the service portfolio, close cooperation with technological partners and industrial control systems providers, and in-depth practical experience from its own industrial background, these solutions can help enterprises to plan and implement targeted security measures, and thus to establish sustainable cyber-resilience.
It’s ideal to find a security provider that has integrated its own dedicated OT Security Service and its solutions portfolio into a 3-phase model: Assess, Protect and Manage. Due to rapidly changing cyber-risks, these phases are nonetheless to be understood as is a continuous, recurrent cycle or process. The objective is to achieve the requisite specific security level for the respective industrial companies through concrete measures, and then to maintain these over the long term through appropriate continuous optimisation. When establishing the security measures, it is particularly important to taken into account all human, process and technology dimensions with a holistic approach.
In the "Assess" phase, for example, critical vulnerabilities in the security concept are detected by means of taking a root and branch inventory of the security technology and/or a comprehensive assessment of possible security risks (via OT Maturity Check, Asset Discovery & Analysis and Risk Assessment Services). From these results, it is possible to derive, for the second "Protect" phase, the priorities for a given company, so that concrete protection measures for OT can be planned and implemented (via OT Policies & Framework, Design & Integration and Training Services). The third phase "Manage" focuses on the sustainable maintenance and supervision of all pillars of the security concept. This is achieved by deploying a SOC and/or Managed Security Infrastructure Services and, if required, through other specific services.
SOC as security centre
A Security Operations Centre can be considered to represent the command bridge from where the technologies, processes and human expertise are coordinated. Sound know-how and many years of experience in the detection of network anomalies, malware analysis, digital forensics and the corresponding incident responses are indispensable for being able to operate an SOC.
To meet the specific security requirements of the manufacturing industry and of ICS operators, many security providers offer SOC Services for IT and OT environments. A central component here is the risk-based method in the planning and implementation of preventive security monitoring. The objective is – for the entire value creation chain of central business processes – to identify the critical IT and OT processes and assets, and to monitor them with the appropriate sensors, using automated SOC processes and SOC analysts.
Incidents in the recent past have shown that if ICS operators and industry wish to benefit from the advantages of digital transformation, such as faster production times, more efficient processes and enhanced competitiveness, the active construction of durable cyber-resilience is a fundamental prerequisite. Only by means of an integrated, supra-organisational and risk-based IT and OT security approach, combined with continuous readjustment, will it be possible to counter future cyberattacks with a sufficient degree of robustness.
Jörg Schuler, OT Security Portfolio Manager, Airbus CyberSecurity