How's Your Posture? Securing Today's Manufacturing Environments is Exhausting But Necessary
Outside of the two water treatment breaches in the Bay Area and in Florida, the recent cyberattacks that have claimed headlines are still occurring primarily within enterprise networks. However, the shift from retail and financial institutions towards manufacturers is a disturbing trend, especially as connected operational environments have become the norm.
The tilt towards manufacturers has reached the point where one in five manufacturing companies in the U.S. and UK have been victims of a cyberattack in the last 12 months, according to a report released by Morphisec. And, unless manufacturers take action, hackers will soon set their sights on operational technology (OT).
According to Yaniv Nissenboim from Vdoo, “The fact that manufacturers are an increasingly appealing target for threat actors should come as no surprise, and manufacturers' concerns are not misplaced. This increased interest means it is more important than ever that those in the sector introduce a policy of security by design into all of their products, ensuring that they meet the highest security and regulatory standards at every stage of the SDLC, from design and development to post-deployment,” said Nissenboim in a statement. “It is also crucial that manufacturers ensure that vendors in their supply chain adhere to the same security standards and that they can audit their vendors' security even with no access to their source code. Security issues might cause devastating consequences for manufacturers, so a multi-layered approach that starts with the product is the best strategy moving forward.”
While the current administration has taken multiple steps to better involve and empower law enforcement to address the ongoing issue, such policies only go so far when hackers are often foreign entities including nation state sponsored groups. Unfortunately, as Shawn Taylor, senior systems engineer, Forescout Technologies tells IndustryWeek, inadequate security posture including the lack of meaningful visibility into the many devices central to ongoing digital transformations adds an additional wrinkle to this disturbing trend.IW: As manufacturers continue to build upon connected environments, what do you see as the keys to improving security posture?
Taylor: First and foremost, manufacturers must have a complete understanding of what is “truly” on the network. There needs to be a total view of every device, computer, widget, controller, valve or sensor that is connected to the network. Whether wired or wirelessly connected, there’s a reason the critical security controls call out HWAM, or hardware asset management as the #1 foundational requirement. I’ve seen on multiple occasions and not just in the manufacturing or OT spaces, companies that have non-domain member, networked computers that are provided, so the third-party entities can remotely connect and perform support and maintenance to the systems or machines. What is unfortunate is there is rarely awareness of these devices, as they are not manageable, either via Agents or more fundamentally, corporate GPOs, or group policies around configuration. Without a complete, real-time view into every connected thing, any attempt at improving security posture is flawed.
IW: What are the steps to integrating segmentation and Zero Trust across their entire network?
Taylor: After establishing a real-time view into everything connected, the visibility should be expanded to include the communications taking place. It is key to understand not just source and destination IP addresses combined with the associated port, application or service, but also the context of the devices themselves and the role they play in the company’s operations. Additionally, the device’s compliance, including potential vulnerabilities, as well as risk and operational criticality are all dimensions that need to be considered when looking at the communications. All of those pieces of data help construct an accurate picture of the current risk-based segmentation baseline. Then, analyze that baseline against the desired outcome to ascertain what changes with isolations, ACLs and VLAN changes need to be implemented.
IW: Why is it important that manufacturers have visibility into non-user devices?
Taylor: For starters, non-user devices, whether they are small, form-factor, simplistic sensors or very large, complicated systems with gears, rollers and motors, are inherently an attack vector when connected to the network and pose a risk that needs to be understood. That’s the only way leadership can acknowledge and accept the risk. And as previously mentioned, oftentimes there are vendor-provided computers connected to those non-user devices that are connecting to the internet and allowing remote support by the third party. Without complete visibility of all connected devices, the ability to discern between user and non-user devices is virtually impossible.
IW: What other mishaps or mistakes are manufacturers making?
Taylor: Seemingly, manufacturers are operating under the mentality of business as usual. They believe there are minimal risks to their operations as they have “air-gapped” networks or have adequate controls in place to segment or partition the communications traffic between the business or IT part of the network and the process control or manufacturing part of the network. Inherently, they lack foundational visibility into the communications between these systems. Additionally, I’ve seen critical pieces of the process manufacturing, such as distributed control systems, having direct communications to internet-based systems or resources without going through secure, managed gateways. When combined with the minimal visibility of the inherent vulnerabilities within these OT-centric systems, manufacturers are left with a perfect storm of factors, that if an adversary were able to hack and gain unauthorized access, a potentially catastrophic outage could occur causing revenue losses in the millions of dollars.