Cybersecurity

Attacks on water supply systems, manipulated mixing ratios of drugs at pharmaceutical companies, outages of public transport display boards: hackers are increasingly discovering operational technology (OT) and the Internet of Things (IoT) as a lucrative target for attacks. While most people now realize that they should not click on dubious mails full of spelling mistakes, machines and plants are often unprotected.

For a long time, cybercriminals had no interest in OT because production plants or supply systems for electricity, water and gas were not connected to other IT systems, so they could hardly cause any damage or attacks were very complex.

Networked production attracts criminals

The manufacturing industry is digitizing its business processes along the entire value chain, from virtualization in the product creation process to more flexible service and business models to new manufacturing processes such as additive manufacturing. The risk of malware and cyber attacks is increasing as a result of the connection of production plants and machines to internal systems for production control or, increasingly, to the cloud.

In the process, the cybercriminals try to disrupt a plant and extort a ransom or obtain trade secrets on behalf of mostly foreign competitors or states. Then, months later, copies of car spare parts turn up that not even a service technician can distinguish from the original.

The fact that OT security lags so far behind the state of IT is due to the fact that OT is planned by engineers who have to implement technical production requirements under cost pressure and in a short time, but for whom cybersecurity was never an issue in the past. They develop a plant purely according to functional aspects.

In the event of new risks due to cybersecurity, the software of the plants would actually have to be patched. But this is not normally provided for in OT. Never touch a running system applies even more in OT than in IT. There is usually no time to apply patches either. Even if the update only takes a few minutes, it can bring an entire production line to a standstill and result in a lengthy restart, especially since functional tests are usually also necessary.

So you have to switch to maintenance windows that are planned anyway, but they are rare. In chemical production plants, for example, it can take several years before the opportunity arises for an update including all functional tests.

Network segmentation is often the first recommended complementary measure. This involves separating parts of a system from other systems according to risk level and criticality. For this, the detailed structure and communication of the system must be known. It is also advisable to separate legacy systems, which can sometimes be decades old and for which updates are no longer available, from new parts and to apply separate security strategies.

But it's not just the manufacturer and operator of a plant that are required to ensure a high level of security; the maintenance staff must also be on board. During remote maintenance, they usually access a jump server via a VPN connection. From time to time, hackers use such connections to plant malware and spyware that can then infect entire plants and facilities, especially if access to the jump server or VPN authentication is only weakly protected.

To mitigate such risks, a better architecture is needed. Some security service providers recommend an audit with a penetration test to uncover vulnerabilities in the IT and OT infrastructure. You will probably find plenty of vulnerabilities, but the gain in knowledge is low, especially if no security has been implemented in the OT systems.

It is much better to implement measures first and then check them with an audit. The starting point for better OT security is greater visibility in the OT networks. Often, companies do not even know which detailed components they have in the systems, which software versions they use, which data they exchange, and which connections to the outside exist with third-party companies.

But you can't protect what you don't know. Knowing the software versions in use, communication relationships, external access, zoning in the network and more is the basis of any cybersecurity strategy.

Many companies asking for OT security support have already had a security incident or know companies in their environment that have had such an incident. Awareness has increased in recent years and companies are motivated to do more for security. However, companies often feel overwhelmed and don't know where to start. What is needed here is a structured approach that provides the company with orientation.