The escalation in frequency and sophistication of successful cyberattacks are raising concerns among governments, organizations and even the general public. By now, most people are aware of the attacks on Target, Home Depot and Sony Pictures — in which the adversary’s motives were centered on financial gain and reputational and financial harm. However, these incidents have cast a shadow over a more direct danger: attacks on the industrial control systems (ICS) of critical infrastructure, including manufacturing facilities, in which the physical safety, integrity of proprietary organizational assets and reliability of automated operations face unprecedented risk.
Advanced Persistent Threats (APTs) to the control systems of manufacturing equipment, in particular, are now a daily occurrence. In fact, cyberattacks against ICS, like supervisory control and data acquisition (SCADA) systems, those used to monitor and control industrial processes that cover wide geographic areas and remote manufacturing facilities, more than doubled in 2014, according to a recent Dell report. In addition, National Security Administration Director Adm. Michael Rogers predicts a major cyberattack on critical infrastructure within the next decade. It’s not a matter of if an attack will occur, but a matter of when.
The Proliferation of Attack Surfaces
Industrial control systems used to automate manufacturing processes are relatively new to being susceptible to cyber threats. Nonetheless, the recent increase in targeted attacks is a result of the access points now available for exploit, as modern information technology (IT) integrates with legacy manufacturing systems that were never built for connectivity. Operational technology (OT), such as SCADA and other forms of industrial control systems, are often found in industries that manage critical infrastructure, such as water, oil & gas, energy and utilities, but also in automated manufacturing, pharmaceutical processing and defense networks.
Historically, the expertise, culture, risk tolerances and approach to technology have been disparate, with IT emphasizing confidentiality and integrity of assets while OT prioritizing reliability and availability of equipment and services. But as IT continues to converge with OT to improve efficiency and productivity and reduce costs, complicated cybersecurity threats are being introduced into manufacturing environments once immune to a variance of risk.
Prior to convergence, for example, industrial networks were less directly connected to the outside world. With the introduction of IT, the systems are now interconnected with the ability to be remotely managed on any device from any location — exponentially expanding the attack surface. Even if a facility does not have wired or wireless connections, employees are plugging cell phones into USB connections and utilizing laptops and mobile media, unintentionally creating pathways into mission critical networks. As such, manufacturing facilities must secure their perimeters and the devices inside those perimeters as well.
Moving Beyond Convergence
The U.S. has not yet experienced a catastrophic cyberattack against the industrial control systems of critical manufacturing equipment, but the opportunity to cause monetary, operational, reputational and physical damage from such an attack is highly-motivating to threat actors around the globe. With this realization, research analysts expect steady and significant opportunities for growth in cybersecurity for ICS. In fact, according to the research firm MarketandMarkets, global ICS security is estimated to reach $8.73 billion in 2018.
While the benefits of IT-OT convergence are clear, the most significant challenges are in how best to bridge the divide between two workplace cultures that have never worked together before. There is no simple solution to overcoming the technical and organizational challenges of convergence, but there are a few ways IT professionals can aid in a smoother transition.
- Education - The lack of understanding between IT and OT is a constraint to integration, so education on both OT and the motivating forces behind the integration is key to a successful convergence.
- Innovation - As ICS cybersecurity continues to advance, it is important for manufacturing facilities to stay up to date on the latest technologies in order to best secure networks and equipment.
- Governance - Although regulatory compliance is industry dependent and not federally enforced, IT professionals should be aware of current and pending OT cybersecurity rules and regulations that are gaining momentum among lawmakers.
Manufacturing facilities must embrace strategies and best practices to streamline the convergence process if they are to be successful in preventing a disaster. It is the responsibility of those accountable for governance to implement strategies to protect assets; as both public safety and the reliability of manufacturing output depends on it.
Derek Harp is the co-founder of NexDefense.