The complex IT landscapes of manufacturing companies are harder to keep track of and more costly to maintain than those in most other industries. If production has to be stopped because of a ransomware attack, the company faces high financial losses, contractual penalties for missed delivery commitments and reputational damage. The good news is that with the right mix of measures, the potential weak points of operational technology and information technology (OT and IT) can be secured to the point where cyber criminals no longer find attractive targets.
Multiple threats due to complex IT landscape
Whether state-sponsored or commercially motivated, attackers target manufacturing companies for two reasons: the sensitive data, which lends itself to extortion or resale on the darknet, and the typical weaknesses of a historically grown IT landscape with many legacy systems that were never designed with cyber security in mind or whose software can no longer be updated or patched at all. On top of this, numerous internet and IoT interfaces have been retrofitted over the years, and keeping them secure requires regular updates.
Why air-gapping is so important
Without proper separation between OT and IT (in its strictest form an air gap, in practice usually network segmentation with tightly controlled crossing points), these weaknesses are easy to exploit, for example by attackers introducing malware from the office network via a compromised email account. Another popular route runs through suppliers and partners, whose credentials are phished by means of social engineering. An unsuspecting technician may, for instance, receive a link to a supposed firmware update from the compromised account of a known service employee and load the disguised malware onto the corresponding controller.

IT and OT require a cross-departmental security approach with different tools.
Acts of sabotage on the rise
To make such attacks harder, IT and OT should be separated both physically and logically. Even with this separation in place, production companies must also reckon with internal sabotage. Such insider threats are frequently used in hybrid warfare to manipulate or disable critical infrastructure. The perpetrators are often state-backed and attempt to bribe administrators with extensive privileges into loading malicious firmware onto devices or altering the programming of control systems.
Concerted package of measures
Adequate protection of IT and OT is not merely a question of technology; it requires a cross-departmental approach that orchestrates and synchronizes the individual measures. Where the systems and devices to be hardened run continuously, any hardening work has to fit into the usually short maintenance windows. In addition, for many OT devices no EDR (Endpoint Detection and Response) agent exists at all. Network Detection and Response (NDR) with suitable network sensors, which passively observe device communication and raise alerts on suspicious activity, is the proven alternative for such systems.
Effective risk minimization through MDR
A further challenge is that OT managers often lack the necessary security expertise. A holistic MDR (Managed Detection and Response) approach that includes the required NDR component is a good answer to this problem. External analysts bring broad experience from other environments, and a service provider can efficiently add capacity for detecting specific risks and vulnerabilities and for separating genuine alerts from false positives. This matters all the more as alert volumes keep rising.
Better not to skimp on monitoring
To make the MDR service as targeted as possible, both parties should jointly define which systems are to be monitored and how intensively. The rule is: monitor more rather than less, including systems that cannot be instrumented directly, such as legacy components, by observing their communication. Unknown devices appearing on a PLC network segment or unusual data transfers outside operating hours count as suspicious on principle. When an alert fires, trained security analysts can quickly assess whether the activity is legitimate and, depending on the MDR agreement, notify the responsible team, make recommendations or initiate immediate countermeasures.
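What the two alert conditions just named look like as detection logic, as an added example (not code from the original article or from SECUINFRA) that runs rule checks over flow records of the kind a network sensor would produce. It also uses an asset inventory of the OT cell, the transparency that tip 1 below asks for, and adds a conduit check for traffic crossing the IT/OT boundary. The zones, addresses, ports, operating hours, byte threshold and the flow records themselves are constructed sample data, not values from the page.

```python
"""Rule-based checks over flow records, as an NDR sensor on an OT segment might run them.
Added example; all zones, addresses, ports, thresholds and records are constructed."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Hypothetical zones: the IT office network and one OT cell holding PLCs and HMIs.
ZONES = {"IT": ip_network("10.10.0.0/16"), "OT-cell-1": ip_network("192.168.50.0/24")}

# Asset inventory of the OT cell; anything else seen in that subnet is unauthorized.
OT_INVENTORY = {
    "192.168.50.10": "PLC line 1",
    "192.168.50.11": "HMI line 1",
    "192.168.50.20": "engineering workstation",
}

# Approved IT->OT conduits as (src, dst, dst_port): only the engineering jump host
# may reach the PLC on Modbus/TCP (502) and the HMI on HTTPS (443). Assumed values.
ALLOWED_CONDUITS = {("10.10.5.15", "192.168.50.10", 502), ("10.10.5.15", "192.168.50.11", 443)}

# Production runs 06:00-22:00; larger transfers outside that window are suspicious.
OPERATING_HOURS = (time(6, 0), time(22, 0))
AFTER_HOURS_BYTES = 1_000_000


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one record in the constructed format 'timestamp,src,dst,dport,bytes'."""
    ts, src, dst, dport, nbytes = line.strip().split(",")
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes))


def zone_of(ip: str):
    """Return the zone an address belongs to, or None if it lies outside both zones."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def check_flow(flow: Flow) -> list[str]:
    """Apply the three rules to one flow and return the alerts it triggers."""
    alerts = []
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    involves_ot = "OT-cell-1" in (src_zone, dst_zone)
    # Rule 1: a device inside the OT cell that is not in the inventory.
    for ip, zone in ((flow.src, src_zone), (flow.dst, dst_zone)):
        if zone == "OT-cell-1" and ip not in OT_INVENTORY:
            alerts.append(f"unauthorized device {ip} in {zone}")
    # Rule 2: traffic crossing the OT boundary that is not an approved conduit.
    if involves_ot and src_zone != dst_zone:
        if (flow.src, flow.dst, flow.dport) not in ALLOWED_CONDUITS:
            alerts.append(f"unapproved {src_zone}->{dst_zone} flow {flow.src}->{flow.dst}:{flow.dport}")
    # Rule 3: a bulk transfer touching OT outside operating hours.
    start, end = OPERATING_HOURS
    in_hours = start <= flow.ts.time() < end
    if involves_ot and not in_hours and flow.nbytes >= AFTER_HOURS_BYTES:
        alerts.append(f"after-hours transfer of {flow.nbytes} bytes {flow.src}->{flow.dst}")
    return alerts


def analyze(lines: list[str]) -> list[tuple[Flow, list[str]]]:
    """Return (flow, alerts) for every record that triggered at least one rule."""
    flagged = []
    for line in lines:
        flow = parse_flow(line)
        alerts = check_flow(flow)
        if alerts:
            flagged.append((flow, alerts))
    return flagged


# Constructed records: a normal Modbus poll from the jump host, a rogue device polling
# the PLC, SSH from an unapproved IT host, a 5 MB upload out of the cell at 02:30,
# and a small in-cell exchange at night that should stay quiet.
SAMPLE_FLOWS = [
    "2024-03-04T09:15:00,10.10.5.15,192.168.50.10,502,2400",
    "2024-03-04T09:16:00,192.168.50.99,192.168.50.10,502,800",
    "2024-03-04T10:00:00,10.10.7.33,192.168.50.11,22,1500",
    "2024-03-04T02:30:00,192.168.50.20,10.10.5.15,443,5000000",
    "2024-03-04T03:00:00,192.168.50.10,192.168.50.11,502,300",
]

if __name__ == "__main__":
    for flow, alerts in analyze(SAMPLE_FLOWS):
        for alert in alerts:
            print(f"{flow.ts.isoformat()} ALERT: {alert}")
```

Run as-is, the script flags three of the five constructed records: the rogue device, the unapproved SSH flow and the night-time upload (which trips both the conduit and the after-hours rule). The legitimate poll and the small in-cell exchange stay silent, which is the point of pairing an inventory and a conduit allowlist with a volume threshold: legacy devices that cannot run an agent are still covered purely through what they send.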
Enhanced protection through 24/7 monitoring and expertise
Only with a holistic view of the entire IT landscape and 24/7 monitoring can production companies ensure that attacks crossing between IT and OT are reliably detected and handled in time. If cyber security is instead concentrated on individual areas or islands, dangerous gaps in monitoring arise. Once an entry point has been used, the subsequent spread of ransomware or other malware can then hardly be traced, which makes it considerably harder to contain and limit the damage in an emergency. In practice, every minute counts until the point of entry is found and closed. This is where digital forensics is sometimes needed, which a comprehensive MDR offering can also provide at short notice.

MDR offer with the important NDR module for monitoring OT systems.
5 practical tips for more OT security in production
From an expert's point of view, a comprehensive MDR service is certainly the best foundation for sustainable protection. But IT managers themselves can also do a great deal to prepare or supplement security in their production company:
1. Create transparency and segment networks
A fundamental measure is segmenting the network into manageable zones with clearly defined crossing points, as described in IEC 62443 for example. This requires knowing which devices are involved, when they are in use, how they communicate with each other and how the manufacturers can be reached in an emergency. Past security incidents such as Log4Shell (the Log4j vulnerability) or the SolarWinds supply-chain compromise show how important this transparency is for a quick, targeted response.
2. Make OT procurement secure
Not every device is trustworthy, especially if it comes from non-transparent sources. Some devices even ship with hidden access points (backdoors) from the factory. Open-source components built into devices should likewise be reviewed critically, and the devices' network behaviour monitored with Network Detection and Response (NDR). If internal capacity is insufficient, an MDR service provider with experience in the industry should be brought in, which can also contribute analytical expertise and preventive measures.
3. Risk analyses and crisis management
Seamless patch management is almost unrealistic in an OT environment, as systems cannot simply be taken offline. Well-founded risk analyses help here: they show which components can continue to operate safely without a patch, where compensating controls such as tighter network isolation are needed in the meantime, and which updates are mandatory. Tabletop exercises are also recommended: interactive crisis drills in which roles, reactions and emergency processes are played through realistically and then refined. The lessons learned can in turn be used to draw up and test specific emergency plans.
4. Zero trust and physical security
Digital security alone is no longer enough. Devices are increasingly being manipulated, read out or stolen on site. In addition to digital measures such as a zero-trust architecture, companies should therefore actively include the physical security of their systems in their protection concepts, for example through access controls, video surveillance and USB port protection or device control.
5. Regulatory requirements
Operators of critical infrastructure and system-relevant production are subject to increasingly strict legal requirements, such as the EU NIS2 directive, which demands an end-to-end security assessment covering IT and OT. Companies should therefore check early whether they fall under these regulations and plan and document appropriate measures.
Conclusion
Attacks on OT are particularly serious. The risks range from financial damage to life-threatening situations. This is why no production company can afford to consider IT and OT in isolation. If a holistic security concept including NDR and monitoring cannot be implemented by the company itself or if it lacks the necessary expertise, SECUINFRA is happy to provide support with its broad industry experience and a customized offer.