Risk and asset management must evolve in order to properly secure manufacturing plants, as inevitable digital transformation leads to increased risk and attack surface, and less separation between IT and OT, according to a webinar panel of chief information security officers (CISO) and other experts. Moreover, OT may also need to fall under the purview of the IT or infosec department, rather than be run separately by local engineering teams.
Dragos CISO Steve Applegate, moderator of the virtual event, noted that members of the manufacturing industry are confronting the “increased exposure [of] critical assets” as a result of ongoing digitization. Data or systems that once might have been largely isolated or even air-gapped are more accessible than ever as IT and OT operations converge — and companies are changing their risk management approach as a result.
Indeed, panelist Jeremy Korger, OT cybersecurity lead at Sub-Zero, went as far as to call the notion of air-gapping “a myth.” Due to the increasing likelihood that an IT systems compromise could also affect OT systems, the kitchen appliance manufacturer created a system to prioritize potential threats by using a risk register to track and compare the likelihood of various cyber incidents versus the estimated severity of their impact.
“As we do more and more of this digital transformation, obviously [the] likelihood goes up of a partner being breached … that's going to impact your organization,” said Korger, citing SolarWinds as an industry example. “So we really have to balance that and adjust those likelihood scores … as they go up. And as things move around on that risk register, we know what we should be spending our time on — because all of us are probably very resource-constrained — and try to find out the most valuable things for our organizations to work on.”
James Destro, head of manufacturing industry products at cloud-based SaaS provider ServiceNow, said that because of IT and OT convergence, it is becoming increasingly critical that manufacturers establish a holistic “unified view” of assets and their inherent risk, and practice “unified user governance” of said assets.
Without this more comprehensive overview, remediation of anomalous events can become complicated. Applegate recalled one actual scenario where Dragos spotted a client’s suspicious log event that was registered through a SIEM solution. The problem was: “Nobody knew what this piece of equipment was,” he said. “We start digging and it took us six panes of glass and 20 or 30 minutes just to figure out what OT environment this was in. And then once we found it, it wasn't just as easy as pick up a phone and call somebody — because there's no emergency phone number” to reach the person in charge.
To avoid such problems, Korger said Sub-Zero provides its security team with enterprise-wide asset visibility across multiple manufacturing lines populated by dozens of engineers. This eliminated the practice of having to call multiple individuals whenever a vulnerability or security issue would pop up — an inefficient practice that would tie up resources and often result in inconsistent responses.
Now, “we have a single place to go and look,” said Korger.
As part of this effort to create a single, unified view, Destro said he’s also observed customers in the manufacturing space “shift from engineering or automation maintaining the technology on the shop floor to it becoming a centralized or standardized function that the CIO organization [or] CISO is now responsible for.”
Georgia Pacific is one of those manufacturers. “In the past, our engineering teams typically [ran our plants] independently,” said panelist Fran Cioffi, CISO of the paper and pulp manufacturer. “We've made tremendous changes and transformational shifts in how we operate IT within the manufacturing space. So today, instead of each plant operating independently, we now have our IT groups which coordinate that across our 130 manufacturing locations.”
“We put in those standards. We put in that oversight, and now it's a collaborative effort to put in those IT systems that are secure, but also enable… remote access, if you will, that enables that transformational activity of transitioning data back and forth,” Cioffi continued.
Under Georgia Pacific’s new enterprise-wide OT management model, the company now operates an enterprise special operations center (SOC) that monitors the various plants across the entire ecosystem and acts as a first responder to incidents. “That's one way we're trying to take some of that workload off of our plant and operating teams,” Cioffi explained.
For infosec leaders looking to adopt similar practices within OT environments, it is important to position cybersecurity to upper management as an enabler of digital transformation, rather than as an impediment or simply the cost of doing business. In fact, Destro said it goes even deeper than just enabling digital transformation, suggesting that cybersecurity is actually “foundational” to operating a trusted factory environment that is “secure by design.”
Cioffi said Georgia Pacific looks at cyber as an enabler “because at the end of the day, when we're doing… B2B transactions, our customers expect us to be a secure environment, a secure trading partner to do business with, so we actually use cybersecurity as almost a marketing tool to say, hey, we've got our ducks in a row. We put cyber first — it's an integral part of what we do.
“Cybersecurity enables you to build that digital trust with your suppliers, your trading partners, your customers,” Cioffi said. “It's something that if it's not part of everything you do, I think you're going to probably be left in the back of the pack.”
If nothing else, at least it seems that for many companies in the manufacturing space, the business case for cybersecurity has been made. All one needs to do is read the headlines.
“When you think about all of the recent news attacks of cyberattacks in the industry right now, it's gotten everyone's attention,” said Cioffi. “So [for] our advanced manufacturing transformation initiatives, cyber’s built in up front. It's not something that we have to push anymore … Our executives, our leadership team, our engineering teams, they realize… we can't put in transformational initiatives within the organization and make those investments without cyber being an integral part of that.”