When Verizon released its Data Breach Investigations Report (DBIR) last May, it found 381 of the 3,950 data breaches confirmed in the prior year occurred in manufacturing businesses. Hackers’ motivations were largely financial, although espionage played a part as well. Nearly a quarter of incidents in manufacturing involved ransomware, which is especially damaging to those needing highly available networks.
In February of this year, researchers identified a vulnerability in programmable logic controllers that help run manufacturing processes. The vulnerability allows attackers to make unauthorized changes to configurations and application code. The U.S. Cybersecurity & Infrastructure Security Administration rated the vulnerability’s severity a 10 out of 10 and said a hacker would only need low-level skills to exploit it.
Meanwhile, manufacturers everywhere are eager to realize the benefits of evolving technologies to address digital business transformation, including the industrial internet of things, robotic process automation and artificial intelligence, machine learning and blockchain. For manufacturing firms’ CIOs and CISOs, however, addressing vulnerabilities on their networks is a critical prerequisite to exploring these transformative opportunities.
An Exploitable Technology Landscape
Manufacturers haven’t historically been viewed as prime cyber-attack targets. Consequently, they haven’t focused on vulnerability management in the same way financial services or retail businesses have. However, as manufacturing companies’ networks of information technology (IT) and operating technology (OT) grow in complexity, their cyber risks increase. If manufacturing companies fail to address cybersecurity vulnerabilities, they are more likely to be exposed to major cybersecurity attacks.
Legacy OT control systems can create situations where networks are more vulnerable. Many of these underlying control systems are unable to address today’s cybersecurity risks. Unlike modern, feature-rich IT assets, OT devices are purpose-built, and many of them in use today lack modern operating systems and therefore cannot interact with conventional vulnerability management scanners. In addition, these devices must be secured in a way that minimizes downtime, which makes scanning and securing them more complicated.
A Skills Gap
Vulnerability management skills include knowing where weaknesses are likely to occur and how to prioritize and remediate them. They also include the ability to coordinate vulnerability management tasks with diverse stakeholders. It’s rare to find OT cyber talent and experienced leaders and engineers who understand the challenges with managing cybersecurity for OT as well as for IT; know how to secure devices in the office, the server room and on the shop floor; and can also communicate with IT and process operations stakeholders. Strong relationships throughout the organization are critical in vulnerability management leadership roles because patching systems and remediating vulnerabilities requires coordination to keep outages to a minimum.
This skills gap and a lack of a cohesive, continuous OT cybersecurity program involving people, processes and systems result in a reactive, rather than proactive, response to cyber incidents. But OT vulnerability management shouldn’t be triggered by risk events; rather, it should be driven by a commitment to regular engagement.
Where to Start?
Start by reviewing any current vulnerability management activity.
- Does the organization agree on risk tolerance levels for all OT devices which are core or critical to manufacturing operations?
- Are current vulnerability management practices aligned with the risk tolerance of the organization?
- Are vulnerabilities identified and prioritized throughout the IT and OT environments?
- Has the organization documented potential gaps in properly managing cyber threats?
- Are known vulnerabilities being remediated?
- Are IT and OT teams communicating regularly and coordinating their responses to new vulnerabilities as they emerge?
Strong sponsorship is essential for effective vulnerability management, especially when the program is first introduced. Sponsors must help with clearing obstacles and ensure that OT cybersecurity teams have access to experienced OT cyber engineering resources. There is ample evidence to suggest that when business stakeholders commit to regular, ongoing conversations about their organization’s cyber vulnerabilities they begin to understand and agree on how their operations need to be protected and they begin to anticipate future vulnerability risks.
Strong asset management will bring visibility to all devices and their vulnerabilities and should include IT and OT hardware and software. It’s critical to understand the unique vulnerabilities of each device on the network. Automating asset management tracking is central to mapping all of the network’s devices, uncovering where vulnerabilities are likely to exist, and closing cybersecurity gaps.
A risk-based approach provides the highest priority to those vulnerabilities for which code exploits exist and remediations are already available. Once exploit code is accessible to hackers, the likelihood of an attack increases dramatically. Then, even an inexperienced hacker could compromise a network.
Vulnerability Management as a Service
Vulnerability management for manufacturing is a complex capability but budgets are often stretched. Many manufacturing firms are subscribing to a “vulnerability management as a service” model so they can predict and contain expenses. These services may include a cost guarantee for a defined capability level to balance risk and expenditure. Providers can design a complete, custom vulnerability management program for a manufacturing plant and then operate the program day-to-day as well.
Manufacturers are becoming more aware of how vulnerable their networks are to malicious actors. The good news is there are ways to strengthen and even co-source vulnerability management programs. The most successful CIOs and CISOs recognize the unique characteristics of their IT and OT hybrid networks and give vulnerability management the focus needed to help mitigate cyber risks.