- By Lisa Graham
- Channel Chat
By Lisa Richter
Findings in Vectra’s 2018 Spotlight Report on Manufacturing revealed that attackers who evade perimeter security can easily spy, spread, and steal, unhindered by insufficient internal access controls. (Full disclosure: Vectra sells a platform that uses artificial intelligence to automate cyberattack detection.) Intellectual property theft and business disruption are primary reasons manufacturers have become prime targets for cybercriminals, according to the report.
“Recent reports about nation-state cyberattacks against U.S. utility control systems show that cybercriminals are intent on surreptitiously taking inventory of critical industrial assets and intellectual property to disrupt manufacturing business operations,” says Vikrant Gandhi, industry director at the analyst firm Frost and Sullivan.
Other key findings include:
• a much higher volume of malicious internal behaviors, which is a strong indicator that attackers are already inside the network;
• an unusually high volume of reconnaissance behaviors, which is a strong indicator that attackers are mapping out manufacturing networks in search of critical assets;
• an abnormally high level of lateral movement, which is a strong indicator that the attack is proliferating inside the network.
“The interconnectedness of Industry 4.0–driven operations, such as those that involve industrial control systems, along with the escalating deployment of Industrial Internet-of-Things devices, has created a massive attack surface for cybercriminals to exploit,” warns Chris Morales, head of security analytics at Vectra.
Houston, we have a problem
So, what the hack (sorry) does that mean for system integrators (SIs)? To find out, I booked Rick Kaun, vice president of solutions at Verve Industrial Protection, for the Talking Industrial Automation podcast for a quick brain dump. Among other advice, here are his top four tips for proactive companies looking to step up to the challenge and create a cybersecurity program.
1. Make a centralized team. To the surprise of no one, there is a talent shortage. That means companies have to get creative, says Kaun. “One of the biggest challenges in this space is that there are not enough people,” he says. “Now, try to find people who have a combination of IT [information technology] and OT [operational technology] experience or at least know IT security but have a healthy respect for the operational environment or vice versa, it’s a very short list. So, you need to be creative, and that can often mean creating a centralized team to be able to scale across multiple sites and provide a cohesive and agile solution.”
2. Make a list. Duh, okay, so this may seem obvious, but the first thing you need to do, according to Kaun, is compile a comprehensive inventory. “Inventory is key, because inventory drives all your other decisions,” explains Kaun. “Not all assets are equal, so we need to know what assets are where and what’s critical, because we can’t do full protection on everything, everywhere.”
3. Make a program plan. Wouldn’t it be nice if you could just go to the cybersecurity store and grab a shiny new package off the shelf and then put up your feet and enjoy a beer while you watch the game? Yeah, well, the cold hard reality is that there are no one-size-fits-all solutions—and definitely no silver bullets, says Kaun. That means you have to roll up your sleeves and think big picture. “If you don’t have a plan,” he warns, “you’ll run out and pull the trigger on a bunch of siloed solutions and create a punch list of accomplishments, but none of it necessarily comes together to provide comprehensive coverage . . . Security is a program, not a project, and it needs to be rolled out in a series of multiple phases.”
4. Make a maintenance plan. I bet you knew this one was coming: Cybersecurity is not one-and-done. Even after you have a plan and get it all implemented and sorted, you need to stay on top of it and have the people and processes in place to ensure someone has their hands on the wheel. “Spending all the effort on the program and then having the project team high-five and go home, leaving the day-to-day people—who haven’t had the training or the support or the bandwidth to keep it up—is an incredible waste of time and money,” explains Kaun.
To learn more about cybersecurity, including standards and events to get up to speed, listen to episode 24 of the Talking Industrial Automation podcast.