Dec 2, 2021

Chapter 6 – Operational downtime explained: A case for passive network security monitoring

Measuring your security controls

In industrial environments operating 24 hours a day, unplanned downtime keeps plant managers awake at night. Avoiding onerous operational disruptions is a strong reason for manufacturers to consider the cyber implications of the convergence between information technology (IT) and operational technology (OT).

Here are the main takeaways from this article: 

  • Downtime not only causes revenue losses and supply disruptions but also damages a company’s reputation.
  • Traditional security tools do not address the unique challenges of protecting OT and can create further disruptions.
  • OT leaders need to invest in real-time passive security monitoring solutions to minimize the risk of downtime caused by cybersecurity incidents. 

What causes manufacturing downtime?

Industrial downtime happens when manufacturers are not operating at their expected levels. Production interruptions can be divided into two categories:

Planned downtime

Planned downtime refers to interruptions scheduled in advance, usually for maintenance, adjustments or product changeover. Examples include planned periods in which the production stops to tune up machinery. 

Planned maintenance and equipment inspections are often considered crucial to reducing the chance of unplanned downtime. According to a study conducted by Forrester Consulting on behalf of IBM, unplanned downtime costs 35% more per minute than planned downtime.

Unplanned downtime

Unplanned downtime refers to unexpected incidents that stop the production line for an undetermined amount of time. Common examples include equipment or system failure, human error and cybersecurity incidents. Shortages of personnel to cover shifts, or of materials, can also interrupt production.

In a manufacturing environment, accidentally unplugging a cable can disrupt production and lead to costly downtime. A single engineering workstation experiencing the dreaded blue screen of death can also cost tens of thousands of dollars in missed production. 

Take an example from the steelmaking industry, where a computer operates the spectrometer robot that analyzes the chemistry of each steel batch. If that computer crashes, the whole production line goes down because product quality cannot be assessed.

Consequences of downtime in manufacturing

Downtime is a common occurrence in all businesses and has a clear impact on their bottom line. According to a Vanson Bourne global study, 82% of companies have experienced at least one unplanned downtime outage over the previous three years. In the manufacturing industry, downtime disrupts the production line and causes a domino effect on the supply chain. 

Productivity and financial losses

As per another study, industrial manufacturers lose $50 billion annually due to unplanned downtime. The cost of downtime is often associated with the loss of production. 

Supply chain disruption and reputation damage

Manufacturers in sectors such as food, beverage and infrastructure often run 24/7. Stopping production can have consequences for business partners and consumers. Missed production can result in service disruptions, product shortages and price hikes. Those outages also risk the trust and confidence of customers and employees in the organization.

Cybersecurity is crucial to ensuring operational uptime

As Gartner notes in its Market Guide for OT Security, building operational resilience is a top priority for organizations in the post-pandemic world. Investing in OT security is critical to support those efforts and ensure industrial continuity.

The rise of cyberattacks against critical infrastructure and manufacturing operations has reinforced the need to strengthen cyber defenses to avoid downtime. According to a study conducted by Forrester Consulting on behalf of Armis, 66% of manufacturers had encountered an IoT-related security incident in the previous two years. The report also indicates that 84% of the surveyed IoT security leaders are concerned about external hackers, and 80% are worried about viruses, network worms and other malware threats.

With IT/OT convergence and the proliferation of Internet of Things (IoT) devices in industrial environments, the attack surface has grown. Attacks are growing in scope and sophistication.

These high-profile attacks, among others, show the importance of cybersecurity to operational resilience and business continuity: 

  • Molson Coors. A hack took down the systems of this brewer, which is behind popular brands such as Coors, Molson, Pilsner, Miller and Grolsch. The attack forced the company to cease production and interrupt shipments.
  • Bakker Logistiek. The food-logistics firm was attacked and took six days to get its operations running again, causing cheese shortages in supermarkets across the Netherlands.

OT security challenges 

Protecting industrial environments from cyberattacks in the Industry 4.0 era has its own challenges. OT and IoT devices cannot be secured with traditional security tools because they are:

  • Unmanaged, which means that they cannot take a traditional security agent to monitor and protect them from threats. Agent-based monitoring works for enterprise IT environments that deal with computers and servers. As per Armis’s commissioned study, 76% of manufacturing enterprise IoT professionals recognize their current security measures are inadequate for unmanaged IoT devices. 
  • Sensitive to active scans, which are notorious for crashing OT systems.
  • Not designed with security in mind. For example, many devices do not have a method to receive security patches from the developer.

Security monitoring requirements to protect Industry 4.0

Armis’s research shows that companies only see an average of 60% of the devices in their environment. To ensure comprehensive asset and network visibility, industrial organizations need to deploy agentless monitoring tools that offer real-time passive monitoring. 

Your security solution needs to be always on. All communication pathways, including WiFi, Bluetooth and Ethernet, need to be continuously monitored. 

Methods such as network access control (NAC) are insufficient to secure industrial environments. NAC only decides what devices should and should not be on the network, but it is not designed to monitor the behavior of devices. In other words, it lacks context. Industrial environments also require a security solution that knows what is expected from each device and can take action if it starts to behave abnormally. 

The Armis Agentless Device Security Platform can discover all assets in your environment, both managed and unmanaged. It then performs a risk assessment to identify all vulnerabilities and threats – critical to developing policy enforcements as part of a mitigation plan. The Armis platform understands the context of each device and, thanks to our Device Knowledgebase, can identify if any anomaly occurs.


Asset discovery methods are divided into passive and active. It’s worth clarifying that there is no such thing as “passive scanning”: a scan, by definition, sends probes to the devices on your network, and in sensitive OT environments those probes risk disrupting the very equipment being inventoried.

The Armis platform doesn’t perform active scanning. Our approach is what we refer to as “passive listening” to emphasize that we monitor the network quietly, only listening to traffic that is already flowing, without sending anything to users, systems or machines.
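To make the distinction concrete, here is an added example (not Armis code and not from this article) of what passive listening looks like in practice: a Python script that reads already-captured Ethernet frames and builds an asset inventory without transmitting anything. The MAC and IP addresses, the sample frames and the Modbus messages are constructed for illustration; the port-to-protocol table uses the real well-known ports, and Modbus/TCP on port 502 is decoded just far enough to tell reads from writes.

```python
"""Passive asset discovery from already-captured frames.

Added example, not Armis code: the script only reads frames it is given and
never transmits, which is the property that makes 'passive listening' safe
on fragile OT networks. All addresses and frames below are constructed.
"""
import struct
from collections import defaultdict

ETH_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6

# Well-known industrial protocol ports (real assignments) used to label services.
KNOWN_OT_PORTS = {102: "s7comm", 502: "modbus-tcp", 20000: "dnp3", 44818: "ethernet-ip"}

# Modbus function codes that change process state (writes), as opposed to reads.
MODBUS_WRITE_CODES = {5, 6, 15, 16, 22, 23}


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b""):
    """Construct a minimal Ethernet/IPv4/TCP frame for offline testing.

    Checksums are left at zero: the parser ignores them, and nothing here is sent.
    """
    eth = _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, PROTO_TCP, 0, _ip(src_ip), _ip(dst_ip))
    return eth + ip + tcp + payload


def modbus_request(unit, fcode, addr, value):
    """MBAP header + PDU: tid, protocol id 0, length of (unit id + PDU), unit id, PDU."""
    return struct.pack("!HHHBBHH", 1, 0, 6, unit, fcode, addr, value)


def parse_frame(frame):
    """Decode Ethernet/IPv4/TCP; return None for anything else (ARP, UDP, ...)."""
    if len(frame) < ETH_LEN + 20:
        return None
    dst_mac, src_mac = frame[0:6].hex(":"), frame[6:12].hex(":")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != PROTO_TCP or len(ip) < ihl + 20:
        return None
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    payload = tcp[(tcp[12] >> 4) * 4:]
    return src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload


def build_inventory(frames):
    """Build {mac: {"ips", "services", "modbus_writes"}} purely from observed traffic."""
    assets = defaultdict(lambda: {"ips": set(), "services": set(), "modbus_writes": 0})
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload = parsed
        assets[src_mac]["ips"].add(src_ip)
        assets[dst_mac]["ips"].add(dst_ip)
        # A known OT port as destination marks the receiver as offering that service;
        # replies to ephemeral ports carry no such information and are skipped.
        if dport in KNOWN_OT_PORTS:
            assets[dst_mac]["services"].add(KNOWN_OT_PORTS[dport])
        # Modbus: byte 7 of an MBAP-framed request is the function code.
        if dport == 502 and len(payload) >= 8 and payload[7] in MODBUS_WRITE_CODES:
            assets[src_mac]["modbus_writes"] += 1
    return dict(assets)


# Constructed sample capture: an HMI reads from a PLC, the PLC replies, an
# engineering workstation writes a register, and an ARP frame is ignored.
HMI, PLC, EWS = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"
SAMPLE_FRAMES = [
    build_frame(HMI, PLC, "10.0.1.10", "10.0.1.20", 49152, 502, modbus_request(1, 3, 0, 10)),
    build_frame(PLC, HMI, "10.0.1.20", "10.0.1.10", 502, 49152, struct.pack("!HHHBBB", 1, 0, 3, 1, 3, 0)),
    build_frame(EWS, PLC, "10.0.1.30", "10.0.1.20", 50000, 502, modbus_request(1, 6, 0, 1)),
    _mac(PLC) + _mac(HMI) + struct.pack("!H", 0x0806) + b"\x00" * 28,  # ARP, not IPv4
]

if __name__ == "__main__":
    for mac, info in build_inventory(SAMPLE_FRAMES).items():
        print(mac, sorted(info["ips"]), sorted(info["services"]), "writes:", info["modbus_writes"])
```

In a real deployment the frames would come from a SPAN/mirror port or a network TAP rather than a list in memory; the point is that the inventory (three assets, one of them offering Modbus/TCP, one of them issuing writes) is derived entirely from traffic the plant was already generating.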

Roadmap to preventing operational downtime caused by cybersecurity incidents

1. Security awareness and training

The first step toward better cybersecurity is raising awareness of, and compliance with, proper cybersecurity controls. Organizations need to train employees on the cyber implications of their day-to-day activities and so minimize the risk of breaches with bottom-line impact. As per the Vanson Bourne study, user error is a more common cause of unplanned downtime in the manufacturing industry than in other sectors.

2. Agentless security monitoring

Asset discovery and inventory are critical to OT security because organizations need to know what devices and connected systems they have in their networks and what their vulnerabilities are. Your security solution should be agentless because OT and IoT devices cannot accommodate security agents.

3. 100% passive network monitoring

For effective threat detection, your OT security solution should continuously monitor the devices and traffic in your network. Do not run active vulnerability scans against OT devices: they are intrusive, and OT systems and devices are sensitive to unexpected traffic. The best approach to avoid crashes or any negative impact on performance is to monitor devices and traffic in your network or airspace with a passive tool such as the Armis platform. Passive monitoring does require a copy of the traffic, typically from a SPAN/mirror port or a network TAP placed where the OT segments can be observed.

4. Cybersecurity mitigation plan

Network segmentation is a good practice to prevent attackers from moving laterally in your network and causing more damage. It’s crucial to have real-time policy enforcement and automated remediation to isolate devices, trigger alerts and initiate software updates in case an anomaly is detected.
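As an added example (not part of this article and not the Armis platform's own logic), the following Python sketch shows how “knowing what is expected from each device” can be turned into enforceable policy: a baseline of observed flows is learned during a monitoring window, flows seen afterwards are classified against it, and the baseline is rendered as an allowlist of firewall rules with a default deny. The zones, addresses, flows and the isolate-versus-alert decision rule are assumptions made for illustration.

```python
"""Behaviour baseline and allowlist segmentation from observed flows.

Added example, not Armis code. Zones, addresses, flows and the isolate/alert
decision rule are assumptions made for illustration.
"""
import ipaddress

# Hypothetical plant zones (assumption for this example).
ZONES = {
    "control": ipaddress.ip_network("10.0.1.0/24"),
    "enterprise": ipaddress.ip_network("10.0.2.0/24"),
}


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


class FlowBaseline:
    """A flow is (src_ip, dst_ip, proto, dst_port). Expected behaviour is the set of
    flows seen during a learning window (in practice days or weeks of passive capture)."""

    def __init__(self):
        self.allowed = set()

    def learn(self, flows):
        self.allowed.update(flows)

    def evaluate(self, flow):
        """Classify one newly observed flow against the baseline and pick a response."""
        if flow in self.allowed:
            return {"flow": flow, "verdict": "expected", "action": "none"}
        src, dst, _proto, _dport = flow
        # Decision rule (assumption): a new flow crossing into the control zone is
        # quarantined; an unexpected flow that stays inside one zone is only alerted on,
        # because isolating a live controller on a false positive is itself downtime.
        crosses_into_control = zone_of(dst) == "control" and zone_of(src) != "control"
        action = "isolate" if crosses_into_control else "alert"
        return {"flow": flow, "verdict": "anomalous", "action": action}

    def iptables_rules(self):
        """Render the baseline as an allowlist for a zone-boundary firewall: every
        learned flow is permitted and everything else is dropped."""
        rules = [
            f"iptables -A FORWARD -s {src} -d {dst} -p {proto} --dport {dport} -j ACCEPT"
            for src, dst, proto, dport in sorted(self.allowed)
        ]
        rules.append("iptables -A FORWARD -j DROP")
        return rules


# Constructed learning-window flows: an HMI and a historian talk to the PLC, nothing else.
LEARNED_FLOWS = [
    ("10.0.1.10", "10.0.1.20", "tcp", 502),   # HMI -> PLC, Modbus/TCP
    ("10.0.2.40", "10.0.1.20", "tcp", 502),   # historian (enterprise zone) -> PLC
]

# Constructed flows observed after the learning window.
NEW_FLOWS = [
    ("10.0.1.10", "10.0.1.20", "tcp", 502),   # expected
    ("10.0.2.50", "10.0.1.20", "tcp", 502),   # unknown enterprise host connecting to the PLC
    ("10.0.1.10", "10.0.1.21", "tcp", 502),   # HMI reaching a PLC it never spoke to before
]


def run(learned=LEARNED_FLOWS, observed=NEW_FLOWS):
    baseline = FlowBaseline()
    baseline.learn(learned)
    return [baseline.evaluate(f) for f in observed], baseline.iptables_rules()


if __name__ == "__main__":
    decisions, rules = run()
    for d in decisions:
        print(d["verdict"], d["action"], d["flow"])
    print("\n".join(rules))
```

The generated rules are only as good as the learning window: a flow that legitimately occurs once a quarter (a firmware update from the vendor laptop, for instance) will be absent from the baseline and blocked, so review the allowlist with the process engineers before enforcing it rather than alerting on it.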

The Armis Agentless Device Security platform can automatically generate segmentation policies for certain devices to minimize risk exposure. Book a custom demo to discover how to detect and mitigate cyber threats with our platform.

Check out all IT OT Convergence Playbook Chapters:

  1. Chapter 1 – Industry 4.0: OT Security Challenges
  2. Chapter 2 – A Roadmap to Comprehensive ICS Security
  3. Chapter 3 – The Urge for Infrastructure Protection
  4. Chapter 4 – How to Secure Industrial Environments
  5. Chapter 5 – Complete Network Visibility: Find All Assets
  6. Chapter 6 – Operational Downtime and Passive Monitoring
  7. Chapter 7 – Protecting Industrial Assets with Network Segmentation
  8. Chapter 8 – ICS Risk Assessment
  9. Chapter 9 – Top Security Frameworks for OT Environments
  10. Chapter 10 – Zero Trust Security Framework for ICS
  11. Chapter 11 – Armis Role on CIS controls
  12. Chapter 12 – ICS/OT MITRE ATT&CK Framework
  13. Chapter 13 – 2021 The Year of Ransomware Attacks
  14. Chapter 14 – Guide to I/OT Integration
