May 10, 2022

OT at risk: Is industry striking the right balance between operations and security?


As ransomware attacks on manufacturers and critical infrastructure increase, it’s time to revisit the question of whether compliance with common standards is enough to protect operations. At Armis, we believe that compliance with security guidelines like the NIST Cybersecurity Framework is an important part of an organization’s security foundation, but it’s not the entire security structure.

Too often, operation managers focus their concerns on physical risks to equipment and sites. And for good reason: equipment malfunctions, terrorist attacks, and insider sabotage all have the potential to harm employees, damage operations, and even put the public at risk.

Even physical threats to industrial control systems now have cyber components. For example, when digital intruders gain remote access to a power grid or a water treatment plant’s operational controls, they can cause physical harm from a distance. Preventing these attacks requires a commitment to cybersecurity that goes beyond punch-list compliance to embrace a digital security mindset, new practices, and security technology across the organization.

Modernizing OT systems poses challenges

As more manufacturers and critical infrastructure providers modernize their ICS equipment and operations, they’re storing more device data in the cloud for faster, more accessible analytics and reporting, increased productivity, and better data security. However, nearly 60% of IT leaders say the biggest cloud migration challenge they face is maintaining security and compliance, according to a Lemongrass/Upwave survey. 

Converging IT and OT also expands compliance requirements. For example, most global organizations must comply with GDPR standards for protecting customer data as well as ISA standards for data acquisition, tracking and reporting. U.S. government contractors must also meet and maintain FISMA standards for cybersecurity. Compliance with all of these standards requires comprehensive cybersecurity that includes all devices in the organization’s environment—including OT devices that legacy IT security solutions can’t see or support.

Cybersecurity is no longer just for IT and corporate networks

Why is OT out of the cybersecurity loop? For decades, ICS cybersecurity simply didn’t exist because it didn’t need to. Operational technology and information technology were separate domains with separate systems that didn’t connect to each other, and legacy industrial devices didn’t connect independently to the internet or to each other. This disconnection—the so-called “air gap”—was thought to be all the security that OT systems needed, aside from physical access control.

Now, though, IT/OT integration is becoming the norm. Connected devices stream data, monitor equipment and processes, and support line automation and other Industry 4.0 functions, so the air gap is no longer a reliable method of OT security. As OT and IT continue to merge, cybersecurity requirements now apply to ICS just as much as to corporate networks, but many organizations struggle to find the right approach to protect their operational technology. 

For example, many operation managers are concerned about downtime and the impact of implementing more security for their OT, IIoT, and other ICS devices. That’s understandable because legacy solutions that are built to scan IT networks can knock these devices offline or cause them to malfunction—if the scan can detect them at all. 

Facilities that can’t operate securely are at risk of going offline at any moment. A ransomware attack on an ICS facility can halt operations and leak operational and corporate data to the dark web—or destroy that data altogether. Just consider how lucky shipping giant Maersk was when NotPetya malware rampaged through the company’s systems. If it hadn’t been for a random power outage that kept a domain controller backup offline, Maersk would have been unable to recover its server backup data.

Fortunately, organizations no longer have to choose between predictable uptime and ICS cybersecurity. A non-disruptive solution for quickly identifying and continuously monitoring OT and ICS devices is now available. And the risks of delaying implementation of OT security are too big to ignore.

ICS cyberattacks change the risk/benefit calculation

ICS cybersecurity incidents can cause immediate problems such as operational disruption, financial losses, and risks to personnel and equipment, as well as longer-term problems like customer churn, remediation expenses, and regulatory penalties.

[Figure: cybersecurity event impacts. Source: CISA, Recommended Cybersecurity Practices for Industrial Control Systems]

Conversely, when organizations adopt security solutions that let them see, assess, and monitor all their devices, those security improvements deliver other benefits, including:

Savings on unplanned downtime and shutdowns

McKinsey reports that in the materials and energy sectors, “outages typically consume between a third and half of the overall maintenance budget and can reduce annual production volume by 5 to 10 percent.”

Continued access to cybersecurity insurance

As ransomware attacks and other incidents push insurers’ losses higher each year, they’re hiking premiums, reducing coverage limits and implementing stricter underwriting standards for organizations seeking cybersecurity coverage. The result is that “organizations will need a robust system of cybersecurity to even qualify for insurance,” according to an S&P Market Intelligence article from June 2021. 

Proper ICS security also frees organizations to optimize their operations by protecting the data they collect from their equipment and process monitoring devices, so they can improve their service and products and drive growth.

Total asset visibility secures and supports Industry 4.0

Flex, a major multinational provider of electronics design, manufacturing, and supply-chain solutions, offers an example of how cybersecurity supports modern ICS. The company’s Industry 4.0 and IoT initiatives enable Flex to operate as efficiently as possible and leverage process data for continuous optimization. 

However, the devices that Flex relies on to deliver these ICS benefits must be secure to prevent intrusions and disruption. “We have to think about how we’re going to discover those assets and protect those assets,” said Friedrich Wetschnig, Flex CISO and vice president of enterprise IT. Wetschnig notes that the challenge with most IoT devices is that they are not running on traditional operating systems, so agent-based scanning simply won’t work. By implementing the Armis Agentless Device Security Platform, Flex is able to see every device in its global environment, monitor device activity, and react quickly if an issue arises.

Stronger ICS cybersecurity, lower downtime risks, better efficiency

Now is the time to reevaluate your ICS security scope, best practices, management, and cost/benefit calculations. The right device identification, assessment, and monitoring platform will enable you to move forward with minimal installation challenges and added administrative tasks. 

Updating ICS protection is also the key to remaining competitive in a world where ICS is a major target for cyberattacks that can cause operational disruptions, data loss, compliance penalties, damage to vendor and customer relationships, and expensive remediation programs. Armis gives you the ability to manage the security complexities of modern manufacturing. Request your OT security demo today.
