Smart Manufacturing and Digital OT Transformation Call for Updated Security Practices

Long before March 2020, manufacturers were pursuing digital transformation (DX) and other priorities  like implementing advanced analytics, automation, and data-driven optimization to improve efficiency. But when the pandemic hit, digitization efforts went into overdrive. Suddenly, organizations needed solutions for addressing new safety, remote monitoring, and hiring challenges.

ISG PREDICTS: Smart Manufacturing Accelerates Adoption Post-pandemic: 2020 – 2025

All along, DX has been a major driving force behind the OT/IT convergence. Today, smart manufacturing relies on this convergence, and industry leaders understand its importance for managing costs, controlling quality, and staying competitive. In the U.S., “86 percent of manufacturers believe that smart factories will be the main driver of competition by 2025,” according to a Deloitte report.

And while enterprise and plant leaders certainly recognize the need for smart manufacturing, many are struggling with how to ensure that OT security maintains pace. Historically, plant managers and security teams could rely on the “air gap” between OT devices and the organization’s IT network to keep OT devices and processes safe from remote attacks. But as manufacturers connect OT and Industrial Internet of Things (IIoT) equipment to IT networks and systems and cloud-based solutions, the air gap is rapidly dissolving.

The result is an exponential increase in cybersecurity incidents. A Forrester Consulting study commissioned by Armis found that “66% of manufacturers have experienced a security incident related to IoT devices over the past two years.” In 2020, the average cost of a breach was $3.86 million, so these incidents can quickly undermine the return on investment (ROI) from smart manufacturing technology.

To benefit from digital transformation without exposing your organization to additional cybersecurity risks, it’s important to understand the unique security risks and vulnerabilities of  IIoT devices and how to address them.

What Makes OT/IIoT Device Security Different from IT Security?

Connected manufacturing devices—whether they’re sensors that retrofit onto legacy equipment or brand-new smart equipment—generally don’t have the same attributes as devices built for the IT network environment.

OS Differences

Many legacy OT devices run on older operating systems that get few to no updates. VxWorks is a good example. We’ve described it as “the most widely used operating system you may have never heard about.” First released in 1987, VxWorks has changed hands several times since—all while growing in adoption to power more than 2 billion industrial, medical, critical infrastructure, and other devices worldwide. VxWorks is hard to update, so many users are running older versions on their equipment, with security implications we’ll cover below.

New IIoT devices present a different OS challenge: you can choose from dozens of different options. That flexibility may be great in some regards, but it can complicate security management of OS statuses, vulnerabilities, updates, and alerts, especially when organizations or plants run different devices on different operating systems.

Installation and Oversight Differences

In a typical organization, the IT department installs IT devices and should really oversee any device that is connected to a network. But OT and IIoT devices often fly under the radar. Part of the problem is that IIoT devices, such as environmental sensors, equipment vibration sensors, and remote video cameras, are often marketed as easy and fast to install with no wiring or coding required.

This ease of installation and use can be appealing to busy plant managers who want to start collecting data and monitoring processes quickly. It also can lead to the creation of IoT networks that are essentially “shadow IT” within the larger environment. That raises the risk that OS, app, or communication vulnerabilities and incidents will go unnoticed by the security team.

OT Devices are Often Invisible to Traditional Network Tools

OT and IIoT security is further complicated by the fact that many devices don’t appear on traditional IT network monitoring tools, and the use of scans can interfere with the way the devices work. That’s because IT scans are designed to look for and probe agented devices that are active on the network. However, most OT/IIoT devices cannot accommodate agents, and scans that probe their OS and apps can disrupt their functions or cause them to fail.

Why are Digital OT and Smart Equipment Such Common Targets of Cyber Attacks Now?

Organized criminals and state-sponsored attackers are well aware that smart devices can often act as points of vulnerability to compromise. For example, Armis uncovered 11 zero-day vulnerabilities in VxWorks that left devices open to remote code execution, data leaks, denial of service, and firewall bypass for access to the wider network. We worked with WindRiver, the current VxWorks steward, to release an October 2020 update to patch these vulnerabilities. However, as of December 2020, 97% of the affected devices still remain unpatched.

Vulnerabilities like these—especially if left unaddressed after they’re made public—put organizations at serious risk for theft of customer and business data, as well as sabotage of operations and databases, and ransomware attacks. Recovering from these attacks is costly and it can take months or years to identify all the damage and rebuild customer, vendor, and investor trust.

What are the Best Practices for Secure OT Transformation and Smart Manufacturing?

Securely managing your digital transformation starts with defining the goals of your smart manufacturing program. These goals will inform device selection, security needs, training requirements, and your implementation process. They’ll also shape your competitive footing and determine your time to ROI in the new smart manufacturing landscape.

Harvard Business Review outlines four stages of digital transformation. For a manufacturer, the stages might look something like the following:

1. Gain operational efficiencies by using sensors to gather environmental data, such as pressure, temperature, humidity, and machine speeds.
2. Include sensors and other smart devices  on products to collect customer-usage data for product improvements.
3. Leverage customer device data for new offerings, such as subscriptions that help customers work more efficiently.For example, helping farmers transition to precision agriculture.
4. Use customer device data to create digital platforms for customers to optimize their experience and generate more revenue. In other words, build a community for your customers where you can engage and listen in for product feedback and ideas.

Core Elements of OT and Smart Manufacturing Cybersecurity

For each stage of your plan, prioritize asset identification, monitoring, and security. At every stage, these priorities impact operational security and, for government contractors, support compliance with IIoT security regulations. As your smart manufacturing plan starts leveraging customer device data, security is critical for customer experience, brand reputation, and liability protection in the event of an incident.

A comprehensive smart device security program will include:

• Agentless and passive monitoring capabilities to see every device in the environment while protecting OT device function
• Continuous device activity and communication monitoring for rapid anomaly detection and response
• Risk assessment and scoring to help your security team prioritize responses
• Automated alert and update options
• Easy integration with IT security monitoring for a single source of truth

The Armis Agentless Device Security Platform makes it easy to secure your digital transformation, so you can maximize and protect the ROI on your smart manufacturing initiatives. Request a demo today and see why Fortune 100 companies entrust their OT security to us.