Feb 15, 2022

What Does Operational Technology (OT) Resilience Look Like Now?


The pandemic forced manufacturers and supply chain providers to make fast, often dramatic changes to their operations. In many cases, these changes simply accelerated digital transformations that were already planned or underway. In others, organizations may have thought of at least some of the changes as temporary.

Now, as industries adjust to a new landscape that includes ongoing supply-chain challenges and a shortage of talent in many sectors and roles, it looks like most, if not all, of the operational changes the pandemic pushed forward are here to stay. And that means that operational technology (OT) resilience looks different—and has higher stakes—than pre-pandemic.

Automation via smart equipment and robotics drove some of the biggest changes. Just consider that industrial robot orders from North American companies jumped 67% in Q2 2021, compared to the same (pre-pandemic) quarter in 2020. Based on International Federation of Robotics data, it looks like that growth in robot orders will continue for several years.

Annual installations of industrial robots 2015-2020 and 2021-2024

Some industrial operations were already at the forefront of automation before March 2020. During the pandemic, more industries and sectors, including healthcare and grocery stores, added automation to help streamline tasks like COVID-19 test processing and gathering orders for curbside pickup and delivery.

Growing Threats to OT Environments Require New Cybersecurity Strategies

This rapid growth and expansion of automation and smart devices expands the attack surface and introduces new vulnerabilities. Given the changes to environments, organizations need to make simultaneous investments in IT/OT security integration to protect connected industrial devices from intrusion.

For example, attackers who breach an OT network might be able to exfiltrate operational data and intellectual property. This type of attack can lead to costly breach-remediation efforts, compliance penalties, and brand damage. The intruders may be able to gain control of equipment and change the way it works or shut it down. Either of those actions could lead to equipment damage, endanger workers, and possibly put the public at risk.

Consider VxWorks, the world’s most commonly used real-time operating system (RTOS) for devices that “require high accuracy and reliability, such as critical infrastructure, networking equipment, medical devices, industrial systems, and even spacecrafts.” In fall of 2020, Armis reported on 11 zero-day vulnerabilities, dubbed URGENT/11, in the VxWorks TCP/IP stack. The vulnerabilities gave attackers ways to get around firewalls and other security barriers. They could also remotely connect to OT devices running VxWorks and broadcast to affected PLCs to “effectively take over the entire factory,” even if they didn’t know beforehand what devices were in the facility.

Worse, one attack scenario allowed attackers to take control of the target’s firewalls through VxWorks-controlled devices on the network perimeter, effectively “compromising all of the networks behind them.” The vulnerabilities also enabled attackers who were already inside a target’s network to hijack VxWorks-controlled devices, without interacting directly with them.

These sorts of attacks could bring a facility’s operations to a halt, corrupt or destroy networks, and put sensitive data at risk. Armis and WindRiver worked together to build a VxWorks version that remediates all the vulnerabilities to protect users from these potential attacks.

These examples aside, the biggest security concern now for many manufacturers is ransomware attacks. Criminal and state-sponsored groups have been targeting manufacturing and critical infrastructure for years, and that trend only accelerated during the pandemic. To put the current scope of threats into perspective, consider the chart below. It classifies 193 ransomware attacks during April and May 2021 by industry and target revenue, and the impact on manufacturing is outsized.

Figure 1: A view of the 193 attacks grouped by victim revenue size and industry sector

Armis, The Ransomware Roll-up

Although manufacturing was hit particularly hard, no industry was immune to ransomware attacks. The implications on security are stark for companies adding new automation technology to legacy OT systems and organizations that are new to using OT systems. To protect their operations and revenue, they need to take a fresh look at the way they think about and plan for operational resilience, including how they assess and monitor OT assets.

Device Assessment Challenges and Solutions

Of course, if assessing and monitoring OT devices were easy, it would already be widespread across all industries. The challenge, however, is that OT and IoT devices don’t work the same way that most IT devices like desktops and servers do. The security tools that safeguard IT networks, such as agents, can actually crash OT and IoT devices and lead to a different set of frustrating operational challenges.

As a result, some OT security managers feel like they must choose between efficient operations and security practices. However, as attacks on OT increase, it’s critical that organizations can identify every device in their environment, know its physical location, see what software it’s running, and map its connections to other devices.

It’s also important to continuously maintain this visibility in real-time to identify problems with device software, communications, and function before unusual behavior on a device can contribute to a major incident. A platform that can identify OT and similar devices without requiring downtime or disrupting operations is a must for a resilient OT environment.

A Resilient Strategy for OT and IT Asset Management

With the right device security platform, you can also monitor and control every device in the environment, and see their connections to understand their position within networks and segments. This gives you the ability to see what device-to-device communication is taking place, when each device is communicating, and whether they’re encrypting sensitive data during transmission. With this visibility, you can quickly see if, for example, a new device from outside your network is connecting to your facility’s wireless cameras.

A platform designed for OT resilience will also give you the physical location of every device it identifies. This is important for:

  • Identification of unauthorized devices in the environment for quick blocking and removal
  • Quick physical removal of devices if they develop serious issues or are placed on a government blacklist

The platform you select should increase your resilience by assessing devices for new vulnerabilities and cyber threats as they emerge. This will help your security team prioritize threat responses based on risk level and give you the ability to automate device patches and updates.

The platform should also make ongoing management easier by:

  • Unifying OT devices and risk data with IT asset management in one dashboard to avoid gaps in operational security
  • Maintaining logs of all device activities for a certain amount of time for forensics and compliance
  • Monitoring network changes to ensure that temporary adjustments to firewall permissions and segmentation don’t persist when they’re no longer needed
  • Alerting your security team to any critical changes in your programmable logic controllers (PLCs), which could disrupt or shut down operations
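Two of the checks described above (flagging an unknown device that talks to the camera segment, and catching temporary firewall exceptions that outlive their expiry) can be expressed as simple rules over an asset inventory and flow records. The following is an added illustration, not Armis code; the inventory, flows, firewall exceptions, addresses and rule ids are constructed for the example.

```python
from datetime import datetime

# Constructed asset inventory (hypothetical): address -> device type and network segment.
INVENTORY = {
    "10.20.1.11": {"type": "wireless-camera", "segment": "cameras"},
    "10.20.1.12": {"type": "wireless-camera", "segment": "cameras"},
    "10.20.2.5":  {"type": "nvr",             "segment": "cameras"},
    "10.20.3.7":  {"type": "plc",             "segment": "cell-1"},
}

# Constructed device-to-device flow records: (timestamp, source, destination, encrypted).
FLOWS = [
    ("2022-02-15T08:00:00", "10.20.2.5",  "10.20.1.11", True),
    ("2022-02-15T08:05:00", "172.16.9.4", "10.20.1.12", False),  # source not in inventory
    ("2022-02-15T08:06:00", "10.20.3.7",  "10.20.1.11", False),  # known PLC, cleartext
]

# Constructed temporary firewall exceptions with the date each was meant to be removed.
EXCEPTIONS = [
    {"id": "fw-101", "rule": "allow 172.16.9.0/24 -> cameras", "expires": "2022-02-10T00:00:00"},
    {"id": "fw-102", "rule": "allow vendor-vpn -> cell-1",     "expires": "2022-03-01T00:00:00"},
]


def unknown_to_cameras(flows, inventory):
    """Flows whose source is not an inventoried device and whose destination is in the camera segment."""
    return [
        f for f in flows
        if f[1] not in inventory
        and inventory.get(f[2], {}).get("segment") == "cameras"
    ]


def cleartext_to_cameras(flows, inventory):
    """Flows into the camera segment that are not encrypted in transit, from any source."""
    return [
        f for f in flows
        if not f[3] and inventory.get(f[2], {}).get("segment") == "cameras"
    ]


def stale_exceptions(exceptions, now):
    """Ids of temporary firewall exceptions still present after their expiry time."""
    return [e["id"] for e in exceptions if datetime.fromisoformat(e["expires"]) < now]


if __name__ == "__main__":
    now = datetime.fromisoformat("2022-02-15T08:10:00")
    print("unknown -> cameras:", unknown_to_cameras(FLOWS, INVENTORY))
    print("stale firewall exceptions:", stale_exceptions(EXCEPTIONS, now))
```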

Operational Resilience Starts With Device Visibility

In today’s complex IT/OT environments, operational resilience requires a comprehensive approach to device security. It starts with visibility and gaining a complete view of every device and a single view of your environment’s security status and risks. And it is made whole with the resources to quickly remediate issues to prevent attacks and keep your operations online and working safely and efficiently. Learn more about how Armis can help you manage your OT assets.
