Close Menu

Navigating the Hidden Dangers of OT Security in Manufacturing

Staff WriterBy No Comments7 Mins Read2 Views

Summary Points

  1. Operational Technology (OT) Security Challenges: The manufacturing sector faces significant OT security risks from legacy systems, unmanaged access points, and human error, complicating overall safety and operational integrity.

  2. Growing Complexity of Access Management: The increase in mergers and acquisitions exacerbates visibility issues and complicates user access tracking, making it difficult to identify who holds critical system permissions.

  3. Shift in Focus from OT to IT Security: While IT security measures are more advanced, manufacturers often overlook the importance of securing OT environments, which are increasingly interconnected with IT.

  4. Rising Awareness Amidst Persistent Threats: Awareness of OT security vulnerabilities is improving due to high-profile breaches, but effectively measuring improvements in security remains a challenge as organizations struggle with evolving threats.

[gptAs a technology journalist, write a short news story divided in two subheadings, at 12th grade reading level about ‘OT Security Poses Inherent Risks for Manufacturers’in short sentences using transition words, in an informative and explanatory tone, from the perspective of an insightful Tech News Editor, ensure clarity, consistency, and accessibility. Use concise, factual language and avoid jargon that may confuse readers. Maintain a neutral yet engaging tone to provide balanced perspectives on practicality, possible widespread adoption, and contribution to the human journey. Avoid passive voice. The article should provide relatable insights based on the following information ‘

From supply chain risks and breaches to employees’ physical safety, the manufacturing industry is no stranger to operational technology (OT) security challenges. The good news? Experts say awareness has increased among manufacturers. But whether that will lead to improvements is difficult to say.    

OT controls the processes and equipment necessary for manufacturers. It’s built to last, but that also means there’s legacy technology — unsupported and difficult to update — on the factory floor. A lack of visibility around an overwhelming number of assets presents heightened concerns as well. And then comes the human factor.  

“People are the biggest risk to computer systems, period,” says Almog Apirion, CEO and co-founder of Cyolo, which provides secure remote privileged access for industrial and OT systems. 

Abundant Access Points Equals Abundant Problems

Indeed, human risk leads to bad access. Manufacturing companies must secure a wide range of assets and access to them. The number of access points continue to grow with mergers and acquisitions, with acquired companies bringing in their own vendors and using their technology, Apirion says. For most companies, gaining visibility across access points is almost impossible now, he adds.

On top of those security headaches, it’s also difficult to keep track of users and who has or needs access to which technologies — especially when multiple users are granted permission to the admin account.

Related:Critical Claroty Authentication Bypass Flaw Opened OT to Attack

It makes incident response investigations much more difficult.  

“We hear from more and more customers that something happened during the weekend at 3 a.m., and it’s Operator 1 or Admin 1, but they don’t know who it is because they have so many different people associated with it,” Apirion explains. 

In another case, Apirion observed one user who had to perform seven logins to gain access. If users must do that to do their jobs, they’ll likely bypass the system, he warns.

Prioritizing IT Over OT

Another hurdle is how manufacturing companies operate in a variety of environments. Technologies can be connected to the cloud or even offline, requiring different security measures around identity and segmentation. The old perception that if technology is not reachable, it’s not “breach-able” is now obsolete, says Apirion, emphasizing how IT and OT have become hyperconnected.   

While effective OT security is vital, focus oftentimes revolves around IT instead. 

“Security around IT is more developed even though companies are making money off of manufacturing stuff,” Apirion says.

Related:Bombarding Cars With Lasers: Novel Auto Cyberattacks Emerge

Can Manufacturers Keep Up With a Growing Attack Surface? 

OT security problems often stem from pressures the industry faces to lower costs, increase supply chain efficiencies, and adopt technologies to scale, explains Kory Daniels, chief security and trust officer at LevelBlue.

“Organizations want to increase AI adoption, go faster, reach more markets, and be more competitive, and that’s putting a strain on security teams on keeping up with, ‘Do we know how are attack surface is evolving?” Daniels tells Dark Reading. 

That requires companies to keep a good inventory of their OT input, asset health, knowing what’s interconnected and corporate-connected, and how much open source is being leveraged to increase manufacturing capabilities. 

“Companies need to consider the manufacturing supply chain process of moving things from supplies and goods across an ecosystem of partners,” Daniels says.

But challenges exist on so many different fronts. First, OT means taking technology that was never designed to be Internet-facing and making it so. Second, certain skills are required to handle and support OT, but the skills of the workforce who understand those processes are shrinking. 

The ability to implement effective and timely patch protocols in very sensitive environments is another critical concern. Patching for manufacturers requires downtime — a luxury the industry cannot afford.

Related:The Fight Against Ransomware Heats Up on the Factory Floor

“Once you even identify the security risks, what do you do about them?” Daniels asks. “And how do you do it in a way [that] the company is making informed risk decisions versus just by default accepting the risk out of fear of what else you will disrupt or break?”  

Rising Awareness, but Security Stays the Same 

Despite burgeoning and continued OT security problems, Apirion has observed that awareness is improving. Recent incidents like the ransomware attack against Asahi served as a wake-up call to the industry, he says. On top of prolonged production disruptions, in the most recent update, Asahi warned that personally identifiable information “may have been subject to unauthorized data transfer” as well. 

The breach highlights both financial and supply chain risks.

“Supply chains are an attack vector but also the other direction is that they’re going to carry and suffer from implications,” Apirion explains. “If I supply Ashai goods, and they’re losing to the competition, I’m going to lose money and fire employees. Everything is interconnected.” 

Ashai isn’t alone. A recent LevelBlue report stated that 28% of manufacturing executives confirmed their organization has suffered a breach in the past 12 months. And thirty-seven percent said they experienced a “significantly higher volume of attacks.”

LevelBlue’s Daniels agrees that the industry has become more aware. Prominent attacks like the one against Colonial Pipeline or, more recently, Jaguar Land Rover highlights how damaging fallout can become. Now conversations around OT resiliency have become more commonplace in the boardroom or as an executive topic. Daniels would like to see that expand across the industry. 

Whether OT security is improving, however, remains to be seen. 

“I think one of the hardest parts with this, in terms of, ‘Are we getting better,’ is how do we measure better outcomes?” Daniels asks. “It’s difficult to quantify if we’re getting better, unless it’s based on how many breaches.” 

What Can Manufacturers Do?

An identity-focused security strategy is vital to curb OT security challenges for manufacturing because of the legacy systems, Apirion recommends. Governance should also play an important role to help ensure security is not excluded from project requirements as the board gets excited about new technology adoption to reach broader markets or to increase efficiency — especially as AI increasingly enters the mix, Daniels says. 

He calls for a strategy where employees know who to reach out to in any situation, roping in security, compliance, and IT teams.   

“Illuminate the entire OT estate because you cannot defend what you can’t see and what you don’t know,” Daniels urges.

‘. Do not end the article by saying In Conclusion or In Summary. Do not include names or provide a placeholder of authors or source. Make Sure the subheadings are in between html tags of

[/gpt3]

Stay Ahead with the Latest Tech Trends

Explore the future of technology with our detailed insights on Artificial Intelligence.

Access comprehensive resources on technology by visiting Wikipedia.

CyberRisk-V1

Share.
Avatar photo

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Comments are closed.