Operational technology systems require a robust Zero Trust strategy in 2024

Cyberattacks on operational technology (OT) systems are rapidly rising. In fact, manufacturing was one of the sectors most impacted by extortion attacks last year, according to Palo Alto Networks Unit 42, as reported in the 2023 Unit 42 Extortion and Ransomware Report. 

Attacks against OT systems can have a significant impact, including physical consequences such as shutdowns, outages, leakages, or worse. The Colonial Pipeline attack in 2021  is one of the most well-known examples of a major OT attack;  the attack prompted a temporary shutdown of nearly half the gasoline and jet fuel supply delivered to the East Coast. That led to fuel shortages and price hikes.​​

Why is this sector at such risk? There are several factors which we’ll explore in this piece. The good news is that a Zero Trust approach can go a long way toward helping organizations take back control and develop a more robust security posture.

How we got here

With the rise of digital transformation, we’ve seen the increased convergence of IT and OT systems. As a result, OT systems that were previously isolated are now connected and therefore accessible from the outside world, making them more at risk of being attacked.     

Another factor that has increased the security risks in this sector is that critical infrastructure often relies heavily on legacy systems. This means many systems are running older, unsupported operating systems. They weren’t designed with cybersecurity considerations in mind, and they can’t be easily patched or upgraded because of operational, compliance, or warranty concerns.

Manufacturers also face a lack of skilled employees who can manage these converged environments. An August 2022 survey by the National Association of Manufacturers found that three-quarters of respondents named attracting and retaining a quality workforce as one of their top business challenges. Finding people with cybersecurity expertise is an ongoing challenge – with ISC(2) putting the global cybersecurity skills gap at 3.4 million people – and finding people with both security and OT knowledge is even more difficult.

The rise of ransomware and increased regulations

Not only are manufacturers grappling with the above trends, but they’re also under constant pressure to keep operations up and running.  A ransomware attack on a factory can cripple a business’s ability to produce products, leading to days if not weeks of downtime, resulting in financial loss.

Bad actors are increasingly seizing this opportunity. In fact, manufacturing has become the second most targeted sector in Unit 42’s client base for ransomware attacks.

On top of being a target for ransomware and other cyber attacks, governments have noticed the exposure manufacturers face and have imposed more regulations. Most notably, as of December 18, the Securities and Exchange Commission will now require larger publicly traded companies to report a cyber incident within four days, a regulation that puts even more pressure on companies to be ready to understand and act fast. This doesn’t just apply to manufacturing companies, but rather, all publicly traded companies.

Starting with a foundation built on zero trust  

Manufacturers have multiple environments to protect that run on different operating systems and applications. There are OT devices and networks (for example, the factory floor.) There are remote operations. And there are 5G connected devices and networks at the cutting edge of deployments. Neither IT nor OT managers have tools that offer visibility into all of the different environments, applications, systems, and devices.

Without visibility, it’s pretty much impossible to know if there are vulnerabilities within any of these devices. This, coupled with the difficulties in operating excessively complex systems creates exponential risk from threat actors, often with the threats outpacing the ability of the technology teams to prevent attacks. The reason that ransomware works in manufacturing is because those Windows-based operation controls are largely identical to those found on the business side of the house.

A Zero Trust approach – especially at the higher architectural layers of a factory where OT and IT first converge – can help solve many of these issues. Zero Trust is predicated on a simple concept – trust no one. It’s a strategic approach that eliminates implicit trust and continuously validates every stage of a digital interaction to secure an enterprise. By implementing a Zero Trust strategy, you apply security to users, devices, applications, and infrastructure in the same consistent manner, across the entire organization. A Zero Trust framework makes it easier to secure all of the different environments within a manufacturer.

Think of Zero Trust as a framework that includes the following principles/steps:

1. Gaining visibility of all assets – and their inherent risks:  Broad visibility that includes behavioral and transaction flow understanding is an important step to evaluate risk and also to inform the creation of Zero Trust policies.
2. Applying Zero Trust policies. These include least-privilege access and continuous trust verification, an important security control that greatly limits the impact of a security incident. This must include continuous security inspection, which ensures transactions are safe by stopping threats without affecting user productivity.
3. Making it simple to operate. Don’t throw multiple point solutions at every environment. This creates more complexity, costs more, and can ultimately leave security gaps. You need to ensure a seamless experience and integration with your IT team.

A Zero Trust approach plays a central role in helping OT organizations remain operationally resilient, reduce the potential attack surface, and minimize new or expanding risks brought on by digital transformation. The reality is that OT is likely to continue to be a major target for bad actors in the foreseeable future. And for most organizations, there will be a constant struggle to find and retain talent with the right skills. These are almost inevitable factors, as is the continued convergence of IT and OT. IT leaders working in OT have a unique set of challenges, and it can certainly feel like an uphill battle at times, but starting with Zero Trust provides the foundation for creating a stronger, better security posture now.

To learn more, visit us here.