
The keys to knowing what OT assets you've got and how to protect them

Nov. 1, 2022
How maintaining your cybersecurity posture is akin to taking your car to the mechanic.

By Dino Busalachi, chief technology officer with Velta Technology

Maintaining accurate, up-to-date technology-asset inventories has always been a challenge in manufacturing environments.

There was a time when chief information officers (CIOs) were under the microscope concerning discrepancies between the number of Microsoft licenses they reported and what they actually had installed. When Microsoft began periodically auditing these firms, it discovered that the discrepancies had cost the company millions of dollars in potential licensing revenue.

Since those days, companies have come a long way in determining their licensing inventories using tools that help audit and monitor program usage. Today, plant floors face similar issues with automation technologies.

Many industrial organizations have developed manual methods of collecting equipment-inventory information. This is a time-consuming and costly activity that becomes immediately obsolete. What’s more, these manual methods of data collection usually can only be performed during downtime, which in some industries is a rare occurrence that may happen once a year. This manner of data collection, which requires all machines and networks to be offline, can be extremely disruptive.

The most relevant data—such as asset counts, serial numbers and firmware product-version information—can be elusive. Most manufacturers and their vendors usually make an educated (but imprecise) guess as to what they have deployed in the field.

Determining the annual operating expense budget for warranty, maintenance and support is also a guessing game in many cases. It costs organizations on both sides millions of dollars in overpayment or underpayment. Microsoft’s auditing branch has been spread out to third parties, which helps both sides maintain greater awareness and glean a more accurate representation of their true licensing inventories.

Asset-inventory initiatives are being driven by a multitude of factors including legislation, regulations, boards of directors, as well as risk and cyber-insurance. We’re already seeing asset-inventory collections being driven into critical-infrastructure organizations.

The US Department of Homeland Security Transportation Security Administration has established standing requests for updated asset inventories in the transportation and power sectors. This is apparent because investigations are being performed to document operational-technology (OT) assets in rail yards and power plants.

Contrary to popular belief, industrial environments are not static. They are very dynamic, which is why continuous-threat detection and monitoring are so important. Asset changes are logged immediately to record accurate information including make, model, serial number, firmware version and a host of other device information.

Insurance companies that provide cyber-coverage are waking up to the realization that their policies are woefully inadequate and are not covering the entire technology footprint.

Cyber-insurance does not currently cover cybersecurity technologies, strategies or bills of goods (IT inventories), despite the massive disparity between OT and IT assets (ratio of 25-to-1). Additionally, business interruption resulting from cyberattacks on industrial-control systems is not typically covered by insurance. Cyber-insurance clients are being dropped, denied coverage, or paying more for less coverage.

Legal disputes involving insurance companies have played out stemming from the WannaCry/NotPetya ransomware attack of 2017, during which billions of dollars were lost by companies that expected their insurance claims to be paid. Merck & Co. sued more than 20 insurers that rejected claims related to the attack, including several that cited a policy exclusion for acts of war. The cases will take years to resolve in court and could very well set a precedent over which party pays for damages resulting from a cyberattack attributed to a foreign government.

Boards of directors are beginning to realize the need for collaborative responsibility when it comes to their organization’s cybersecurity posture, which should transcend the CIO/CISO level. Because the OT field is so vast and unstandardized, IT does not have the ability to cover all the bases to completely safeguard industrial automation control system technologies.

Manufacturers need to look inward and ask themselves, “Have we begun the process of looking at security technology geared toward the OT space? What is our digital safety posture? Have we piloted anything? Have we discussed digital safety with our vendors?”

To walk down this path, it’s important to devise a strategy that supplements internal resources with external OT cybersecurity and digital safety experts. The journey is a marathon—not a sprint—which means safeguarding digital safety is a sequential process with the long-term goal of gaining visibility over the full scope of your industrial-control systems.

Most manufacturers have multiple facilities and may not have adequate awareness of how their plants are interacting from a digital perspective. At Velta Technology, we often hear comments that intrusions are isolated incidents, but we never find that to be the case. Even someone with a USB drive who’s allowed to plug in to your digital environment gains direct access to your physical systems.

Consider an automotive analogy: when a car’s check-engine light comes on, you take it to a repair shop. The mechanic connects to the car’s interface and runs a diagnostic test that analyzes functions and returns assessment data. The data reveals information such as how many hours the transmission has been running, which fluids need replacement, and any areas of vulnerability within the system.

When the mechanic goes in to assess your car, you don’t exactly know what they’re doing in there because you don’t have a direct line of sight on their activities. They just come back and tell you what work is required to fix the problem, and you take them at their word.

The same concept applies to machines on the plant floor that go unmonitored, in that you cannot verify user activity. If someone connects to the system and their activity goes unmonitored, then you have zero awareness of the data they could be viewing, extracting or inserting.

Having free rein makes it possible for bad actors to alter the firmware, shut down operations, steal IP, and take a host of other serious actions. They may have added a new button to the human-machine interface (HMI), changed the color of a screen, or done something more nefarious. This is where the asset owners need to better understand what’s occurring within their machine centers, which is outside the scope of IT.

This is a blind spot within industrial environments. When you take your car to the shop, you just want it fixed and may not be interested in knowing every step the mechanic took to make the repair. But if plant-floor personnel are indifferent in their approach to digital safety, it can become very costly to the organization.

The supply chain is another major area of risk that was brought to the forefront recently amid a potential rail system shutdown in September 2022. Although this conflict came to a quick resolution, it was a stark reminder of how heavily we depend on a reliable, uninterrupted supply chain for fulfillment and continued operations. With the supply chain teetering on recovery from the pandemic, just think of the impact a rail shutdown could have not only on your business operations, but also on the materials it would leave in limbo. For example, chlorine shipments en route to water treatment plants could sit idle and create a hazmat situation.

Manufacturing companies are only as good as their weakest link, and a hacking event on the supply chain will potentially cause a negative downstream effect. Therefore, it’s in their best interest to be aware of what vendors and supply chain partners are doing to secure their systems.

In order to move toward greater visibility of your OT assets, these conversations must take place on a broader scale within the organization. Supporting OT teams at the center of this effort to safeguard machine systems is a key step in the journey toward complete digital safety for industrial environments.