As a provider of industrial automation and test and measurement solutions, Yokogawa is familiar with the security risks facing users of operational technology (OT). But it’s not keeping its experience to itself. Instead, it’s attempting to ensure that potential customers in manufacturing and other critical infrastructure sectors remain adequately informed about cybersecurity threats – as evidenced by Industrial Cyber Threats: Processes & Protection for Industrial Control Systems, a report published last week.
The report is just 20 pages long, but it aims to provide readers with a quick, yet thorough overview of OT systems’ vulnerabilities. It defines these vulnerabilities, offers case studies of their consequences, lists the frameworks and standards used to guide cybersecurity teams’ responses to threats, and outlines its own approach.
Defining and explaining the problem
In its opening section, Yokogawa notes that manufacturing and critical infrastructure operators’ OT systems have become more vulnerable to outside attacks as a result of initiatives involving digital transformation and industrial internet of things (IIoT).
These innovations, known collectively as IT/OT convergence, are a double-edged sword, the company says. On the one hand, they have helped operators by allowing them to connect OT equipment to IT networks that use sophisticated analytical tools to cut costs and maximize efficiency. On the other hand, they have eliminated the “air gapping” measures that isolated OT systems from the outside world and protected them from outside threats.
Yokogawa then moves on to defining the nature of these outside threats and identifying potential consequences of security breaches. It explains the difference between information technology (IT) and OT, and it points out that violations of OT security can have consequences that go beyond the loss of confidentiality, ICSprivacy, and trade secrets.
“OT is innately tied to production environments and therefore breaches in this space can be profoundly dangerous,” it says. “When an industrial control system (ICS) is successfully targeted, serious damage to critical infrastructure and the environment are very real possibilities, as is threat to life.”
Examples and approaches
Yokogawa then moves on to providing examples of such harm. The report mentions real-life incidents such as a phishing email that led to the damage of a blast furnace at a German steel mill in 2014 and the power outages that hit Ukraine in late 2015 when hackers gained access to the supervisory control and data acquisition (SCADA) systems of a regional electricity supplier. It also goes into more detail in two short case studies – one examining Stuxnet, the worm that wreaked havoc on the Natanz uranium enrichment facility in Iran in 2010; and another examining the use of TRISIS malware that forced the temporary closure of a petrochemical plant in the Middle East by compromising the facility’s OT networks.
The report also lists some of the key frameworks and standards used by companies to confront cyberthreats, including NIST, IEC 62443, the NIS Directive, and OG86. It then concludes by Yokogawa’s own approach to addressing the vulnerabilities of its customers’ OT network. The company’s goal, it says, is to identify the technological, human, and circumstantial factors that facilitate or contribute to security breaches and then to draw up a comprehensive solution that includes training, risk assessment, policy-making, implementation, and maintenance services.
“It is difficult to stop bad actors gaining access, particularly as IT/OT convergence gathers pace, but there are measures that can stifle the opportunity to cause harm … [This] can only be achieved when an organization takes a holistic approach to cyber security, incorporating people and processes alongside technology,” it comments.
Making a case for holistic approaches
The company makes the case for this holistic approach by arguing that potential customers in the manufacturing and critical infrastructure sectors need information about and assistance with the proliferation of cyberattacks on OT systems.
“No system is impregnable and vulnerabilities will continue to be discovered across the OT domain,” it said. “Even with generous investment, no plant can completely eliminate its risk exposure. It stands to reason that a holistic approach to cyber security is the only way to keep pace with the latest generations of malware tailored to ICS.”
But the evolution of malware isn’t the only concern. There are other developments that support Yokogawa’s call for holistic approaches.
For example, Robert Ackerman Jr., the founder and managing director of AllegisCyber, said in a blog post on RSAConference earlier this week that the coronavirus (COVID-19) pandemic had created new problems for OT operators by expanding the definition of “critical infrastructure” to include the healthcare sector and the manufacturers that serve it, as well as key players in global supply chains. It has also relegated many employees to working at home on their own devices, which can serve as less heavily guarded points of entry for hackers seeking access to IT and OT networks, Ackerman said. These conditions serve as yet another argument in favor of Yokogawa’s holistic approach.