Security practitioners racing to secure the critical manufacturing infrastructure in Asia face a long list of challenges.
For the first half of 2021, The FortiGuard Labs Global Threat Landscape Report identified ransomware as a common threat to the manufacturing industry, reason being the convergence of operational technology (OT) and information technology (IT).
The drive towards achieving Industry 4.0 pushes organizations with critical infrastructure – such as those in the utilities and manufacturing sectors – to adopt new operational processes to stay afloat and ahead of the game, leading to an increased need for meaningful automated awareness that can address the scale of potential threats associated with the rise in connected cloud security environments within OT environments with Industrial Control Systems (ICS).
In addition, nearly 6 in 10 organizations using SCADA or ICS that were surveyed by Forrester Consulting in a study commissioned by Fortinet indicated that they experienced a breach in those systems in the past year — and many of these organizations are adding to their risk by allowing technology and other partners a high level of access into their systems. 97% said that many of these security challenges were the direct result of their OT-IT convergence efforts.
Security practitioners in Asia need to address a long list of challenges when deploying a solution strategy to secure OT environments and to boost the resilience of critical infrastructure. CybersecAsia discusses these security challenges with Jess Ng, Country Head, Singapore and Brunei, Fortinet.
What are the common security challenges for manufacturing companies in Asia, and why are they targeted?
Ng: Manufacturing companies are security targets because they belong to the critical infrastructure sector that provides vital resources to the population such as oil and gas, electrical generation and distribution, aviation, maritime, rail, and utilities. To boost operational efficiency and profitability, many manufacturing companies have been integrating OT infrastructure with IT networks. OT is the use of hardware and software to monitor and control physical processes, devices, and infrastructure. OT systems perform a wide variety of tasks ranging from monitoring critical infrastructure (CI) to controlling robots on a manufacturing floor.
OT is generally not secure, since it was originally designed with the assumption it would not be exposed to threats. Connecting a previously air-gapped (not connected to the outside world) OT network to the internet via an IT network immediately exposes the OT network and all connected OT devices to the entire threat landscape. At the same time, employees and their endpoint devices that are used to access the OT network remotely, inadvertently became security risks because they could potentially be exploited and become a gateway into the corporate network.
The momentum for OT-IT network convergence was already happening pre-pandemic, but the effects of the pandemic accelerated digital transformation and increased the need for connectivity. In a recent KPMG CEO survey, 80% of respondents suggested the pandemic had accelerated digital transformation, and 30% said that progress had put them years ahead of where they would have expected to be right now.
Cybercriminals recognize that the speed of the OT-IT convergence introduces security gaps that are ripe for exploit, and are developing more sophisticated and destructive attacks. Historically, cyber criminals have been primarily interested in stealing data, but they are increasingly targeting OT organizations as they recognize the potential for widespread disruption.
The recent wave of high-profile cyberattacks in the US – the Colonial Pipeline, JBS and the Kaseya software supply chain cases, are painful lessons that highlighted the threats of cyber-attacks on companies that deliver Critical Infrastructure. Cyber-attacks can completely disable business processes for a long duration and inflict tremendous damage, not just on enterprises, but on society as well. These cyberattacks can also threaten the safety of citizens and – in the case of critical infrastructure – national security.
What are the biggest concerns regarding the convergence of OT and IT for organizations in Asia Pacific?
Ng: The biggest concerns for OT leaders are related to security measurements and analysis and a significant number of intrusions, particularly from insider threats, according to the Fortinet 2021 State of Operational Technology and Cybersecurity Report.
Survey findings reveal that OT leaders continue to see significant intrusions that affect the organization. Outages that affect productivity and revenue continue, and the risks to physical safety are rising.
Majority of organizations have been largely unsuccessful at preventing cybercriminals from exploiting their systems, with 9 out of 10 companies experiencing at least one intrusion within the past year. The impact of these cyber intrusions has been steep for companies. More than half (51%) of the respondents reported documenting lost productivity, 42% experienced operational outages impacting revenue and 45% encountered physical risks and safety issues.
The second insight of Fortinet’s 2021 OT survey is that OT leaders were not prepared for changes related to the pandemic and had to quickly increase budgets and change processes. The pandemic accelerated the need for third-party secure remote access because technical staff could not be on-site doing work in person. Not many companies could afford to scale up connectivity rapidly for business continuity and balance security needs at the same time.
Thirdly, Fortinet’s OT study shows that OT leaders faced a significant increase in insider threats and phishing in 2021, with malware continuing to be a problem. OT leaders also noted the commonality of specific attack methods, including phishing (58%), malware (57%), insider breaches (42%), hackers (40%), ransomware (32%) and DDoS attacks (24%). Almost half (42%) of the intrusions were due to insider breaches, meaning that they were deliberate and malicious attacks by employees or people with access to the internal systems. Attackers are constantly exploiting weaknesses related to the rapid changes to working that occurred at the beginning of 2020.
Lastly, OT leaders continue to struggle with security measurements and perceptions when it comes to OT-IT convergence. Less budget is being approved and allocated for risk assessment tools even though they are important to identify vulnerabilities in the network. More priority is given to attack detection tools and 27% of respondents ranked this as the most important feature of security solutions. OT cybersecurity issues are reported to senior/executive leadership fairly evenly, although the results of penetration / intrusion tests are not shared quite as much as the other issues. Vulnerabilities (70%) and intrusions (62%) remain the top cybersecurity measurements that are tracked and reported.
How should organizations develop a robust security strategy for their operational technologies in today’s multi-cloud environment?
Ng: Like any infrastructure expansion, the benefits of moving OT to the cloud can outweigh the risks. However misconfiguration is one of the leading causes of cloud-related risk. In a recent Gartner survey of infrastructure and operations (I&O) leaders, 58% of respondents identified “insufficient skills and resources” as their biggest challenge when it comes to meeting cloud adoption and optimization goals.
Organizations are looking for more automated and integrated solutions to ease cost and operations burdens. The ultimate goal in developing a cloud security strategy is to unify security solutions deployed across cloud infrastructures, applications, and connections so that visibility and control can be managed centrally on a single platform.
There are a few key considerations for developing a robust cloud security strategy. Firstly, cybersecurity and threat management methods should be baked into the systems as they are being developed and not merely added as a last thought. Secondly, organizations should leverage automation to improve processes, capitalize on the use of data for insights and reduce errors. Thirdly, establish a network operations center (NOC) to monitor all applications and platforms within IT and OT environments can help improve cyber security posture. The centralized management system enables OT businesses to configure, manage, and monitor all components, eliminate silos and provide greater visibility.
Foundationally, visibility remains a primary problem to address as organizations move toward a digitally transformed IT/OT environment.
Organizations can take a four-pillar approach to develop a robust cloud security strategy:
- Zero Trust: Using intent-based segmentation that interprets business and security requirements, then automatically converts them into a segmentation policy, can help isolate workflows and applications.
- Artificial Intelligence-driven security operations: Deploying technologies like artificial intelligence (AI) and machine learning (ML) coupled with automated processes can detect and neutralize threats at the speed of business.
- Security-driven networking: Integrating network infrastructure with security architecture using an integrated security platform to enable access control and segmentation.
- Adaptive cloud security: Connecting resources to protect from multiple threat vectors while leveraging consistent models and integrating with third-party applications.
Please share some ways a country can secure critical infrastructure and critical industry sectors to mitigate against cyberthreats in the OT environment.
Ng: To secure interconnected IT/OT layers, organizations must view them as systems within systems and understand the complexity of the infrastructure that this connection supports. In manufacturing, vigilance across the OT architecture must extend from the plant floor all the way up through to the cloud. Having an integrated cyber security platform enables consistent security across the network, provides seamless interoperability and complete visibility, as well as granular control for hybrid deployments.
In addition, with the increasing number of cyber-attacks, a robust security strategy should include a comprehensive Incident Response Plan to minimize the damage and mitigate risks should a compromise occur within the company’s network.
However, based on Fortinet’s ransomware study, most organizations are ill-prepared for cyber-attacks. Less than half of the respondents have implemented strategies such as network segmentation (48%), business continuity measures (41%), remediation plan (39%), testing of ransomware recovery methods (28%) or red team/blue team exercises (13%) to identify weak points in their cyber security systems. While measures such as security training for employees, having offline back-ups and setting cybersecurity insurance help organizations achieve cyber preparedness, additional steps should be taken to boost incident response plans.
To address the growing complexity and risks when it comes to managing and protecting the digital environment that powers critical services sectors such as water, power, oil and gas, telecommunications and transportation, governments within the region are pushing for initiatives that will boost the resilience of critical infrastructures against increasing cyberthreats.
In Singapore, for instance, the government established the OT Cyber Security Masterplan and Operational Technology Cyber Security Expert Panel to enhance the security and resilience of Singapore’s critical sector. Collaboration between government agencies, Critical Information Infrastructure (CII) facilities and the academic sector were being formed to help mitigate cyber threats in the OT environment.
Recently, the Chair of the Asia Pacific Computer Emergency Response Team (APCERT) and Cyber Security Malaysia joined 18 other Asia Pacific countries and 31 international teams in an ambitious international cyberattack simulation, where nations worked together to take down a fictional cybercriminal infrastructure.
Likewise, other countries within the region are working on policies and create guidelines to address cyber security risks.
Another key factor to developing a strong security posture is for industries to coordinate with external stakeholders, including law enforcement. To ensure the effectiveness of responses, cyber security professionals must partner with global or regional law enforcement, like SingCERT or MyCER and share valuable intelligence information to help take down cybercrime groups effectively. To make attacks more difficult and resource-intensive for cyber criminals, public and private entities must collaborate by sharing threat information and attack data. Private-public partnerships also can help victims recover their encrypted data, ultimately reducing the risks and costs associated with the attack.
Collaboration between private and public entities also expands visibility. As cybercrime knows no borders, actionable threat intelligence with global visibility helps both the private and public sectors shift from taking a reactive approach to being proactive.
With the increasing number of ransomware attacks on essential services, organizations must take a proactive stance to protect IT systems. A successful cyberattack on critical infrastructure can disrupt operations and the supply of electricity, oil, gas, water and waste management. When essential services such as transportation, communication facilities, hospitals, and emergency services fail, the safety of workers and citizens are under threat.