Ahmik Hindman, senior networks and security consultant at Rockwell Automation, recently spoke to Senior Contributing Technical Editor Wayne Labs about assessing cybersecurity risks, implementing security patches and building a cybersecurity risk management system.
WL: Certainly a risk assessment is a good way to begin an extensive OT cybersecurity program, but how can manufacturers know where to begin when they have network nodes they probably have forgotten about 20 or more years ago? What is a systematic way of accounting for all network and subnetwork nodes and the equipment attached to them?
AH: Manufacturers can’t protect assets they don’t know they have. With smart manufacturing growing increasingly more reliant on IT and operational technology (OT) convergence, it also leaves companies more susceptible to costly cyberattacks. This was the case for a Fortune 500 food manufacturer that turned to Rockwell Automation to gain a clear understanding of cybersecurity vulnerabilities within its IT and OT networks. During the two decades prior to working with Rockwell Automation, this food manufacturer acquired dozens of businesses, each with separate technology and security infrastructures. This left the company in a tangled web of assets and no clear understanding of where it was vulnerable.
As part of the collaboration, this company deployed a centralized threat detection system across its 46 sites, which helped determine a baseline of network assets and continuously monitor for threats without disrupting operations. Centralized threat detection systems are valuable tools that act as a watchful eye across the entire network, subnetwork and connected equipment. They help manufacturers stay ahead of threats, minimize risk and maintain secure operations across their vast networks and systems.
WL: Playing devil’s advocate for a moment: If the plant engineering staff has forgotten the existence of a 20-year-old data acquisition system (DAS) running some proprietary RTOS that is still functioning in a remote part of the plant and feeding data into a PC-based node attached to the network, isn’t it likely that a hacker won’t find it? It’s likely the DAS hasn’t been checked for years, and its Windows XP host hasn’t been touched either. So how safe is the DAS and its XP-based host? Can an XP machine even run a modern virus? Just how risky is this node—and what action needs to be taken?
AH: These “forgotten assets” are prime vantage points for cyberattacks, offering stealthy entry points for attackers. Outdated systems lack security updates and offer attackers the initial foothold they need to deploy disruptive attacks. For these forgotten assets, it’s likely been years since they were updated with the appropriate security protocols.
There are endpoint solutions that do support legacy OSs, even going back to Windows XP; however, interoperability between the priority IACS applications running and the endpoint solution could be problematic.
Rockwell Automation helps customers address this problem through a layered Defense in Depth approach to security that includes, but is not limited to: next-generation zone-based firewalls, RBAC controls, switch ACLs, and OT-IDS to monitor network traffic for signature-based threats as well as baseline deviations.
WL: Like the above, how endangered are 20-plus-year-old PLCs sitting on a subnetwork with actuators, motor controls and sensors tied to them on a sensor type of network? Are their proprietary operating systems relatively safe from hackers and ransomware? What about newer PLCs using some form of Windows as their OS? Wouldn’t they be more prone to attack than their older proprietary PLC counterparts?
AH: These too are vulnerable. If the threat actor can access this subnetwork (most have some connection point to configure those devices), then they are also susceptible to malicious modification, as these devices have no concept of modern security controls.
WL: What about industrial computer systems that may be supporting vision systems or some other tasks (e.g., supervisory robotic control)? No doubt these systems are running some form of Windows. If they’re running Linux, are they any safer from attacks?
AH: No, this is a misconception about Linux operating systems. Unpatched Linux systems are just as vulnerable as their Windows counterparts. In fact, the National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD), a repository that logs technical vulnerabilities in different software products, reveals that over the past 20 years, Linux experienced a higher number of reported vulnerabilities compared to Windows.
Rockwell Automation helps our customers address this attack surface by replacing computers with zero clients (no OS to maintain) and using a Secure Agnostic Content Delivery system, Rockwell Automation’s ThinManager, to deliver content to those devices.
WL: With all of the above in mind, how does a manufacturer assign risk and set priorities for mitigating the risks?
AH: Manufacturers can effectively prioritize cybersecurity risks by first identifying critical assets that could significantly impact operations if compromised. By focusing on securing these assets, manufacturers can allocate resources and take the necessary measures to fortify their most vital components against cyberattacks and minimize the impact when a breach does occur. This provides a strategic approach to protecting the core elements of their manufacturing infrastructure.
WL: Based on a thorough risk assessment, how should a manufacturer think about and apply security patches? What about equipment that is either incapable of patches or wasn’t even designed to receive patches?
AH: There are three things companies should consider when prioritizing cybersecurity efforts: how likely it is that this vulnerability will be exploited, how easy it is to patch the vulnerability, and the business impact of a potential attack. Companies should patch vulnerabilities that are actively being exploited by attackers first. There may be assets that are decades old and not likely to be exploited; those aren’t as high a priority as vulnerabilities that expose critical assets containing customer data or proprietary information. Additionally, vulnerabilities that are easily patchable should be prioritized over complex ones.
WL: We all know that layered security is a must to help prevent attacks. In a facility that has added equipment and software onto the OT network for years, how should a manufacturer begin revamping its system to create a layered OT network that looks like the NIST layered security network?
AH: Creating a layered network within your OT system requires a phased approach. In phase one, companies must assess their current system to identify critical assets and vulnerabilities. In the second phase, companies can begin segmenting their network using demilitarized zones (DMZs), firewalls and access controls. Additional security measures include deploying a patch management strategy and continuously monitoring for threats and vulnerabilities. Finally, companies must prioritize continuous improvement of their operations and their people. Leveraging training, incident response planning and staying up to date on the latest cybersecurity guidelines helps companies significantly increase the cybersecurity infrastructure and ensure that vulnerabilities don’t slip through the cracks.
WL: While we’ve concentrated on the OT system, can we assume that the IT system is secure? What steps do we need to take to ensure the OT system is protected from the IT system?
AH: Smart manufacturing grows more reliant on IT and OT convergence, but protection for one system doesn’t guarantee both networks are safe. More than 80% of cybersecurity attacks started with compromising IT systems. To help protect OT systems from attacks on the IT side and vice versa, companies must establish strong network segmentation between the two environments. This approach separates the greater network into smaller segments and allows companies to limit access for security threats and minimize damage. A holistic cybersecurity approach that includes a layered defense strategy and continuous learning is the best approach to securing operations. Only by securing both IT and OT can organizations truly minimize the risk of attacks impacting critical operations.
WL: How does a manufacturer protect itself from a disgruntled employee who has access to the system and wants to pay back a grievance? This actually happened to a company I worked for.
AH: While not the most common threat actor, internal threats can wreak havoc on systems without the proper defenses. Typically, access to operational systems is granted based on an implied trust, which can be leveraged by threat actors to breach networks. A Zero Trust approach is the best practice to help protect critical assets from both internal and external threats. Zero Trust assumes everyone – and everything – is a threat; it requires continuous identification and authorization before granting access to resources, making it significantly more challenging for disgruntled employees to cause harm. Zero Trust limits employee access to sensitive information or systems beyond their designated role and limits the damage that they can inflict.
WL: Finally, what outside help is available in building a cybersecurity risk management system and attacking all these issues, e.g., old hardware and software that have never been patched? Controls companies, system integrators, networking companies, etc.? What about liaisons?
AH: Partnering with a company with industry cybersecurity experts will always give an organization a leg up in the competition. A cybersecurity partner can provide recommendations, design and implementation assistance to match the company's overall cybersecurity risk tolerance.
Rockwell Automation offers comprehensive cybersecurity services designed to enhance the security and efficiency of your infrastructure by adopting a proactive approach to cybersecurity across IT and OT environments. Our services span the entire attack continuum, addressing security before, during and after an event. This includes conducting security assessments, continuous monitoring of assets and networks for improved visibility, threat detection, and planning for response and recovery. By identifying critical assets and risks, protecting against potential threats before they occur, and ensuring real-time threat detection, we aim to keep your infrastructure secure. Our solutions comply with industry standards such as NERC CIP, NIST 800-53, and NIST 800-82, helping you manage risk and protect business-critical information. Whether through project-based deployments or continuous monitoring by our experienced industrial security teams, Rockwell Automation is committed to safeguarding your operations with world-class solutions like Cisco and Claroty for effective threat detection and response.