Increasing digitization brings increasing networking in the production environment, and with it a growing risk of attacks on industrial control systems. Such attacks can not only cause severe financial damage but, in the worst case, endanger human life. What should companies do to protect themselves?
When you think of OT, short for Operational Technology, you first think of production systems. The term generally includes systems for controlling and monitoring physical processes. They are used in industry and almost all sectors, for example, in drinking water and power supply or air conditioning in buildings. Without OT, our life as it is today would be inconceivable because it provides the automation technology that has become a matter of course for us in everyday life.
Networking is increasing as a result of digitization. OT systems are no longer only networked with one another but also with IT systems. The convergence takes place in both directions: ERP systems, for example, also store production information and control production orders in the MES (Manufacturing Execution System); the MES, in turn, sends operating and machine data back to the ERP for evaluation. This means that attacks on the server or database of the ERP have a direct effect on production. In addition, due to the increasing use of remote maintenance systems for machines and systems, a connection to the Internet is essential. If these connections are implemented insecurely or are not regularly maintained, they represent a weak point that can be exploited. There is also the risk of attacks from within, which exists even in isolated networks, for example from an infected USB stick or laptop that an employee or service technician connects. According to an analysis by the BSI, the smuggling of malware via removable media and external hardware ranks first among the top ten threats for industrial control systems (ICS).
OT Systems Are Particularly At Risk
Once criminals have penetrated the network, the extensive networking means they can move from any point of entry through the entire IT / OT environment if the appropriate protective measures are not in place. The attack surface grows with every networked device. IT systems in production, for example, are usually particularly susceptible to cyber-attacks because they are often operated with an outdated operating system for which there are no longer any security updates. Attacks on OT systems, in particular, can have serious consequences. This is not just about significant financial damage due to plant downtime and loss of reputation. Malfunctions of machines and systems can also endanger human life, for example, if medical devices fail in a hospital or the electricity and drinking water supplies are endangered. Companies,
Targeted And Untargeted Attacks
So far, we have seen a few attacks that are targeted against OT systems. It is often a matter of widespread ransomware attacks on IT systems, in which production facilities are also affected as collateral damage. In March of this year, due to a ransomware attack on the IT systems of the Königsberg-based company “Fränkische Rohrwerke”, production could not be carried out at 22 production sites around the world for a week. Unfortunately, it can be assumed that there will be more specialized attacks on production environments in the future. These environments are very lucrative for criminals, be it for blackmail or industrial espionage, and unfortunately are often even less well protected than the company’s IT systems.
That’s What Companies Should Do
To protect themselves, companies should take a holistic view of cyber security, integrate production into their IT security concepts and expand them to include the requirements of OT. The following steps support this:
Occupational health and safety training courses are established measures to maintain the safety culture in companies. The most crucial step in keeping pace with the challenges of increasing networking is employee empowerment and development. Raising employees’ awareness of cyber security with the help of training courses should also be carried out regularly in the production environment.
To establish a comprehensive cyber security culture in the company, IT and OT managers must work together. Often there are communication challenges here because different requirements come together. An important step is to get representatives from both areas around the table, clarify responsibilities, and define the joint approach. This cooperation must be demanded and promoted by the management. The support of a strategic partner who has both IT and OT expertise can act as a valuable catalyst.
Perform A Security Assessment
The evaluation of the current security structure forms the basis for a comprehensive cyber security concept. It is first necessary to analyze the IT and OT in the production environment and define protection goals. Which systems are involved in which processes? Who communicates with whom? What are the weak points, what is the risk of these weak points being exploited, and what can happen in the worst case? This results in a risk assessment. To carry out a security assessment, it is advisable to work with an external partner who provides strategic advice and, if necessary, also takes on responsibility for implementation as an implementation partner.
Derive Technical And Organizational Measures
From the security assessment results, specific technical and organizational measures can be derived to achieve the defined protection goals. Common security standards such as ISO 27001 and IEC 62443 can serve as a basis. As a specific, technical measure, for example, introducing a network monitoring system is recommended, which monitors the production network around the clock. It creates transparency about the components in the network and sounds an alarm as soon as suspicious activity occurs.
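The monitoring idea described above, as an added example that is not part of the original article: it learns which assets exist and who communicates with whom from a baseline of flow records, then flags new devices, new conversations and direct IT-to-OT traffic. The addresses, the zone plan with a DMZ between IT and OT, the ports and the flow-record format are assumptions made for illustration.

```python
import csv
import io
import ipaddress

# Assumed zone plan for the example: ERP in IT, MES in a DMZ, controllers in OT.
ZONES = {"IT": "10.10.0.0/16", "DMZ": "10.20.0.0/16", "OT": "10.30.0.0/16"}
# Constructed flow records: timestamp, source, destination, protocol, destination port.
BASELINE = """\
2024-01-01T06:00:00,10.10.1.5,10.20.1.10,tcp,1433
2024-01-01T06:00:05,10.20.1.10,10.30.1.21,tcp,502
2024-01-01T06:00:07,10.20.1.10,10.30.1.22,tcp,502
"""
LIVE = """\
2024-01-02T06:00:05,10.20.1.10,10.30.1.21,tcp,502
2024-01-02T09:14:00,10.30.1.77,10.30.1.21,tcp,502
2024-01-02T09:20:00,10.10.1.5,10.30.1.22,tcp,502
2024-01-02T09:30:00,10.20.1.10,10.30.1.22,tcp,102
"""

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in ipaddress.ip_network(net)), "UNKNOWN")

def parse(text):
    for ts, src, dst, proto, port in csv.reader(io.StringIO(text)):
        yield ts, src, dst, proto, int(port)

def learn(text):
    """Build the baseline: the set of known assets and known conversations."""
    assets, talks = set(), set()
    for _, src, dst, proto, port in parse(text):
        assets.update((src, dst))
        talks.add((src, dst, proto, port))
    return assets, talks

def detect(text, assets, talks):
    """Return (timestamp, alert_type, src, dst, port) for every deviation from the baseline."""
    alerts = []
    for ts, src, dst, proto, port in parse(text):
        if {zone_of(src), zone_of(dst)} == {"IT", "OT"}:
            kind = "ZONE_BYPASS"        # IT and OT may only meet via the DMZ
        elif src not in assets or dst not in assets:
            kind = "NEW_ASSET"          # device never seen during learning
        elif (src, dst, proto, port) not in talks:
            kind = "NEW_CONVERSATION"   # known devices, unknown relationship
        else:
            continue
        alerts.append((ts, kind, src, dst, port))
    return alerts
```

Calling `detect(LIVE, *learn(BASELINE))` returns one alert per deviating flow; in practice the baseline would be learned over a full production cycle so that rare but legitimate traffic such as maintenance windows is included.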
Develop And Test An Emergency Plan
If there is an attack, it is essential to react quickly and minimize damage. Therefore, companies should draw up a crisis response plan in which responsibilities and instructions for action are clearly defined. This also includes a backup plan that should be checked regularly. Since every environment has a different criticality, an emergency plan must always be developed individually. To ensure that it works in an emergency, it should be tested regularly.
How A Pharmaceutical Company Optimizes Its OT Security
A pharmaceutical company was increasingly using infrastructure created for IT for its OT as well. This resulted in compromises in terms of availability, operation, maintenance, and functionality. The different usage profiles of IT and OT could not be adequately mapped. The company, therefore, commissioned external cyber security specialists with the renewal of the IT and OT infrastructure. The analysis showed that two independent infrastructures should be set up and securely connected. The cyber security experts set up functional zoning and segmentation of the OT network and production facilities. They qualified the OT infrastructure according to industry-specific guidelines such as IEC 62443 and GxP. Today the company has two self-sufficient,
Using cyber security solutions has to be more economical than not using them. The first step is a professional security assessment to identify and prioritize the individual need for action in a targeted manner. Only if companies take the requirements of IT and OT into account in a comprehensive cyber security concept can they also protect their highly networked environments sustainably and appropriately in the future.