
OT Security: Protecting Industry 4.0 from Attack


Cybersecurity is a high priority for every business nowadays. But despite improvements in IT security, the operational technology (OT) used to monitor and control industrial processes is often dangerously unprotected. Over the past couple of years, the United States Cybersecurity and Infrastructure Security Agency (CISA) has issued multiple public warnings about the vulnerability of OT systems, insecure-by-design practices in operational technology, and a rising ransomware threat to operational technology assets.

As manufacturing digital transformation efforts accelerate, the problem will only worsen—making Industry 4.0 a tempting target for cybercriminals, hacktivists, and even the militaries and intelligence agencies of nation states. But next-generation industrial security appliances may offer a solution to the unique challenges of OT security.

IT/OT Convergence: Synergy or Cyber Risk?

Digital transformation initiatives have filled the modern factory with IoT technology: a multitude of smart sensors that collect data from the manufacturing process in real time. The result is that historically “unintelligent” OT assets now generate a wealth of useful data—data that can be shared with IT networks for reporting, analysis, and process optimization.

This merging of IT and OT networks is known as IT/OT convergence, and the business case behind it is clear, according to Calvin Ma, Product Manager at NEXCOM International, a manufacturer of network and Industry 4.0 solutions. “Companies gain greater control over their manufacturing process. And customers can see inside the factory, giving them better insight into progress and quality,” he explains.

But in addition to the benefits, IT/OT convergence brings significant risks. After all, a smart factory is an online factory—and this exposes OT networks to attack. That’s a serious problem, since operational technology is notoriously hard to protect because of factors like legacy equipment that simply can’t run security software, as well as the questionable security practices of OT vendors.


In addition, joining a secure IT network to an OT network introduces problems of its own. “When everything is connected,” says Ma, “cybersecurity events that would have been easily contained on the IT network can now spread to the OT network—and OT networks are relatively fragile.”

But an expanding OT attack surface is an unacceptable risk for manufacturers.

Why OT Security is so Hard

One of the surprising things about OT security, given the well-known difficulties, is how similar it is to IT security.

The cyber threats to OT networks, for example, mirror those faced by IT networks: ransomware and viruses, hacking and backdoor software, worms, and botnets. And the basic solution to OT security is similar to the approach used on the IT side: monitor network traffic for suspicious data packets, segment networks so that malicious packets can be contained when they are detected, and place critical assets behind extra layers of protection.

Why, then, is OT security so challenging?

A big part of the problem has to do with the technical limitations of OT endpoints. “Many of these systems were not designed with security in mind,” says Ma, adding that legacy OT assets in factories often run on nonstandard or archaic operating systems, making it “impossible to install security software on them.”

Another challenge comes from the business culture of industrial facilities themselves. The KPI that matters most to plant managers is productivity. And downtime, however reasonable the justification, is expensive. Convincing leadership to take a network offline to upgrade security—or asking them to implement a solution that will require regular network outages for maintenance in the future—is a tough sell.

But this leaves manufacturers with a difficult choice. Should they accept costly downtime in an attempt to improve OT security, or roll the dice and risk a total shutdown later on?

Obviously, neither option is a good one. But a new breed of industrial security appliances (rugged, flexible, plug-and-protect firewall devices designed to meet the needs of factories) may offer a way out of this conundrum.

OT Security with Less Downtime

NEXCOM’s Hwa Ya Plant implementation is a case in point.

Hwa Ya is NEXCOM’s smart manufacturing demo site—and also a working production facility. As such, it has all the usual physical challenges of factories:

  • A large footprint with many different types of equipment in constant operation
  • A harsh environment with high temperatures
  • Cramped, hard-to-access spaces that make device maintenance complicated

To secure the OT network at Hwa Ya, NEXCOM used its own ISA 140 industrial security appliance. Multiple units were deployed at key points throughout the facility to establish a micro-segmented OT network. The eSAF cybersecurity software package, developed by OT security specialist TMRTEK, was installed on the devices, allowing them to monitor and inspect OT network traffic in the same way that traditional endpoint security software does on an IT network (Video 1).

Video 1. ISA 140 used for micro-segmentation and packet inspection on an OT network. (Source: NEXCOM)

The result was a well-secured OT network with good visibility. But perhaps just as important, the Hwa Ya deployment demonstrated the business benefits of modern ISA 140 in a factory setting.

ISA 140 is compact and easy to install, so implementation doesn’t entail costly shutdowns or extensive infrastructure upgrades. And once in place, an out-of-band (OOB) remote management feature and bypass functionality allow OT security personnel to maintain the devices without disrupting the network.

Ma credits many of these benefits to NEXCOM’s technology partnership with Intel®: “The Intel Atom® processor that we used has built-in OOB functionality, which let us develop features that would minimize downtime without having to enlarge our circuit design.”

In addition, says Ma, the Intel chip was a good fit for the physical challenges of a factory setting: “The CPU is high performance, very reliable, and rated for extreme temperatures: perfect for industrial control system (ICS) security.”

The Future of Industrial Cybersecurity

As manufacturers shift to an Industry 4.0 model, threats to OT networks are likely to increase. Bad actors are as eager as any enterprise to take advantage of a market opportunity. But modern industrial security appliances will provide an effective and affordable way for businesses to defend themselves.

And in the years ahead, as OT networks grow more complex and diverse, manufacturers will also have access to security equipment purpose-built for distinct use cases. “We’re going to see a trend toward specialization in OT security,” says Ma, whose company is currently expanding its ISA 100 Series product line with appliances specifically designed for wireless (ISA 141) and switch (ISA 142) networking security in OT.

“Sooner or later, everything in the factory is going to be on a single network. But with advances in industrial security technology, businesses will have the tailored solutions fitted to the various OT scenarios they need to make that network truly zero-trust—ensuring a secure future for Industry 4.0,” says Ma.

 

This article was edited by Christina Cardoza, Associate Editorial Director for insight.tech.

About the Author

Nick Leon Ruiz writes about the Internet of Things, cybersecurity, and digital privacy. He works with established companies as well as start-ups on content strategy, thought leadership, and B2B marketing. Nick’s background in education and academia — a PhD in philosophy and years of experience teaching technical communication courses to STEM majors — underlies his passion for making complex topics accessible to a wide audience.
