While Cyberattacks Are Inevitable, Resilience Is Vital

From: automation | Author: H | Time: 2024-11-28

It wasn’t that long ago that a series of major companies in the food industry suffered ransomware attacks that forced them to shut down operations.

As in many other sectors, the companies were wildly unprepared: they lived with a false sense of security, assumed they would never suffer a cyberattack, and believed they had a built-in resiliency that would keep them up and running.

They were wrong.

The food sector is just one of many that must understand that production availability is the priority in operational technology (OT) environments. Production systems generate enormous revenue per hour, so having one down for days or weeks because of a cyberattack is extremely expensive, not to mention the brand damage and the environmental and safety risks involved.

This is exactly where a resilience program can really come into play.

Resilience is the ability of a system to anticipate, withstand, recover from and adapt to cyberattacks and natural or accidental disruptions. Organizations must acknowledge that the days of a hard-shell security perimeter keeping attackers out are long gone; there must be a realistic and comprehensive resilience strategy to limit the impact of an attack once it succeeds.

“We must accept the fact that successful attacks are inevitable, but ensure we have the people, processes and technologies in place to avoid catastrophic events,” said Mark Carrigan, senior vice president of process safety and OT cybersecurity at Hexagon. “This starts by identifying the most critical assets, understanding the potential consequences of the attack and improving our ability to respond and recover.”

Attack costs rising

Understanding your critical assets is even more important today because the costs of attacks continue to go up. Just look at the numbers from various industry reports. According to IBM’s annual Cost of a Data Breach Report, the industrial sector experienced the costliest increase of any industry, rising by an average of $830,000 per breach over last year.

For 2024, the report found that the data breach cost for the industrial sector was $5.56 million compared to the previous year's $4.73 million. Energy also went up to $5.29 million from $4.78 million. Pharmaceuticals also jumped to $5.10 million from $4.82 million.

When it comes to ransomware attacks, manufacturing is the top target, according to a report from cloud security provider Zscaler, Inc.

According to the Zscaler ThreatLabz 2024 Ransomware Report, which analyzed the ransomware threat landscape from April 2023 through April 2024, there was an 18% overall increase in ransomware attacks year-over-year, as well as a record-breaking ransom payment of $75 million to the Dark Angels ransomware group.
 
In terms of specific attacks, MKS Instruments suffered a ransomware attack in February 2023 that “affected…production-related systems, and as part of the containment effort, the company has elected to temporarily suspend operations,” according to the incident database ICSSTRIVE.com. The total cost of that attack to date is $450 million: $200 million fell on MKS itself, and one of its customers absorbed a further $250 million because it could not get product from MKS.

In August 2023, Clorox said damage to the information technology (IT) network "caused widescale disruption of Clorox’s operations." Total cost of that attack to date is $49 million, according to ICSSTRIVE. That same year, Johnson Controls was the victim of an attack that cost the company a minimum of $27 million, according to ICSSTRIVE.
 

Tracking OT cyber incidents

According to the 2024 Threat Report issued by ICSSTRIVE, of the 356 cyberattacks reported in 2023, 68 caused physical consequences at manufacturing or critical infrastructure facilities spread across more than 500 sites, a 19% increase over the 57 such attacks reported the previous year. Reported costs included $27 million for Johnson Controls, $49 million for Clorox and up to $450 million for MKS Instruments, to name just a few.

ICSSTRIVE stands for “Industrial Control System Security, Threats, Regulations, Incidents and Vulnerabilities provided by Experts.” ICSSTRIVE.com, a sister site of ISSSource.com, is a database of incidents in the manufacturing sector that started in March 2021. On the site, you can search the more than 1,200 reported incidents in the ICSSTRIVE database by industry sector, country, company, type of attack (like malware or ransomware), or even attack groups.

Other key findings in the 2024 Threat Report include:

  • In the period 2019-2023, attacks are almost doubling annually with an average compound annual growth rate of over 90% per year.

  • The discrete manufacturing sector was the hardest hit, followed by transportation and process manufacturing.

  • In roughly one-quarter of all attacks since 2010, where public reports included enough detail, threat actors impaired or manipulated operational technology (OT) systems directly. In the remaining attacks, physical consequences were an indirect result of compromising IT systems or other kinds of systems.

  • Attack complexity is increasing, including for example the emergence of serious GPS spoofing attacks and an increasing number of supply chain attacks with physical consequences.

The database lets asset owners research incidents in their own industry: what has happened to their peers, and what is already known about a new piece of malware, ransomware family or activity group when they first hear of it. It also conveys the scale of the attacks the manufacturing industry faces and saves time when assembling the justification for a cyber investment.

Find out more from the 2024 Threat Report.


Government involvement

The U.S. government, too, understands that cyberattacks are inescapable, and it has shifted its focus toward building resilient systems. That is why the President’s Council of Advisors on Science and Technology (PCAST) issued a report on resilience.

Cyber-physical systems are at the core of the critical services that underpin our lives, PCAST said in its report. Cyber-physical systems are increasingly vulnerable to threats from nation-states, terror groups, criminals, a range of natural disasters, as well as accidents and failures.

One case in point PCAST gave when discussing resilience is the 2021 Texas winter power crisis. While the failure of physical systems in extreme cold coincided with a surge in demand for electricity for heating, the lack of resilience built into the overall system, including its cyber elements, contributed to a catastrophe that left more than 4.5 million homes without power.

“It is refreshing to see the United States Government (USG) finally consider the importance of resilience when looking at the safe, secure and reliable operation of infrastructure in the eyes of an ever-changing and faster-growing threat landscape,” said Joel Langill, founder and managing member of the Industrial Control System Cyber Security Institute (ICSCSI), LLC. “We should understand that security and resilience are not the same thing, nor are they mutually exclusive from one another.”

Remaining resilient, whether that means staying up and running or recovering quickly from an attack, is not overly expensive, and it is within reach of every company: most already have what they need to stop roughly 90% of the attacks they will face. They just need to apply the basics.
 

Understand fundamentals

“Cybersecurity in the industrial sector can improve by maintaining strong fundamental practices while integrating advanced tools,” said Dewan Chowdhury, chief executive and founder of security provider, malcrawler. “Core practices like network segmentation, regular backups, comprehensive asset inventories, adherence to security frameworks and secure remote access form a great foundation of a resilient cybersecurity posture.

“Complementing these basics with new technologies such as AI [artificial intelligence] and machine learning can significantly enhance threat detection and response capabilities,” he said.

But, he added, don’t get caught up in all the bells and whistles of new technologies hitting the market. Understand what you need and apply the proper technologies at the proper time.

“Organizations must avoid the common pitfall of investing in cutting-edge technology that remains unused,” Chowdhury said. “Instead, they should focus on integrating these tools into their existing security frameworks to enhance, not replace, fundamental practices. Learning from the past, where many cybersecurity products became obsolete, highlights the importance of staying adaptable and informed about industry trends. By balancing core practices with innovative tools, the industrial sector can build a robust and adaptable cybersecurity defense.”

Lessons from other disciplines, safety in particular, can help build an understanding of resilience.
 

Learn from safety

“Industrial sectors, especially those with mature process safety cultures, commonly leverage techniques such as peer review or cold eye review (CER) to reduce the likelihood of safety incidents,” said Dave Gunter, director of business development at industrial cybersecurity solutions provider Armexa. “Industrial cybersecurity practitioners, in these and other industrial sectors, could achieve additional levels of maturity by adopting similar practices.”

Gunter continued: “While peer review or CER may seem obvious, in practice, humans often jump to solutions before thoroughly discussing the pros, cons and risks with others before deployment. A diverse team of functional experts brings value to the approach. CER leverages the experiences and skills that you already have within the organization.”

For example, Gunter said, senior members of the team typically introduce tried and true fundamental concepts into the discussion. Mid-career practitioners have a clear line of sight as to what works and what doesn’t in the current field of operations. Junior team members may ask questions like, “Why do we do it this way?”, which may challenge others to consider alternative solutions.

“The result is a clear—and hopefully quick—discussion on the concept, the tool or approach, the fundamentals, what-if questions and a rationalization of why this is occurring and its importance,” said Gunter. “I am not suggesting design by committee or disclosing any cyber-sensitive information; however, validating a concept is a key element in quality assurance and testing.”

This process can introduce a pragmatic, trust-but-verify (peer review and CER) culture into OT cybersecurity solution development, explained Gunter. “Industrial OT cybersecurity maturity will benefit from interactions with other professionals, consultants and service providers to validate technology, trends, skills, work processes and approaches,” he added.

Over the past 15 years, OT defenses have gotten better and stronger, but a constant state of vigilance is still required. “Increased focus on OT assets has improved overall cybersecurity,” Carrigan said. “Industry and regulatory bodies realize OT systems are essential to delivering critical services and products and have increased investments to secure these assets.”

In general, Carrigan added, “investments in segmentation, threat detection and remediation, asset management, and basic hygiene have improved our security posture. That said, while we have improved our ability to prevent and detect events, there needs to be more investment to respond and recover.”


OT protection fundamentals

In the spirit of applying fundamental cybersecurity practices to OT, Chowdhury offered a range of practical suggestions.
 

Network segmentation: Network segmentation protects OT assets effectively. Existing switches support VLANs to carve up the network, and modern firewalls create zones that separate OT equipment from everything else. During a breach, segmentation keeps attackers from reaching other parts of the network by confining them to one zone, and that confinement makes detection and response faster. Situational awareness is simpler in OT networks than in corporate IT because OT traffic is predictable: the same devices talk to the same peers on the same ports day after day. Provided the zone boundaries are monitored, an attacker on a segmented network trips multiple alarms as soon as they try to reach another network or an unusual port.

Importance of backups: Maintaining backups is essential because every environment experiences downtime, whether from a cyberattack, human error or an environmental event. Organizations must hold current backups of the configuration files for OT equipment such as remote terminal units (RTUs), programmable logic controllers (PLCs), computer numerical control (CNC) machines and laser cutters. The effort to maintain them is minimal and the reward is significant: up-to-date backups let OT systems resume their critical functions quickly after a disruption. Two checks make the difference in a ransomware case: keep at least one copy offline or otherwise out of reach of the credentials an attacker would hold on the production network, and test restores on a schedule, because a backup that has never been restored is an assumption rather than a recovery plan.

Asset inventory or comprehensive OT configuration management database (CMDB): Quite a few large companies lack a comprehensive understanding of their OT environment. They do not know all the different equipment or their network connections. It is crucial to document all OT equipment, whether connected to the network or air-gapped. At a minimum, collect data on the model, make, industrial purpose, technical point of contact, network connectivity, engineering workstation connections and human-machine interface (HMI) connections. This data is crucial for understanding the environment and establishing an incident response program. Depending on the CMDB tool used, it can also serve as the central repository for backups.
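As an added example, not code from the original feature or from Chowdhury, the following Python script joins an asset inventory carrying the CMDB fields listed above with a backup manifest and reports, per asset, whether the last backup is missing, older than the allowed age, or no longer matches the configuration currently running on the device. The inventory, configuration blobs, manifest dates and the placeholder make "Acme" are constructed for the illustration. The "drift" status is worth singling out: it is both the signal that a backup needs refreshing and a cheap check for an unauthorized change to a controller.

```python
"""Backup coverage report for OT assets (constructed example)."""
import hashlib
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Asset:
    """One CMDB record with the minimum fields the text calls for."""
    asset_id: str
    make: str
    model: str
    purpose: str
    contact: str
    network: str                                # segment name, or "air-gapped"
    ews: list = field(default_factory=list)     # engineering workstations that program it
    hmis: list = field(default_factory=list)    # HMIs that drive it


@dataclass
class Backup:
    """One manifest entry: when the config was captured and its SHA-256."""
    asset_id: str
    taken: date
    sha256: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed inventory for a hypothetical site ("Acme" is a placeholder make).
INVENTORY = [
    Asset("plc-01", "Acme", "PLC-500", "filler line control", "j.doe", "cell-1", ["ews-01"], ["hmi-01"]),
    Asset("plc-02", "Acme", "PLC-500", "capper control", "j.doe", "cell-1", ["ews-01"], ["hmi-01"]),
    Asset("rtu-07", "Acme", "RTU-20", "tank farm telemetry", "a.lee", "air-gapped"),
    Asset("cnc-03", "Acme", "CNC-9", "machining centre", "r.kim", "cell-2", ["ews-02"]),
]

# Constructed config blobs as read from the running devices during the check.
# rtu-07 is air-gapped, so no live read is available for it.
LIVE_CONFIG = {
    "plc-01": b"PROGRAM main; setpoint := 125;",
    "plc-02": b"LADDER rung1; rung2;",
}

# Constructed manifest; hashes are computed from the blobs as captured at the time.
MANIFEST = [
    Backup("plc-01", date(2024, 10, 1), sha256_hex(b"PROGRAM main; setpoint := 100;")),
    Backup("plc-01", date(2024, 11, 20), sha256_hex(b"PROGRAM main; setpoint := 120;")),
    Backup("plc-02", date(2024, 9, 15), sha256_hex(b"LADDER rung1; rung2;")),
    Backup("rtu-07", date(2024, 11, 25), sha256_hex(b"RTU cfg v3")),
]

REPORT_DATE = date(2024, 11, 28)


def backup_report(inventory, manifest, live_config, today, max_age_days=30):
    """Return {asset_id: status}; status is one of ok, no backup, stale, drift."""
    latest = {}
    for b in manifest:
        if b.asset_id not in latest or b.taken > latest[b.asset_id].taken:
            latest[b.asset_id] = b
    report = {}
    for a in inventory:
        b = latest.get(a.asset_id)
        if b is None:
            report[a.asset_id] = "no backup"   # nothing to restore from
        elif (today - b.taken).days > max_age_days:
            report[a.asset_id] = "stale"       # a restore would roll back recent changes
        elif a.asset_id in live_config and sha256_hex(live_config[a.asset_id]) != b.sha256:
            # Running config no longer matches the last backup: either an unrecorded
            # change that needs a fresh backup, or an unauthorized modification.
            report[a.asset_id] = "drift"
        else:
            report[a.asset_id] = "ok"
    return report


def run_report():
    return backup_report(INVENTORY, MANIFEST, LIVE_CONFIG, REPORT_DATE)


if __name__ == "__main__":
    for asset_id, status in run_report().items():
        print(f"{asset_id}: {status}")
```

On the constructed data plc-01 reports drift (its running program differs from the 20 November capture), plc-02 reports stale (last backup 74 days old), cnc-03 has no backup at all, and the air-gapped rtu-07 passes because it has a recent capture and no live read to compare. An asset with no live read never reports drift, which is exactly the gap a manual configuration walk-down has to close.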

Implement a security framework: Establishing a cybersecurity program is straightforward given the frameworks available. They spell out what an organization needs in place to improve its posture and maturity. The NIST Cybersecurity Framework, for example, is industry-agnostic and lets an organization map its program against recommended guidelines; evaluating against a suitable framework identifies the gaps in the program. The cost is minimal, mostly the effort of communicating across the organization to establish the current posture. For OT specifically, the ISA/IEC 62443 series of standards helps manufacturers and asset owners start a security program and then keep growing it.

Maintain basic hygiene: Regular software updates, patch management and strong password policies are fundamental, and having them in place prevents a significant share of attacks. In OT the caveat is that a controller or HMI often cannot be patched without a production outage; in that case schedule the update for the next maintenance window and, until then, compensate with tighter segmentation and access restrictions around the unpatched system rather than leaving it exposed.

Secure remote access: During COVID-19, remote access to OT environments surged. Organizations saved money by having vendors troubleshoot and monitor equipment remotely for efficiency and warranty support. But in the rush to stand up remote access, security precautions were deferred, and quite a few organizations suffered the consequences. What the industry learned is that secure remote access matters more now than ever. Network segmentation helps here too: with segmented zones, companies can restrict each vendor to the specific assets they support and prevent remotely accessed OT devices from interacting with other parts of the network.
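An added example, not part of the original feature: the check below encodes the zone plan of a hypothetical plant and the conversations the plant allows across zone boundaries, then scores a constructed set of connection records against it. It covers both the segmentation point (traffic that crosses a boundary outside policy trips an alarm) and the remote-access point (a vendor account is pinned to the one controller it supports, so a session that reaches for a second PLC is flagged). Zone names, address ranges, ports and the flow export format are assumptions made for the example.

```python
"""Zone-policy check for a segmented OT network (constructed example)."""
import ipaddress

# Constructed zone plan for a hypothetical plant. Each zone is one VLAN or
# firewall zone; the address ranges are placeholders.
ZONES = {
    "corp-it":    ipaddress.ip_network("10.0.0.0/16"),
    "ot-dmz":     ipaddress.ip_network("10.10.0.0/24"),    # historian, jump host
    "vendor-vpn": ipaddress.ip_network("10.20.0.0/24"),    # remote vendor sessions land here
    "cell-1":     ipaddress.ip_network("192.168.1.0/24"),  # filler/capper PLCs
    "cell-2":     ipaddress.ip_network("192.168.2.0/24"),  # machining cell
}

# Allowed cross-zone conversations: (src_zone, dst_zone, proto, dst_port, dst_host).
# dst_host pins a rule to one asset; that is how a vendor is restricted to the
# single controller they support.
POLICY = [
    ("corp-it",    "ot-dmz", "tcp", 443, None),            # users browse the historian
    ("ot-dmz",     "cell-1", "tcp", 502, None),            # historian polls PLCs (Modbus/TCP)
    ("ot-dmz",     "cell-2", "tcp", 502, None),
    ("vendor-vpn", "cell-1", "tcp", 502, "192.168.1.10"),  # vendor may reach plc-01 only
]


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(src: str, dst: str, proto: str, dport: int) -> str:
    """Classify one flow as 'ok', 'violation' or 'unknown-host'."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if "unknown" in (src_zone, dst_zone):
        return "unknown-host"   # not in the inventory: the asset list has a gap
    if src_zone == dst_zone:
        return "ok"             # intra-zone traffic is policed inside the cell
    for s, d, p, port, host in POLICY:
        if (s, d, p, port) == (src_zone, dst_zone, proto, dport) and host in (None, dst):
            return "ok"
    return "violation"


def check_flows(lines):
    """Parse 'src,dst,proto,dport' records (a constructed flow export) and score each."""
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split(",")
        results.append((line, zone_of(src), zone_of(dst), evaluate(src, dst, proto, int(dport))))
    return results


# Constructed flow records, as a firewall at a zone boundary might export them.
SAMPLE_FLOWS = """
# src,dst,proto,dport
10.0.5.23,10.10.0.5,tcp,443
10.10.0.5,192.168.1.10,tcp,502
10.0.5.23,192.168.1.10,tcp,502
10.20.0.7,192.168.1.10,tcp,502
10.20.0.7,192.168.1.11,tcp,502
192.168.1.10,192.168.2.10,tcp,44818
192.168.1.10,192.168.1.11,tcp,502
10.10.0.5,192.168.1.10,tcp,22
10.10.0.5,172.16.9.9,tcp,502
""".splitlines()


if __name__ == "__main__":
    for line, src_zone, dst_zone, verdict in check_flows(SAMPLE_FLOWS):
        print(f"{verdict:13} {src_zone:>10} -> {dst_zone:<10} {line}")
```

Four of the nine constructed flows come back as violations: a corporate workstation talking Modbus straight to a PLC, the vendor session hopping from its pinned controller to a neighbour, PLC-to-PLC traffic between cells, and SSH from the DMZ to a controller. The last record lands on an address in no zone at all and is reported separately, because an unknown host is an inventory problem before it is a firewall problem.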


Beyond the basics

While applying the basic OT cybersecurity practices will stop the majority of attacks, Chowdhury said that newer technologies can help address the sophisticated ones. “Implementing fundamental actions and leveraging new technologies requires minimal investment, as most companies already have the human and technical resources necessary,” he said.

Useful new technologies include:  

  • AI and machine learning. Behavioral analysis can detect anomalous activity in OT systems that may indicate a breach: by continuously monitoring equipment and user behavior, a model learns the normal pattern of who talks to which device, how often and with what values, and alerts on deviations before they cause significant harm. Models that analyze data from sensors and control systems can surface indicators of compromise and emerging threats, which lets organizations respond proactively to sophisticated attacks. The caveat is that such a model is only as good as its baseline: one trained while an intruder is already present, or while the plant is in an unusual operating mode, will learn that activity as normal.

  • Zero trust architecture. Zero trust improves security in OT environments by assuming no user or system is inherently trustworthy: every request is authenticated and authorized on its own merits rather than because it originates inside the plant network.

  • Identity and access management (IAM). IAM ensures that only authorized individuals have access to critical OT systems. By enforcing strict identity verification and access controls, IAM reduces the risk of unauthorized access and potential breaches in the OT environment.

  • Micro-segmentation. Micro-segmentation breaks down OT networks into smaller, isolated segments to limit the spread of potential breaches. This approach contains threats within confined areas, preventing them from moving laterally across the OT network.

  • Security orchestration, automation and response (SOAR). SOAR technologies streamline and automate security operations in OT environments, enhancing an organization’s ability to respond to incidents swiftly and effectively. By integrating various security tools and processes, SOAR improves the efficiency and coordination of incident response efforts, reducing the impact of cyberattacks on critical OT systems.
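An added example to make the behavioral-analysis item concrete; it is not code from the original feature or from any product. It learns a baseline from a constructed day of normal OT operations (which workstation or HMI talks to which controller, how often per hour, and what setpoint values it writes), then scores a later window and flags three things a signature-based tool would miss: a never-seen conversation (a new workstation downloading a program), a write value far outside the learned range, and a burst of writes well above the normal rate. Device names, operations and values are constructed.

```python
"""Behavioral baseline for OT command traffic (constructed example)."""
from collections import defaultdict, namedtuple
from statistics import mean, pstdev

# One observed operation: who did what to which device, in which hour, and
# (for writes) the value sent. Reads carry value=None.
Event = namedtuple("Event", "hour src dst op value")


def learn(events):
    """Baseline per (src, dst, op): hourly rate and, for writes, value range."""
    hours = sorted({e.hour for e in events})
    counts = defaultdict(lambda: defaultdict(int))
    values = defaultdict(list)
    for e in events:
        key = (e.src, e.dst, e.op)
        counts[key][e.hour] += 1
        if e.value is not None:
            values[key].append(e.value)
    model = {}
    for key, per_hour in counts.items():
        series = [per_hour.get(h, 0) for h in hours]   # quiet hours count as zero
        vals = values.get(key, [])
        model[key] = {
            "rate_mean": mean(series), "rate_sd": pstdev(series),
            "val_mean": mean(vals) if vals else None,
            "val_sd": pstdev(vals) if vals else None,
        }
    return model


def score(model, events, z_max=3.0, floor_sd=0.5):
    """Flag never-seen conversations, out-of-range write values and rate spikes.

    floor_sd is the smallest spread the scorer will assume; without it a perfectly
    regular baseline (standard deviation 0) would flag any deviation at all.
    """
    findings = []
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        key = (e.src, e.dst, e.op)
        if key not in model:
            findings.append((e.hour, key, "never-seen conversation"))
            continue
        counts[key][e.hour] += 1
        m = model[key]
        if e.value is not None and m["val_mean"] is not None:
            z = abs(e.value - m["val_mean"]) / max(m["val_sd"], floor_sd)
            if z > z_max:
                findings.append((e.hour, key, f"value {e.value} out of baseline"))
    for key, per_hour in counts.items():
        m = model[key]
        for hour, n in sorted(per_hour.items()):
            z = (n - m["rate_mean"]) / max(m["rate_sd"], floor_sd)
            if z > z_max:
                findings.append((hour, key, f"{n} ops/h vs baseline {m['rate_mean']:.1f}"))
    return sorted(findings)


def constructed_baseline():
    """One normal day: the historian polls plc-01 four times an hour and hmi-01
    writes the setpoint twice an hour, alternating between 119 and 121."""
    events = []
    for h in range(24):
        events += [Event(h, "hist-01", "plc-01", "read", None)] * 4
        events += [Event(h, "hmi-01", "plc-01", "write", 119.0),
                   Event(h, "hmi-01", "plc-01", "write", 121.0)]
    return events


def constructed_window():
    """Two later hours: normal polling, plus a never-seen workstation pushing a
    program, a burst of ten writes, one of them with an absurd setpoint."""
    events = [Event(24, "hist-01", "plc-01", "read", None)] * 4
    events += [Event(24, "hmi-01", "plc-01", "write", 119.0),
               Event(24, "hmi-01", "plc-01", "write", 121.0),
               Event(24, "ews-02", "plc-01", "program_download", None)]
    events += [Event(25, "hist-01", "plc-01", "read", None)] * 4
    events += [Event(25, "hmi-01", "plc-01", "write", 120.0)] * 9
    events += [Event(25, "hmi-01", "plc-01", "write", 250.0)]
    return events


if __name__ == "__main__":
    model = learn(constructed_baseline())
    for hour, key, why in score(model, constructed_window()):
        print(f"hour {hour}: {key}: {why}")
```

The scorer returns three findings on the constructed window and nothing on the normal hour, which is the property to check before trusting any such model in production: it must stay quiet on ordinary operations. Note what the rate check does not do: the single 250.0 write in the burst is caught by the value check, and the nine writes of 120.0 are individually normal; only the count per hour gives them away.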

 

Understand consequences

Cybersecurity comes down to understanding risk, applying the basic controls, adding newer technologies where they fit, and keeping the system running by eliminating as much unplanned downtime as possible.

“Cybersecurity is a risk game—as long as computers are required to deliver critical products and services, they will have some vulnerability to an attack,” Carrigan said. “Risk is a simple equation: Risk = Likelihood x Consequence. Most of our investments have been in reducing the ‘likelihood’ side of the equation. The future of OT cybersecurity will be in reducing the consequences of cyberattacks—specifically, how to minimize the impact of infiltration and restore operations within an acceptable period.”

Manufacturers must understand their risk appetite and know what and where their organization’s crown jewels are and how to protect them. “Applying the same security practices to all OT assets is not practical—some are more important than others, even within the same company and the same OT network,” Carrigan said.
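To make Carrigan’s equation concrete, here is an added worked example, not from the feature, that expresses Risk = Likelihood x Consequence as expected annual loss for a constructed portfolio of assets, ranks them so the crown jewels come first, and compares two candidate spends on the same asset: a prevention control assumed to trim likelihood by 20%, and verified backups plus a cold spare assumed to cut recovery to 12 hours. All figures, asset names and control effects are assumptions made for the illustration.

```python
"""Risk = Likelihood x Consequence over a small asset set (constructed example)."""
from dataclasses import dataclass, replace


@dataclass
class AssetRisk:
    name: str
    likelihood: float        # estimated P(disruptive compromise) per year
    recovery_hours: float    # time to restore from backups and re-validate the process
    revenue_per_hour: float  # USD the line earns per hour it is running
    fixed_cost: float        # forensics, rebuild labour, safety/regulatory follow-up (USD)


def consequence(a: AssetRisk) -> float:
    """Loss if the asset is taken down once: downtime cost plus fixed recovery cost."""
    return a.recovery_hours * a.revenue_per_hour + a.fixed_cost


def annual_risk(a: AssetRisk) -> float:
    """Risk = Likelihood x Consequence, expressed as expected annual loss in USD."""
    return a.likelihood * consequence(a)


def rank(assets):
    """Crown jewels first: assets ordered by expected annual loss."""
    return sorted(assets, key=annual_risk, reverse=True)


def risk_reduction(a: AssetRisk, **changes) -> float:
    """Expected annual loss a control removes, given its effect on the inputs."""
    return annual_risk(a) - annual_risk(replace(a, **changes))


def compare_controls(a: AssetRisk):
    """Two candidate spends on one asset, assumed to cost the same: a prevention
    control that trims likelihood by 20%, and verified offline backups plus a
    cold spare that bring recovery down to 12 hours (no effect if already faster)."""
    return {
        "prevent (likelihood -20%)": risk_reduction(a, likelihood=a.likelihood * 0.8),
        "recover (restore in 12 h)": risk_reduction(a, recovery_hours=min(a.recovery_hours, 12)),
    }


# Constructed portfolio for a hypothetical bottling site.
PORTFOLIO = [
    AssetRisk("bottling line PLCs", 0.10, 72, 50_000, 200_000),
    AssetRisk("batch historian", 0.20, 8, 5_000, 50_000),
    AssetRisk("safety system EWS", 0.05, 120, 50_000, 1_000_000),
]


if __name__ == "__main__":
    for a in rank(PORTFOLIO):
        print(f"{a.name:20} expected annual loss ${annual_risk(a):>12,.0f}")
        for control, saved in compare_controls(a).items():
            print(f"    {control:28} saves ${saved:>10,.0f}/yr")
```

On the constructed numbers the historian has the highest likelihood but the lowest risk, because it can be rebuilt in hours; the two long-recovery assets dominate the ranking. For the bottling line, the recovery investment removes about four times as much expected loss as the prevention investment, which is the point Carrigan makes: once the likelihood side has been worked, the remaining lever is how fast the plant can be brought back.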

Remaining resilient to a cyber incident—any kind of incident—means manufacturers must apply the basics, sprinkle in some new technologies and plan, test, revise and then start that process all over again. Don’t live with a false sense of security. Creating and following a resilience plan will keep your organization up and running while remaining productive and profitable.


Resilience best practices

It is no secret cyberattacks of all types continue to increase as certain industrial sectors remain low-hanging fruit for attackers. The following are some basic best practices to stay ahead of attackers:

  • Fight to remain resilient.

  • Understand your risk equation.

  • Understand the likelihood and the consequence of an attack.

  • Train, train and then train some more; get specific OT training.

  • Re-evaluate your system and understand the dynamic nature of cybersecurity.

  • Increase visibility.

  • Take stock of what you have on your system.

  • Understand what is talking to what.

  • Create a culture of collaboration.

  • Communicate.


Final thoughts

In the end, resilience is a program, not a slogan. Whatever the status of a security program, it must keep evolving, because attackers are not standing still. Whether it is a ransomware, terrorist or hacktivist attack, the threat actor wants to get in, take what they can and get out successfully.

A successful resilience program always falls back on applying solid technology, understanding and communicating the process, and having smart workers understand what to do at the right time.

This feature originally appeared in AUTOMATION 2024: 1st Annual OT Cybersecurity Trends Report.

