'Complexity is the Enemy of Security'

Interview with an industry expert discussing attack surface visibility and critical cyber planning misses.


Manufacturing continues to expand in the technology, capabilities and reach of its data infrastructure. The expansion has created numerous advances and elevated our societal norms of efficiency, communication and support in what is unquestionably a global community. However, all of this enhanced connectivity comes with challenges, perhaps most easily illustrated by assessing the industrial sector attack surface now available to cyber criminals.

I recently had the chance to sit down and discuss these challenges, and solutions, with Qiang Huang, vice president of product management, cloud-delivered security services at Palo Alto Networks.

Jeff Reinke, Editorial Director: One of the biggest challenges manufacturing faces with OT security is visibility into the size of an ever-increasing attack surface. While there’s no silver bullet – what are some good places to start in improving this visibility? 

Qiang Huang, Palo Alto Networks: A lack of a clear understanding of a company’s risk exposure in OT environments makes it difficult to know the real threat surface to protect. With this in mind, a Zero Trust approach with micro-segmentation policies has never been more critical. Some best practices for improving visibility, and setting the stage for Zero Trust implementation, include:

  • Conducting an inventory of all assets, applications, systems and devices.
  • Using a solution that’s built for OT and is easy for OT teams to understand.
  • Choosing a comprehensive solution to reduce vendor sprawl, silos and integration issues.
  • Being judicious in the deployment of additional sensors, which can be difficult to roll out and add additional complexity.

JR: Are there any specific vulnerabilities that hackers are taking advantage of which might be especially prevalent in manufacturing enterprises?

QH: The most common form of attack activity impacting manufacturing is ransomware. The ransomware families are largely identical to those impacting the IT side of the house because the factory control layer is largely built on an IT technology stack – almost exclusively Windows. Active Directory services, MS SQL database repositories, and the engineering workstations are almost all Windows. Thus most of what gets abused are standard Windows exploits.

In addition, with digital transformation and increasing remote operations happening throughout the industry, there are more OT assets and applications that can now be accessed externally, dramatically increasing the threat surface for manufacturers.

JR: Recent social and economic dynamics have led many manufacturers to make significant investments in new technology. Meshing them with legacy equipment presents integration and security challenges. What advice would you offer in helping to realize the efficiency benefits without sidestepping security?

QH: Manufacturing environments are one of the most dramatic convergences of legacy and reasonably modern computer and networking generations. The plant floor is often composed of old, out of date, but highly stable and predictable systems built before the turn of the century. Those systems were built on full trust models without any security considerations in their designs.

The top of the factory, however, was built largely on a Windows platform that, while more modern, is a highly targeted asset class. Given this divergence, the optimal security strategy is to determine what assets fall into what grouping and then segment into specific zones of control, along with associated conduits of communication. These concepts are codified in ISA 99 and IEC 62443 standards and following them is a common strategy.
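The zone-and-conduit model described above (and the asset inventory recommended earlier as the first step toward visibility) can be made concrete with a small policy check. The following Python is an added illustration, not code from the interviewer or from Palo Alto Networks: it groups a constructed asset inventory into zones, declares the permitted conduits explicitly, and audits a list of constructed flow records, treating any flow that matches no declared conduit, or that involves an uninventoried address, as a violation. Zone names, addresses, ports and flows are all assumptions made up for the example.

```python
"""Zone/conduit policy audit (added example, not Palo Alto Networks code).

Models the IEC 62443 idea from the interview: group assets into zones, declare
the conduits (allowed zone-to-zone communication) explicitly, and treat every
other cross-zone flow as a violation (default deny). The asset inventory, zone
names, ports and sample flows below are constructed for this example.
"""
from dataclasses import dataclass

# Constructed asset inventory: address -> (hostname, zone).
INVENTORY = {
    "10.0.10.5": ("hmi-line1", "cell_line1"),
    "10.0.10.20": ("plc-line1", "cell_line1"),
    "10.0.20.5": ("hmi-line2", "cell_line2"),
    "10.0.20.20": ("plc-line2", "cell_line2"),
    "10.0.30.10": ("historian", "plant_dmz"),
    "10.0.30.11": ("eng-ws01", "plant_dmz"),
    "10.0.40.10": ("ad-dc01", "enterprise"),
}


@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    dst_port: int
    proto: str


# Constructed conduits: only these zone-to-zone paths are permitted.
CONDUITS = {
    Conduit("cell_line1", "plant_dmz", 1433, "tcp"),  # cell -> historian (MS SQL)
    Conduit("cell_line2", "plant_dmz", 1433, "tcp"),
    Conduit("plant_dmz", "cell_line1", 502, "tcp"),   # engineering workstation -> PLC
    Conduit("plant_dmz", "cell_line2", 502, "tcp"),
    Conduit("plant_dmz", "enterprise", 389, "tcp"),   # DMZ hosts -> AD (LDAP)
}


def zone_of(ip):
    """Return the zone of an inventoried address, or 'unknown' for any other."""
    return INVENTORY.get(ip, (None, "unknown"))[1]


def evaluate_flow(src_ip, dst_ip, dst_port, proto):
    """Classify one flow as 'intra-zone', 'allowed', or a violation reason."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if "unknown" in (src_zone, dst_zone):
        # An address missing from the inventory is itself a visibility gap.
        return "violation: uninventoried asset"
    if src_zone == dst_zone:
        # Traffic inside a zone is governed by the zone, not by conduits.
        return "intra-zone"
    if Conduit(src_zone, dst_zone, dst_port, proto) in CONDUITS:
        return "allowed"
    return f"violation: no conduit {src_zone}->{dst_zone} {proto}/{dst_port}"


def audit(flows):
    """Return (flow, verdict) pairs for every flow that violates the policy."""
    results = [(f, evaluate_flow(*f)) for f in flows]
    return [(f, v) for f, v in results if v.startswith("violation")]


# Constructed flow records (src, dst, dst_port, proto), e.g. from a flow log.
SAMPLE_FLOWS = [
    ("10.0.10.5", "10.0.10.20", 502, "tcp"),      # HMI -> PLC within the cell
    ("10.0.10.20", "10.0.30.10", 1433, "tcp"),    # PLC -> historian via a declared conduit
    ("10.0.40.10", "10.0.10.20", 502, "tcp"),     # enterprise host -> PLC: no conduit
    ("10.0.20.5", "10.0.10.20", 502, "tcp"),      # cell-to-cell HMI -> PLC: no conduit
    ("192.168.99.7", "10.0.30.10", 1433, "tcp"),  # source not in the inventory
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS):
        print(flow, verdict)
```

Running the block reports three violations out of the five constructed flows: the enterprise-to-PLC and cell-to-cell flows that match no declared conduit, and the flow from an address that the inventory does not know about. The last case is the point of the inventory step: a flow cannot be judged against zones until the asset is known, so the audit treats it as a finding rather than silently allowing it.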

JR: Continuing with the theme of meshing the old and the new, when it comes to OT systems, many component suppliers like to tout “secure by design” features. What are your thoughts – do you think this provides a false sense of security for many manufacturers? After all, this doesn’t cover connection points and legacy systems, right?

QH: Secure components are good. There are explicit standards, like IEC 62443 4-2, which provide for industrial security certifications. We have also observed governments across the world driving cybersecurity baseline label regulations for IoT device manufacturers to ensure a set of baseline security capabilities are built in. These standards mainly focus on new systems. Given the very long operational lifecycle of industrial OT systems, this means that enterprises will need to implement security in a very hybrid and heterogeneous OT environment for the foreseeable future.

What is also important, however, are secure systems – the association of components assembled to achieve a particular function. The system, sometimes referred to as a machine cell, could be a designated “zone” as mentioned earlier. Making that machine secure is much more valuable. By understanding the totality of the machine's componentry and behaviors, factory operators can apply mitigating policies either to the pieces, or enforce and protect at the system gateway.

Even if all the individual pieces pass a security certification, it does not mean that their configurations or deployment will be inherently secure. For those reasons it is better to emphasize zone security rather than trying to rebuild a machine with only secure components. There is a good chance that new machines and their components coming on-line today will still be as insecure as their predecessors. The need to explicitly secure them will continue for decades to come.

With these considerations, we are of the view that network security tools will continue to play a critical role to help secure these complex OT environments.

JR: The human element of OT security is being addressed more frequently of late. What are your thoughts in helping operations personnel play a bigger, more positive role in improving OT cyber defenses?

QH: Plant managers, OT leaders, and other security practitioners should be stakeholders in the final decisions made by a manufacturing operation when considering cybersecurity technologies and overall strategy. These groups can play a more influential role by identifying critical cybersecurity gaps and requirements for OT systems based on their experience and hands-on knowledge of the operation as a whole. Chief Information Security Officers (CISOs) and Chief Security Officers (CSOs) in manufacturing organizations would be best served to elevate and consult with these personas when in the midst of or contemplating digital transformation for their OT systems.

JR: Another major concern is finding OT cybersecurity talent. Have you seen any best practices for either developing or recruiting this type of talent? How does the future look for manufacturers seeking this type of in-house expertise?

QH: We have also recognized the shortage of security talent in all verticals, a particular lack of OT cybersecurity talent, and the even broader problem of an aging workforce in the overall industrial space. These trends overall are very worrying. Technology simplification can help by extending existing IT security tools and talent into OT cybersecurity, by adding OT-specific capabilities and adapting for OT-specific operational considerations. Our platform approach has already helped OT organizations who are thinking about tool consolidation as a solution to the lack of OT security talent.

Even with consolidation, the need for more security workers, particularly in the industrial space, remains critical. Palo Alto offers training with our Cyber Security Academy to help grow those skills.

JR: Any closing thoughts?

QH: As discussed, with major digital transformation trends in manufacturing, the OT environment is becoming more hybrid and dynamic, with a dramatic increase in the threat surface. It is critical to modernize OT cybersecurity to secure industrial networks and assets, remote operations, and emerging mobile (4G/5G) connected assets. This starts from having strong OT visibility of assets, risks, and behaviors. With proper visibility, you can deploy the right segmentation, mitigations, and behavior controls.

Complexity is the enemy of security; consolidating your protection around a platform approach eases your team’s work and extends your security.
