Defending Against Identity-Based Attacks

Research shows that nearly 80 percent of data breaches emanate from identity-based vulnerabilities.


A recent report from Crowdstrike researchers shows that nearly 80 percent of all data breaches emanate from identity-based vulnerabilities. This is supported by recent reports on the attacks against Schneider Electric and Boeing, and it reaches as far back as the infamous Colonial Pipeline ransomware attack.

As the industrial attack surface expands, so does the number of logins, access points and cloud connections that need to be secured. Failing to give the security protocols needed in all of these areas the proper attention and priority will guarantee that attacks attributed to stolen credentials, default password usage and outdated authentication practices will continue.

Hackers have shown a propensity to evolve and invest in new and more complex tools, which we now know will include AI-driven capabilities. So, as the bad guys step up their game, so must you. To discuss some of the ways that identity-based attacks will impact cybersecurity planning, investment and training, I recently sat down with David Cottingham, President of rf IDEAS, a leading provider of individual and device authentication products and services.

Jeff Reinke, editorial director: The industrial attack surface continues to grow with each connection point. What impact (good and bad) have you seen this dynamic have on identity-based attacks or credential harvesting?

David Cottingham, rf IDEAS: The challenge that manufacturers have is that with the addition of each endpoint, there's one more vulnerability added, and one more connection point that a hacker has to gain entry to sensitive data and networks.

Each endpoint that requires a password or secure authentication is vulnerable to attack, and with 90 percent of passwords hackable in less than six hours, that opens many doors for hackers. However, many of these vulnerabilities can be eliminated by the separation of IT and OT.

That being said, issues relate back primarily to identifying the operator - the need to authorize a user is not a universally known issue. Legacy systems have traditionally been open systems that are initiated via physical push buttons or keys, or on-display start/stop routines, and operators are not required to log in in most instances. Because of this, there is no accountability or audit trail and no way to ensure that the person initiating the process is qualified. Overall, manufacturers need more secure methods of authentication to secure their networks, data, production lines and more.

JR: What are some of the primary vulnerabilities you’re seeing when it comes to credential harvesting in the industrial sector? How are hackers getting this information?

DC: Among the primary vulnerabilities in the industrial sector are hackers getting access to HMI, PLC, SCADA, or other mission-critical manufacturing systems to halt production and get the manufacturer to pay a ransom. The financial impact on a manufacturing plant having their production lines down can be catastrophic.

Furthermore, exposing or manipulating customer order data can result in a failure to fulfill orders. Lastly, the theft of intellectual property can enable a competitor to launch a competing product, which severely impacts time to market and market share. With shared workstations and shared passwords being a common practice in manufacturing, hackers are getting this information by hacking vulnerable passwords or shared pins.

JR: Are there any best practices that you advocate or have seen implemented that help limit these types of attacks?

DC: There are several best practices that can help limit these attacks. Enabling multi-factor authentication such as password and smartcard authentication is one way to hold frontline workers accountable and eliminate shared passwords/pins.

Another recent technological development to bolster security is adopting a passwordless solution, such as ConvergeID, where a manufacturing organization can convert their employees’ existing physical ID badge credentials into FIDO2 security keys. This also enables IT administrators to streamline the assignment and removal of user keys and the designation of security policies.

Yet another approach is to separate OT and IT to ensure the production process is not vulnerable to outside attacks. Ensuring that cloud applications are managed and maintained in a closed network that does not have access to the internet is also a contributing factor to enabling a secure network. Ensuring that operator groups, within the production process, are created to classify and limit operators to their qualified roles is a key step.

Audit trails must be established, be accessible, and be verifiable when errors or production incidents occur. This can be accomplished by using credential readers that can be attached to HMIs, PLCs, SCADA systems and internal cloud logging/QA systems. Accounts can be set up on the HMIs to grant access to the process, and look-up tables can be established on PLCs to enable and disable the production process, eliminating physical push buttons and keys, which can cause friction among legacy systems.
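The operator-group and look-up-table pattern described in this answer, as an added illustration that is not part of the interview and not rf IDEAS or ConvergeID code: a badge presented at a credential reader is resolved to an operator and role, the role is checked against a table of permitted process actions, and every decision (allowed or refused, including attempts with no badge or an unenrolled badge) is written to an audit trail. The badge UIDs, names, roles and actions are constructed for the example; in a plant the directory would come from the identity provider and the log would go to the logging/QA system rather than an in-memory list.

```python
"""Added example: an HMI-side gate that requires a badge credential before a
process action, checks the operator's role against a lookup table of permitted
actions, and records every decision in an audit trail.
All badge IDs, names, roles and actions below are constructed sample data."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed operator directory: badge UID -> (name, role).
OPERATORS: Dict[str, Tuple[str, str]] = {
    "04A1B2C3": ("A. Ortiz", "line_operator"),
    "04D4E5F6": ("B. Chen", "line_supervisor"),
    "04099887": ("C. Patel", "maintenance"),
}

# Role -> permitted process actions: the look-up table that replaces the
# physical push button. Anything not listed is refused.
ROLE_PERMISSIONS: Dict[str, frozenset] = {
    "line_operator": frozenset({"start", "stop"}),
    "line_supervisor": frozenset({"start", "stop", "override_interlock"}),
    "maintenance": frozenset({"stop", "enter_maintenance_mode"}),
}


@dataclass
class AuditEntry:
    timestamp: str
    badge_uid: str
    operator: str
    role: str
    action: str
    allowed: bool
    reason: str


@dataclass
class ProcessGate:
    """Decides whether a badge presented at the HMI may trigger an action."""
    audit_log: List[AuditEntry] = field(default_factory=list)

    def request(self, badge_uid: Optional[str], action: str) -> bool:
        now = datetime.now(timezone.utc).isoformat()
        if not badge_uid:
            # No credential presented: refuse and record, so nothing starts anonymously.
            self._record(now, "", "<none>", "<none>", action, False, "no credential presented")
            return False
        record = OPERATORS.get(badge_uid)
        if record is None:
            # Badge not enrolled: refuse; the attempt is still worth logging.
            self._record(now, badge_uid, "<unknown>", "<unknown>", action, False, "badge not enrolled")
            return False
        name, role = record
        permitted = ROLE_PERMISSIONS.get(role, frozenset())
        if action not in permitted:
            # Enrolled operator, but outside their qualified role.
            self._record(now, badge_uid, name, role, action, False, "action not permitted for role")
            return False
        self._record(now, badge_uid, name, role, action, True, "ok")
        return True

    def _record(self, ts, uid, name, role, action, allowed, reason) -> None:
        self.audit_log.append(AuditEntry(ts, uid, name, role, action, allowed, reason))


def denied_events(gate: ProcessGate) -> List[AuditEntry]:
    """The refused attempts: the entries an incident reviewer looks at first."""
    return [e for e in gate.audit_log if not e.allowed]


if __name__ == "__main__":
    gate = ProcessGate()
    gate.request("04A1B2C3", "start")               # operator starts the line: allowed
    gate.request("04A1B2C3", "override_interlock")  # operator tries a supervisor action: denied
    gate.request("04D4E5F6", "override_interlock")  # supervisor: allowed
    gate.request(None, "start")                     # push button with no badge: denied
    gate.request("FFFFFFFF", "stop")                # unenrolled badge: denied
    for e in gate.audit_log:
        verdict = "ALLOW" if e.allowed else "DENY"
        print(f"{e.timestamp} {e.operator:<10} {e.role:<16} {e.action:<20} {verdict:<5} {e.reason}")
```

The design point is that the refusals are logged with the same detail as the approvals: an audit trail that only records successful starts cannot answer who tried to override an interlock, or whether an unenrolled badge was presented before an incident.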

JR: What role do you feel government or regulatory bodies should play in strengthening identity-based security protocols?

DC: As with healthcare (HIPAA), Financial Banking (Sarbanes-Oxley Act) and other regulated industries, there needs to be pressure to implement regulatory compliance in the manufacturing industry for identity-based security protocols and secure authentication.

As long as manufacturing companies continue to have confidence that the government will bail them out in ransomware attacks, the urgency will not be there to adopt solutions to prevent cyber-attacks. We have seen government mandates for IAM for medical device manufacturing and mission-critical processes that are controlled by HMIs and PLCs. Multi-factor authentication achieves that requirement, in that we have seen customers implement these solutions to meet IAM requirements. But there is a need for government and regulatory bodies to ensure that mission-critical devices are not compromised during the production process.

JR: What role can individuals play in better securing this type of information and the systems connected to them?

DC: Individuals can secure their information better by participating in internal team tests to identify possible weaknesses in the current systems in place and then make the appropriate modifications. Employees can also be sure they are creating good password habits and using strong passwords for instances with no passwordless solutions.

JR: What do you feel are the biggest trends impacting cybersecurity as a whole in the industrial sector?

DC: One major cybersecurity trend to look out for is how companies will learn to anticipate and detect supply chain attacks. Since these attacks are highly impactful, affecting not just one company, but potentially hundreds or thousands, pressure will then increase from regulators and customers to get the systems more tightly secured - meaning stricter regulations and compliance requirements for vetting vendors.

Further implementation of Zero Trust structures will also occur, resulting in more identity-centric models such as multi-factor authentication, continuous authentication, etc.
