Image Credit: Cessna152 / Shutterstock

Bad actors target manufacturing, processing plants and utilities as open targets because the operational technology (OT) and IT integrations used do not provide the security needed to protect the core systems that run plants. By taking advantage of wide security gaps between IT, OT and industrial control systems (ICS) that weren’t designed for securing operations, bad actors seize the opportunity to launch ransomware attacks.

Sometimes even large-scale attacks, including those on Colonial Pipeline and JBS Foods, which illustrate the vulnerability of plants, utilities and systems, are the result of IT and OT systems’ security gaps that bad actors tend to exploit.

IT/OT gaps lead to security breaches

Processing plants, utilities, manufacturers and supply chains that rely on IT and OT systems have tech stacks designed for speed, efficiency and shop floor control. Unfortunately, ICS, IT, OT and legacy enterprise resource planning (ERP) systems are not typically designed with security as a primary goal. As a result, the tech stacks built on these systems have wide IT/OT security gaps where implicit trust leaves them vulnerable to attacks. 

Eighty-six percent of process and discrete manufacturers report having limited visibility into their ICS environments, making them an open target for cyberattacks. At the system level, a typical ICS is difficult to retrofit and enable more robust tools like zero-trust network access (ZTNA) at the application level. As a result, these systems become targets for bad actors who can scan IT and OT infrastructure and tech stacks and find open services, IP addresses and other endpoints that are entirely unprotected. This is such a problem that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert earlier this year warning of such attacks targeting ICS and SCADA devices.  

A recent survey by the SANS Institute, in collaboration with Nozomi Networks, found that the most prominent challenge organizations report with securing OT technologies and processes is integrating legacy and aging OT technology with modern IT systems. 

“With the evolution of new attack frameworks, legacy devices, evolving technology options and resource constraints, the biggest challenge with securing control systems technologies and processes is the technical integration of legacy and aging ICS/OT technology with modern IT systems,” the survey’s authors write. “Facilities are confronted with the fact that traditional IT security technologies are not designed for control systems and cause disruption in ICS/OT environments, and they need direction on prioritizing ICS-specific controls to protect their priority assets.”

Fifty-four percent said it is the greatest challenge they face in securing their operations today, followed by traditional IT security technologies not being designed for control systems and causing disruption in OT environments. Additionally, 39% of the respondents say ransomware is the most significant concern regarding attacks on their ICS- and OT-based infrastructure. 

Gaps between OT and IT systems leave processing plants and utilities vulnerable to attacks. Bad actors see the system disconnects as an opportunity to take advantage of little to no visibility plant-wide. Source: The State of ICS/OT Cybersecurity in 2022 and Beyond

The SANs study also points out that several ICS facilities fell victim to the Ekans ICS-tailored ransomware. Notable companies, including Honda and multinational energy company Enel Group, where the adversary group demanded $14 million in ransom for the decryption key and to prevent the attackers from releasing terabytes of stolen data.

Honeywell helps close gaps with zero trust 

Getting zero trust right across manufacturing and processing plants and utilities optimized for OT and ICS systems is a challenge because, unlike traditional IT stacks and network infrastructure that have endpoints with an OS or firmware installed, OT and ICS-based systems rely on programmable logic controllers (PLCs) to monitor plant and machinery process performance. 

Infrastructure operators that keep water treatment, electrical utilities and process manufacturing plants running rely on supervisory control and data acquisition (SCADA) systems that are designed for monitoring, not security. Defending the availability, reliability and safety of their industrial control systems and operations can become more challenging as new processes are added to an existing plant.

Upwards of 85 vendors are vying to provide zero-trust capabilities to processing plants and utilities by offering endpoint detection and response (EDR), managed services, and cloud-based platforms for running entire processing operations. One player in the space, Honeywell, differentiates itself by how much data it can capture across diverse networks and interpret it in real time to avert intrusions and breaches. 

“Honeywell was the organization that had cybersecurity experts who were able to reach our target. With our OT DCS engineers, their mentality, and existing collaboration with Honeywell engineers, we had a solid foundation to build on,” Ioannis Minoyiannis, head of automation at Motor Oil, said on Honeywell’s website.

Earlier this month, at the company’s Honeywell Connect 22 event, it introduced two advances in its cybersecurity solutions aimed at helping processing plants and utilities progress on ZTNA framework initiatives. Additionally, its Advanced Monitoring and Incident Response (AMIR) managed service added dashboard visibility.

Providing greater visibility and control over threat detection, security monitoring, alerting and incident response based on security information and event management (SIEM) and security orchestration and automation and response (SOAR) capabilities, Honeywell helps process manufacturers and utilities build out ZTNA frameworks.  

By identifying and responding to threats faster with early threat detection, threat hunting, remediation and incident response, AMIR managed services helps manufacturers make progress on their ZTNA initiatives. Additionally, threat notifications and guidance help harden endpoints and give any organization insight into how best to segment networks in the future while enforcing least-privileged access.

Honeywell’s AMIR managed service is a step in the direction of treating every identity and endpoint as a new security perimeter for a processing plant, manufacturer or utility. 

Honeywell’s AMIR managed service workflow helps close IT/OT gaps while providing the intelligence and insight processing plants, utilities and manufacturers need to make progress on their ZTNA initiatives. Source: Honeywell.

Honeywell’s service is for all ICS assets, regardless of manufacturer

Keeping the design criteria for ZTNA frameworks as defined by NIST standards, Honeywell’s AMIR managed service is vendor-neutral, supporting both Honeywell and non-Honeywell assets on an ICS network. The AMIR managed service is designed to help mitigate complex OT security incidents, threats and cyberattacks through incident response support provided by Honeywell’s security professionals.

Information and updates are also provided via automated and immediate custom alerts and routine trend reports. In addition, the company designed the enterprise dashboard to provide customers with support 24/7.

“AMIR helps fill a major security gap that many industrial customers currently face: the inability to monitor OT environments 24/7 and proactively detect and respond to evolving threats,” said Jeff Zindel, vice president and general manager of Honeywell cybersecurity. “The addition of an AMIR dashboard offers customers enhanced visibility to know the status of identified incidents and the steps being taken by Honeywell OT cyber professionals to help respond to active threats.”

Cyber App Control, previously known as Application Whitelisting, was also introduced, with vendor-agnostic support for both Honeywell and non-Honeywell control systems. It is designed to provide an additional security layer that ensures only known and trusted applications can run on ICS assets. The National Institute of Standards and Technology (NIST) considers Cyber App Control essential for OT security.

Cyber App Control uses the latest software release from security specialist VMware Carbon Black, with special rules and configurations crafted specifically for OT environments, developed by Honeywell’s OT Cybersecurity Centers of Excellence and Innovation. 

Prioritizing ZTNA for the future

Bad actors will continue to prioritize the softest targets that deliver the largest ransomware payments, beginning with processing and utility plants that are core to supply chains. Locking up a supply chain with ransomware is the payout multiplier that attackers want because manufacturers often pay up to keep their businesses operating.

Any business that integrates OT, IT and ICS systems may want to examine the benefits of pursuing a ZTNA-based framework to secure its infrastructure. Implementing a ZTNA framework doesn’t have to be expensive or require an entire staff. Gartner’s 2022 Market Guide for Zero Trust Network Access is one reference that can define guardrails for any ZTNA framework. With every identity a new security perimeter, manufacturers must prioritize ZTNA going into 2023.