Making Operational Technology a Cybersecurity Priority

Why Manufacturers Must Make Operational Technology a Cybersecurity Priority in 2024

All it takes is a few lines of malicious code to damage critical manufacturing equipment and shut down operations for days, weeks and, in many cases, months. As of 2022, the manufacturing and distribution industry overtook the finance and insurance sector as the most targeted industry for cyberattacks. Increasingly, hackers are targeting operational technology (OT) as the access point to disrupt a business’s operations and revenues.

OT includes both hardware and software that’s used to monitor and control physical devices, processes and infrastructure. Today’s manufacturers rely on operational technology to increase automation, improve productivity and enhance data-driven insights. However, it often provides cybercriminals with an easy target.

Manufacturing and distribution companies focus on minimizing operational downtime. For many, this translates into keeping legacy equipment running despite inherent security risks. Historically, manufacturing equipment was built to operate standalone, collecting data, monitoring performance and posing little cybersecurity risk. In recent years, operational technology has become more interconnected, leveraging the firm’s network, enterprise IT platforms and the internet. While the increased connectivity produces improved efficiencies and enhanced data, it also creates significant cybersecurity gaps.

Understanding the OT Risks Facing Manufacturers & Distributors

Sophisticated, ever-evolving attacks can involve gaining access to the firm’s network, resulting in data breaches and ransomware demands. Other types of attacks render key OT equipment inoperable or cause defects in the components the machinery produces. With motivations that range from sabotage and financial gain to activism and industrial espionage, cybercriminals target OT that wasn’t designed with cybersecurity in mind.

For example, one major issue for many manufacturers is legacy equipment that runs on outdated, end-of-life operating systems. According to a survey of industry technology leaders, 86% reported having core OT functions running on outdated and unsupported operating systems. More than one in three say their business still uses Windows NT, which was released in 1993, with support discontinued as of 2004. Without regular software updates and security patches, operational technology is more vulnerable to cyberattacks.

The risks extend beyond a manufacturer’s or distributor’s facility and equipment. A supply chain vendor that’s shut down due to an attack on their OT has repercussions up and down the supply chain, but the risk doesn’t stop there. Across today’s interconnected supply chains, vendors can inadvertently pass along malware via automated data sharing and software updates. Or the hardware components supplied by the vendor can be compromised with embedded viruses or defects.

5 Essential Actions to Reduce OT Cybersecurity Risk

As manufacturing and distribution firms continue to embrace smart technology, their cybersecurity strategies need to evolve to encompass OT. Reducing the risk of OT-targeted cyberattacks and expensive downtime requires the implementation of a multi-layered security strategy.

1. Break down the silos between IT and OT.

While most operational technology historically operated in isolation, using specialized software, today’s OT is much more likely to converge with the firm’s information technology (IT) systems and networks. That means manufacturers need to create closer collaboration between IT and OT teams, which have traditionally operated separately. A good first step in making OT a central element of the firm’s cybersecurity strategy is to do a thorough cybersecurity governance assessment that evaluates the current working and reporting relationships between IT and OT.

2. Conduct a comprehensive OT risk assessment.

Next, review end-to-end OT processes to identify all technology that interacts with the network, including supply chain partners. Inventory the programmable logic controllers (PLCs), including how old they are, what operating systems they use and how they’re updated. Consider who has access to each OT component, who needs access and what the login security is. This type of detailed assessment identifies potential security gaps and provides a roadmap for enhancing OT cybersecurity.
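As an added illustration (not part of the original article), the Python sketch below turns the inventory questions in this step into checks over an asset list. The CSV columns, asset names, sample rows and the 15-year age threshold are all assumptions constructed for the example.

```python
import csv
import io
from datetime import date

# Constructed inventory export: every asset name and value is illustrative.
SAMPLE_INVENTORY = """\
asset,installed,os,os_supported,update_method,accounts_with_access,accounts_needing_access,login
press-line-plc-01,2006-03-01,Windows NT 4.0,no,none,14,3,shared password
packaging-plc-02,2019-08-15,vendor firmware 4.2,yes,vendor-signed package,4,4,individual accounts + MFA
hmi-station-03,2012-01-10,Windows 7,no,manual USB,6,2,individual accounts
"""

MAX_AGE_YEARS = 15  # assumed review threshold, not a figure from the article


def assess(row, today):
    """Return the security gaps for one inventory row, following the step-2 questions."""
    findings = []
    age = (today - date.fromisoformat(row["installed"])).days // 365
    if age > MAX_AGE_YEARS:
        findings.append(f"in service {age} years")
    if row["os_supported"].strip().lower() != "yes":
        findings.append(f"unsupported OS: {row['os']}")
    if row["update_method"].strip().lower() in ("", "none", "unknown"):
        findings.append("no defined update path")
    excess = int(row["accounts_with_access"]) - int(row["accounts_needing_access"])
    if excess > 0:
        findings.append(f"{excess} accounts have access they do not need")
    if "shared" in row["login"].lower():
        findings.append("shared login credentials")
    return findings


def assess_inventory(text, today):
    """Parse the CSV and return {asset: findings}, worst asset first."""
    rows = csv.DictReader(io.StringIO(text))
    report = {row["asset"]: assess(row, today) for row in rows}
    return dict(sorted(report.items(), key=lambda item: len(item[1]), reverse=True))


if __name__ == "__main__":
    for asset, findings in assess_inventory(SAMPLE_INVENTORY, date(2024, 1, 1)).items():
        print(f"{asset}: {'; '.join(findings) or 'no gaps found'}")
```

Sorting by number of findings gives the assessment team a first-pass priority order for the roadmap.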

3. Recognize that OT cybersecurity solutions are different.

Addressing OT security gaps will require different solutions than traditional IT strategies. While OT cybersecurity can leverage IT solutions, the strategies must also take into account the unique requirements of manufacturing processes. For example, protecting PLCs at the device level is nearly impossible. Instead, companies utilizing OT equipment need to design segmented networks that create secure “islands” where the devices live but also make it very difficult to get to them. This way, if a virus impacts a PLC, it’s less likely to spread to the entire line or across facilities.
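To make the "island" idea concrete, the following added Python example (not from the original article) audits a set of zone-to-zone allow rules: it flags any rule that reaches a PLC island from somewhere other than its designated conduit zone, and shows the shortest chain of allowed connections from an untrusted zone to each island. The zone names, services and rules are constructed for the example.

```python
from collections import deque

# Constructed zone-to-zone allow rules: (source zone, destination zone, service).
ALLOW_RULES = [
    ("internet", "dmz", "https"),
    ("dmz", "enterprise_it", "https"),
    ("enterprise_it", "ot_dmz", "rdp"),
    ("ot_dmz", "plc_island_line1", "engineering"),
    ("enterprise_it", "plc_island_line2", "smb"),     # bypasses the OT DMZ
    ("plc_island_line1", "plc_island_line2", "any"),  # island-to-island link
]
ISLANDS = {"plc_island_line1", "plc_island_line2"}
CONDUIT = "ot_dmz"  # assumed: the only zone allowed to talk to an island


def build_graph(rules):
    """Map each source zone to the set of zones it is allowed to reach."""
    graph = {}
    for src, dst, _service in rules:
        graph.setdefault(src, set()).add(dst)
    return graph


def shortest_path(graph, start, goal):
    """Breadth-first search; returns the shortest chain of zones or None."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == goal:
            return path
        for nxt in sorted(graph.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def audit(rules, islands, conduit, untrusted="internet"):
    """Return (rules that break island isolation, exposure path per island)."""
    graph = build_graph(rules)
    direct = sorted(r for r in rules if r[1] in islands and r[0] != conduit)
    exposure = {i: shortest_path(graph, untrusted, i) for i in sorted(islands)}
    return direct, exposure


if __name__ == "__main__":
    direct, exposure = audit(ALLOW_RULES, ISLANDS, CONDUIT)
    for src, dst, svc in direct:
        print(f"VIOLATION: {src} -> {dst} ({svc}) does not pass through {CONDUIT}")
    for island, path in exposure.items():
        print(f"{island}: {' -> '.join(path) if path else 'unreachable'}")
```

On the sample rules, the second island is one hop closer to the internet than the first because of the rule that skips the OT DMZ, and the island-to-island rule is what would let a problem on one line spread to the other.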


4. Analyze the potential business impact and mitigation strategies.

It’s important to regularly ask “what if?” and engage the team in determining the implications and the steps they would need to take. Working with expert advisors, manufacturers and distributors can stage a realistic attack — tailored to the organization — to help increase awareness of different risks, define the potential impact and brainstorm the best ways to respond. The data and insights captured during these types of tabletop exercises can also be used to calculate the potential business costs, refine existing cybersecurity measures and enhance future mitigation strategies.

5. Prepare for OT cybersecurity regulations.

While there are not extensive regulatory requirements for manufacturers related to OT security in place today, more scrutiny is likely coming. In 2019, suppliers and contractors working with the Department of Defense (DOD) were introduced to the Cybersecurity Maturity Model Certification (CMMC), which, though not law, aligns with the National Institute of Standards and Technology (NIST) Guide to Operational Technology Security that was updated in September 2023. Since it typically takes firms years to assess and address OT security, the NIST guidelines offer a framework to help manufacturers and distributors stay ahead of potential regulatory requirements.

The cybersecurity and manufacturing and distribution industry experts at CBIZ can help your firm assess its operational technology risks and optimize cybersecurity strategies to close gaps and limit operational downtime. Connect with a member of our team and gain access to more resources here.

This article includes input from Jeremy Price, Managing Director, CBIZ Risk & Advisory National Cybersecurity Practice, and Curtis Griffin, CBIZ Senior Manager and OT Cybersecurity Expert. Together, their teams provide expertise in information technology and operational technology.
