Stephen M. Perry, Ph.D.
Contributor
Roman Havriliak, Chief Cybersecurity Coach, FSO Institute
During a recent meeting, FSO Institute’s Manufacturing Health Roundtable (MHRT) explored the importance of cybersecurity, especially threats to operational technology (OT) in manufacturing, to business continuity.
What follows are a few key points from that discussion and some operational insights from FSO Institute Coach Roman Havriliak, formerly of Pfizer and an information technology thought leader.
1. Some alarming signs
Reports from OT cybersecurity thought leaders at Dragos paint an alarming picture of the cybersecurity threats facing food and beverage manufacturers. Just a few months ago, multiple organizations, including the EPA, NSA, USDA, and FDA, urgently warned of current threats to OT manufacturing systems. By region, North America had a disproportionate number of ransomware incidents (187) in Q2/2024, compared with the next highest region, Europe, at 82.
Manufacturing leads the way in ransomware incidents by ICS (Industrial Control Systems) sector, registering 210 incidents in Q2/2024, with transportation, government, and oil and gas trailing significantly. Ransomware incidents by manufacturing subsector in Q2/2024 were led by construction (33), followed closely by consumer food and beverage (27). MHRT members shared some of their own experiences with cybersecurity disruptions, both direct (their own company) and indirect (their supplier companies), that underscored the significance of this issue for business continuity.
2. Bridging the IT/OT divide to mitigate the threat
MHRT members are unanimous in their belief that collaboration between information technology (IT) and operational technology (OT) is critical to mitigating cybersecurity threats to manufacturing. One of the most useful tools for bridging this divide comes from the PMMI MaX Forum, which recently published a work document, Bridging the IT-OT Gap on Cybersecurity. The document highlights the key differences and compatibilities of the two domains, including:
Corporate functions and operating systems covered – common corporate functions (IT) versus systems that focus on the physical transformation of a product (OT).
End point being managed – a human using a computing device (IT) versus physical assets such as pumps, motors, and valves (OT).
Purpose of software applications – people-centric, helping people do their jobs (IT) versus device-centric, helping make product by controlling physical equipment (OT).
Type of data processing – transactional (IT) versus real time (OT).
Highest priorities – data security, integrity, and availability (IT) versus production operations and customer deadlines (OT).
To sum it up, IT focuses on data and communications while OT focuses on machine behavior and outcomes. The document also highlights the constraints placed on both IT and OT and presents solutions for overcoming them.
3. Implementing a framework for managing cybersecurity risk
The MHRT shared some of the challenges they have faced with cybersecurity threats and the solutions they have adopted. Most of these fall into what is perhaps one of the most useful frameworks for managing cybersecurity risk, the NIST Cybersecurity Framework (CSF) 2.0, published in February 2024. The National Institute of Standards and Technology (NIST) is a governmental agency responsible for advancing technology and security standards within the United States. Here’s a brief description of each element of the framework:
Govern – Ensuring that the organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.
Identify – Ensuring that the organization’s current cybersecurity risks are described and understood.
Protect – Ensuring that safeguards to manage the organization’s cybersecurity risks are used.
Detect – Ensuring that possible cybersecurity attacks and compromises are found and analyzed.
Respond – Ensuring that actions regarding a detected cybersecurity incident are taken.
Recover – Ensuring that assets and operations affected by a cybersecurity incident are restored.
FSO INSTITUTE: Roman, do you have any additional thoughts regarding cybersecurity threats to food and beverage manufacturers?
Havriliak: A growing trend in the industry is the increased use of cloud-based services to support manufacturing processes. For example, IoT devices are becoming more prevalent in various operations, from security monitoring to process management. Many of these devices utilize cloud-based services to provide comprehensive capabilities. However, with the use of these devices, more and more operational technology (OT) data is exposed outside the organization’s firewall, thereby increasing the risk to both operations and data integrity.
Another example is the expanding use of external supply chains. Many manufacturing companies rely on Contract Manufacturing Organizations (CMOs) to supplement their internal supply chains, which requires the exchange of manufacturing data, including recipe information and other intellectual property. Statistics show that almost 60% of data breaches are caused by compromised suppliers or third-party partners. Without proper consideration of a third party’s cybersecurity practices, there is significant risk. In fact, attacks on third parties often aim to “tunnel” into another company’s network through weak security between partners.
FSO INSTITUTE: From your own experience, what have you found to be most effective in bridging the gap between IT and OT in order to prevent and/or respond to cyber threats?
Havriliak: Robust governance ensures a holistic approach to addressing enterprise risks. This area is often the least mature within cybersecurity management and is one of the more challenging aspects to address. Since cybersecurity involves all parts of the organization, it requires a cybersecurity structure that reflects this extensive threat surface. Traditionally, a company’s cyber organization is fragmented across various business lines and layers, which generates inconsistencies and potential gaps in the enterprise’s security defenses. Consolidating such an environment into a unified enterprise cyber culture is a difficult task.
Another challenge is that IT cybersecurity is typically more mature and better understood than the company’s OT environment. A company’s IT systems have been traditional targets for many years, and as a result, IT vulnerabilities are well recognized, with mitigating solutions readily available. OT architectures, on the other hand, are less understood and often rely on separate technical organizations—such as the engineering department—for support. Furthermore, IT and OT often report to different organizational units, leading to separate strategies for managing cyber risks.
By establishing an enterprise-wide cybersecurity organization that potentially employs a Defense-in-Depth (DiD) type of approach, many of the concerns related to OT and IT can be effectively addressed.
FSO INSTITUTE: Can you describe an actual cybersecurity experience using the NIST model?
Havriliak: A significant incident occurred between a manufacturer and a key vendor, both of which had implemented robust NIST-based cybersecurity frameworks. Governance was established, cybersecurity risk management strategies were in place, and business risks were understood. Safeguards were implemented to protect assets, with risks identified and priorities defined. Vendors were screened as part of a cybersecurity audit before sharing any data.
During routine Dark Web surveillance, it was discovered that the vendor had suffered a compromise, and data was being offered for sale. This triggered a cyber incident response process, bringing together key stakeholders to triage the incident. The goal was to identify vulnerabilities to the manufacturer and secure affected assets, including reviewing integrated systems and understanding shared data.
After the triage, the manufacturer decided to disconnect all interfaces and disable accounts related to the vendor, impacting over 70 systems. The manufacturer then contacted the vendor to understand the breach. They identified it as confined to one cloud service, where credentials to a storage bucket had been compromised. The threat actor was expelled, and the environment was restored from backups. Agreements were reached to destroy the exfiltrated data.
In summary, the NIST-based frameworks enabled both companies to effectively respond before any significant business impact occurred.