Why cyberdefense needs to underpin entire supply chains

With an ever-increasing number of suppliers plugging into connected equipment, objects and systems in your enterprise, the convergence of operational technology (OT) and information technology (IT) security is paramount to reduce risk. There is a growing need to take a preventative, defensive and detective approach to security.

By bringing operational and information technologies together through OT-IT convergence, enterprises can create greater customer value with smarter, connected business processes, products and services. In IT, applications, databases, networks and systems are used to gather information that helps users make business decisions. OT gathers information for decision-making purposes but also to monitor and change the “state” of an OT device, its outputs or environment. The combination of the two can be used to drive supply-chain-wide efficiencies.

OT is traditionally found in factories and industrial environments like oil and gas processing facilities. Supervisory control and data acquisition (SCADA) systems, part of industrial control systems (ICS), are used to ensure that a factory can maximize outputs and quality assurance while minimizing unscheduled downtime. Over time, the definition of operational technology has expanded to refer to a wide range of connected machinery and tools used in the construction, mining, logistics and retail sectors, among others.

OT monitors cyber-physical needs, enabling enterprises to achieve control objectives. This can include alerting engineers when a part in a crane on a construction site needs replacing, changing the temperature of air conditioning units in a retail store in response to the weather, keeping the flow of a liquid in an oil and gas pipeline at a defined pressure or temperature, as well as manufacturing a product to defined parameters and quality levels. Indeed, OT features in most office environments today as a result of the digitization of building automation systems that include CCTV and access control systems as well as HVAC (heating, ventilation and air conditioning) units.

Identifying the risks

In the past, OT was not networked and was managed separately from IT. Most of the tools for monitoring or adjusting physical equipment used closed, proprietary and dedicated protocols. Today, more and more OT systems are being Internet-enabled. Indeed, Forrester describes the IIoT (Industrial Internet of Things) as the key enabler of OT-IT convergence and the next generation of OT. A cyberattack on OT and IIoT infrastructure can have far-reaching consequences, including shutting down critical services, causing widespread environmental damage and even loss of human life.

In this new world, machines, raw materials, parts and finished goods are increasingly connected using IoT sensors, and data is continuously shared between enterprises and their external suppliers and customers. For example, machines on a factory floor or air conditioning units in a retail store can be connected to the Internet so that third-party vendors can perform remote diagnostics and predictive maintenance.

By 2020, Gartner predicts that we’ll see a 25 percent re-allocation of manufacturers' spending from "procure and maintain" capital equipment programs to "dynamic service models," where a recurrent fee is paid to suppliers for predictive maintenance. Known as a “servitization strategy,” the supplier sells an “outcome as a service” – the continuous operation of the equipment that underpins the business of a manufacturer, airline or construction firm.

“Orange Business refers to this as the ‘Internet of Enterprises’ era of business ecosystems in which people, objects, business processes and infrastructure are connected within an enterprise and across its supply chains,” observes Werner Reuss, Head of the IoT Industrial Vertical at Orange Business. “This creates efficiencies through real-time data insights but also introduces new security risks. Increasingly, OT and IIoT attacks happen when malicious actors get into an enterprise’s OT through an outside partner or provider.”

A massive 77% of enterprises with OT and ICS (Operational Technology and Industrial Control Systems) surveyed by the analyst firm Pierre Audoin Consultants said security is now a top priority. Targeted attacks and advanced persistent threats (APTs) are a particular concern.

In addition, third parties are one of the fastest growing risks to an enterprise’s sensitive data in all areas. According to the Ponemon Institute, 58% of enterprises admit to having experienced a data breach caused by one of their vendors or third parties. Yet less than half of enterprises said they believe managing third-party relationship risks is a priority. In addition, many breaches go undetected with 22% of enterprises admitting they don’t know if a third-party data breach had happened in the past twelve months.

“Considering the explosive growth of outsourced technology services and the rising volume of third parties, companies need to take control of their third-party exposure and implement safeguards and processes to reduce their vulnerability,” advises Dr. Larry Ponemon.

This is a key area of focus of Orange Cyberdefense, the Orange Group’s expert cybersecurity division. “We’re seeing a rising need for proactive, value chain cyberdefense from our customers,” commented Jean-Christophe Mathieu, Head of Industrial Security at Orange Cyberdefense. “This involves taking a protective, defensive and detective approach to securing data and critical business assets across all OT and IT functions, but also addressing the risks associated with connected supply chains.”

Learning the lessons from recent attacks

The Stuxnet worm is one of the best examples of a serious OT cyberattack that used Windows zero-day vulnerabilities to attack the maintenance and administration centrifuges of an Iranian nuclear factory. In recent history, hackers accessed the network of retail giant Target via a third party that was monitoring and servicing its heating, ventilation and air conditioning (HVAC) systems remotely over the Internet, enabling them to steal customer data.

In its 2018 Internet Security Threats report, Symantec reported a 200% increase in hackers injecting malware into supply chains. For example, a threat group called Xenotime – authors of the Trisis/Triton malware, which attacked an oil and gas company in Saudi Arabia – re-emerged last year and made several industrial control attacks on unnamed companies. The hijacking of software updates to systems was identified as a rapidly emerging way for attackers to gain an entry point into well-protected targets.

The OT security challenge

Gartner believes around 80% of the security issues faced by OT are almost identical to those faced by IT, while 20% are unique and cannot be ignored. Security-by-obscurity still reigns in many OT environments. Equipment is often left unpatched, either because it’s difficult to apply fixes to proprietary, non-IP systems or because equipment is too critical to operations or too expensive to be taken offline. Long replacement cycles on major pieces of industrial machinery increase risk exposure.

Werner notes that, “Most OT environments are brownfield sites where legacy OT and IIoT solutions will coexist for long into the foreseeable future. This means enterprises need to work with partners who understand both these worlds. This is a need Orange Business is able to meet through its partnerships around the world, including Siemens Mindsphere, the leading factory automation equipment provider, and GHD, the global professional services firm working in the mining, transport, water and smart cities sectors. Added to this are our strengths in security through Orange Cyberdefense.”

Enterprises often lack the in-house resources and expertise to deal with an unprecedented volume of increasingly sophisticated security threats. Adding to the complexity is the fact that OT systems traditionally have come under the responsibility of operational teams rather than IT and the CISO (Chief Information Security Officer) function. It can be difficult to bring siloed departments together.

According to Jean-Christophe, “There is a big problem with the lack of monitoring and analysis of supply chain partner access to OT systems. Enterprises often don’t record who is accessing their network or what type of communications are taking place and fail to carry out regular audits. Tied to this are poor incident response and recovery plans.”

A protective, defensive and detective approach to security

With over 2,100 security experts at 10 managed detection and response SOCs (Security Operations Centers), 16 managed security solution provider SOCs, 4 Computer Emergency Response Teams and 3 scrubbing centers around the world, Orange Cyberdefense has extensive expertise to address this need.

Recent acquisitions of SecureData and SecureLink have made Orange Cyberdefense the second largest provider of managed security services in Europe by revenue with over 3,700 customers. The company supports the entire OT-IT, IIoT and cloud risk lifecycle. For example, it identifies threats through security strategy consulting and audit services, including OT penetration testing which helps enterprises check if existing security measures are working effectively.

Multi-layered protection is available across the IT stack – spanning network, cloud, web and access device layers – to defend the enterprise’s critical assets and data from attack. Detecting advanced persistent threats and security breaches is a big area of strength. Analysts at the Orange Cyberdefense CyberSOCs then qualify, contain and remediate attacks, ensuring business continuity. And finally, the teams proactively hunt for threats and investigate to identify data breaches that have already occurred.

Most recently, Orange Cyberdefense has worked with the European branch of a major APAC automotive manufacturer to conduct an audit of OT-IT security risks and put in place a plan of action to mitigate them. OT incidents occurred in several factories. This drove the need to improve insight and visibility of the OT environment and understand the baseline security levels of different factories, identify gaps and define an action plan. As a next step, OT probes are being deployed to continuously monitor for threats.

In some instances, for example in a recent engagement with a Nordics engineering firm, Orange Cyberdefense can even provide a CISO-as-a-service solution to advise a company’s executive board about risks in the absence of a Chief Information Officer within the firm.

Other recent engagements include supporting an IoT-enabled distribution network and enabling OT companies to use public clouds with greater confidence by addressing end-to-end security needs.

Monitoring supply chain footprints

With the advent of the “Internet of Enterprises” era of business ecosystems, the rise of the Industrial Internet of Things and a plethora of new devices, knowing what and who is connected to your network will be critically important – and that includes all third parties.

The reality is that the OT threat landscape spans almost every industry, from manufacturing to oil and gas to retail and logistics. OT and IT convergence is inevitable as part of the Industry 4.0 and digital transformation trends. With the benefits of increasing connectivity comes more vulnerability – but the good news is these risks are manageable if the right security controls and policies are put in place.

Part two in this series outlines the 5 practical steps you can take to address OT, IoT and cloud security.

Join us at Gartner ITxpo, Barcelona, where we will be giving two keynote presentations on OT-IT convergence and security risks on Tuesday, 5 November 2019.