The biggest challenge to adopting security tech in manufacturing
The manufacturing sector continues to be one of the most appealing targets for hackers. It has the largest average payout for a ransomware attack and the consequences are too visible and disruptive to ignore. The result: companies are much more likely to pay ransoms and meet demands. Not only is it an extremely profitable sector for hackers to exploit, but changes in operational technology are also broadening the attack surface almost exponentially. With so many digital and technological changes, legacy software is being intermixed with new software and revealing latent security gaps. Technology that was once safe in the perimeter is now opened up to broader access, making it even easier for hackers to find and infiltrate critical access points. Just imagine the scenario where a factory worker accidentally enables connectivity for a PLC that has, since installation years ago, only been accessible locally but is now connected to the local network, which is now connected to the internet. Without knowing it, that employee just opened up a new vector for bad actors and created a vulnerability in the factory’s security infrastructure with the toggle of a switch.
How to address manufacturing vulnerabilities
Some of these vulnerabilities are unavoidable. Smart factories are on the rise — a trend known as the Fourth Industrial Revolution, or Industry 4.0. It’s only a matter of time before plants, critical infrastructure, and factories evolve into more interconnected and digital spaces. The old, traditional perimeter no longer exists. The choice to connect or not to connect new equipment will vanish. Even more so, a manufacturer’s critical assets could now be outside of the perimeter walls, meaning those assets are no longer safe via traditional means. To combat the threats manufacturers face, a different approach is needed. The term "zero trust" is making its way across cybersecurity space because it meets the needs of this “different” approach. When trying to implement technologies that support zero trust, you’re researching, investing in, and installing technology that can granularly control all user access. This looks like remote access tools that allow you to put time-based controls on a user’s session, MFA tools that don’t just stop at two factors and include detailed vetting like employment verification, and credential management that stores passwords, automatically rotates them, and “masks and passes” them as a user logs into a system so credentials are never seen. These technologies are just a few that support the zero trust architecture, aiming to help rapidly mature the security programs of corporations around the world now that we see our traditional perimeters vanish. However, these “newer” and “different” tools and methodologies are much more complex than traditional security approaches — which often can be a cause of friction for companies trying to adopt them or seem impossible to adopt for the understaffed teams charged with implementing them.
The need for streamlined security technology
There’s a large opportunity for resistance when adopting technologies built for securing assets in place of the traditional perimeter. If implementation isn’t streamlined and fast, that technology has a greater and greater chance of being misused, “placed on the shelf,” or completely thrown away — even if the technology is necessary to fulfill security requirements and close vulnerability gaps. We often see that the burden to implement overwhelms the value of implementing in the first place. A classic axiom of engineering is to “optimize with constraints,” and it is the challenge of solutions providers to ensure these newer, necessary security controls are not so burdensome to implement. Most have not risen to this challenge. Let’s think about this in terms of an analogy with furniture that everyone can relate to. Let’s say you’re newly working from home (just pretend with me for a moment) and are in deep need of a desk (the dining room table just isn’t cutting it anymore). Three scenarios flash in front of your mind:
- Go to IKEA, grab a desk, bring it home, assemble it in less than an hour, and get back to work only a few hundred dollars lighter.
- Go to a lumberyard, select the appropriate wood, go to a hardware store, select the appropriate hardware, go to a home improvement store, and select the tools you’re missing. Get home, spend the next few days or weeks building a great desk, then get back to work. You end up with a decent (albeit quirky) desk for a decent amount of money, but at a large expense to your time and labor.
- Order something off Restoration Hardware’s website and have it delivered, already assembled. It may cost 20 times more than the IKEA desk, but it certainly was light on your time.
For implementing zero trust, most people probably feel like option 2 is the only option, i.e. find all the different components needed and build from scratch. Others might feel like they’ve found a solution like option 3 via a third party, but it comes with a hefty price tag. Most will not feel like option 1 exists when trying to close the security gaps presented by the vanishing perimeter. Not to say there is an issue with scenario 2 or scenario 3, but creating a viable scenario 1 for this new generation of security needs is the challenge technology needs to address. Streamlining technology so organizations can more easily adopt security practices is the most effective way to ensure the continued security of the broader community of organizations.
This post originally appeared in Data Breach Today.