Tag Archives: operational technology

By Willem Ryan

Data breaches, ransomware attacks and now, operational shutdowns. Recent events bear out that cyber strikes are not reserved solely to data breaches and IT systems but now include Operational Technology (OT) and industrial controls to disrupt operations, distribution and the entire food supply chain.

JBS Foods, the one of the world’s largest meat producers, was leveled by a cyberattack in early June, affecting U.S. and Australia operations. In a public statement, the organization revealed that it paid the equivalent of $11 million in ransom in response to the criminal hack against its operations. “At the time of payment, the vast majority of the company’s facilities were operational. In consultation with internal IT professionals and third-party cybersecurity experts, the company made the decision to mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated,” according to company documents.

There’s a security divide that shouldn’t be there—distinct lines between Cyber, OT and physical security teams that has resulted in disjointed and ineffective detection, mitigation and response to risk—forged by years of siloed departments.

It’s not a new problem—in fact the vulnerability of the critical infrastructure has been a discussion for decades. Moving to a converged approach across all departments, including HR, IT/cyber and OT/SCADA can effectively secure our most critical food production and distribution resources while actively enforcing compliance and company policies. Identity and Access is at the center of it all and the best way to holistically protect the enterprise.

In the example of high-profile enterprise Molson-Coors, a cyberattack in March centered on ransomware. In its SEC filing after the event, the beverage giant stated that the attack “has caused and may continue to cause a delay or disruption to parts of the company’s business,” which includes brewery operations, production and shipping.

The February attack on a Florida Water Treatment plant, hacked by compromise to a remote access software program on a facility computer, is still another stark reminder of the growing dangers of cyber-physical threats and that even employees can be part of the problem.

You can see just how fragile and vulnerable our supply chains and critical business processes have become. Cybercriminals now realize how disruptive and lucrative attacks targeting these systems can be so they will continue unabated without immediate stop-gaps.

Because these attacks have become blended and omni-present on every part of the critical infrastructure, executives need to move beyond IT-centric cybersecurity to minimize supply threats. This emergence of new attack vectors has other implications. It highlights the dire need to transition from siloed IT, OT, HR and physical security to a converged approach, yet executives remain at odds with how to execute this while working in their own bubbles.

The threat has become even greater than the organization itself. According to predictions by Gartner liability for cyber-physical security incidents will “pierce the corporate veil to personal liability,” for 75% of CEOs by 2024.

Security Convergence Key Ingredient to Digital Transformation

As the food industry continues to digitally transform, systems and processes move to rapidly connect. Security convergence, centered around identity and access governance, links all these separate departments and operations, so communications and processes actively and collectively address and shore up risk preemptively. Events, exceptions, alerts, alarms and targeted attacks on all points, including the network, control systems and physical security can be integrated for a coordinated and cohesive response.

Securing our most important critical resource—the food supply chain—means correlating threats across underlying HR, IT, physical security and OT used in production and processing. Physical access control and identity now links to specialized plant applications like manufacturing execution systems (MES), plant historians and demand management from ERP that can deliver information directly to production. Monitoring insider and contractor access to modifying batch recipes provides alerts and detection when the addition of a preservative has been suppressed, causing a contaminated batch to be produced, for example.

Integrating seamlessly with HR applications, converged software further prevents insider threat by automating background checks and risk analysis during the on-boarding and off-boarding process for employees and contractors.

The threat landscape today demands a single solution to manage operational risk and security. The following just one example of how this converged approach works.

A fictitious company named Big Food was dealing with disgruntled production foreman Tom. Tom not only had physical access to the production floor, but was intimately familiar with the control system settings to configure recipes for the MES.

Security software’s real-time link to SAP SuccessFactors HCM provided critical real-time data that identified Tom’s history of workplace issues. When Tom accessed the plant area after his normal shift hours, the security platform detected that he was making unusual changes to the production settings to eliminate the addition of preservatives. An alert was immediately sent to security operations staff as well as the plant manager. Incident prevented, with huge savings from avoided downtime and protection from loss of reputation to the company brand.

The food and beverage industry must meet high quality standards and adhere to rapid production cycles to preserve nutrition value and freshness. Convergence and automation are the keys to achieving these goals. As OT and IT networks become increasingly interconnected, OT environments become more exposed to cyber-physical attacks, which can result in tainted products, downtime and revenue losses. Security solutions secure enterprise IT applications and plant applications deliver continuous monitoring that prevents sabotage, acts of terrorism and other malicious acts. There’s also the ability to manage other supply chain risks, including changes to master data and transactions as well as the movement of goods and arrival notifications requirements by the FDA.

Today’s malicious actors don’t think in silos but most companies still do. As security and technology leaders we are compelled to rise and meet the challenge. It’s clear that only a converged approach, beyond IT-centric cybersecurity, is the way forward.

February 21, 2020

FST Soapbox

Cybersecurity for Food and Beverage Operational Technology (OT) Environments

By Craig Reeds

No Comments

Much of the attention that cybersecurity gets is on the IT or office network side of things, but recently people have begun paying more attention to operational technology (OT) systems that make up the country’s critical infrastructure. When people think of critical infrastructure, they automatically think of oil and gas, power generation, and water. Many people don’t realize that there are actually 16 critical infrastructure industries:

Energy
Financial
Dams
Defense
Critical Manufacturing
Water and Wastewater
Food and Agriculture
Healthcare
Government Facilities
Commercial Facilities
Transportation
Emergency Services
Chemical
Communications
Nuclear
Information Technology

One of the easily forgotten, but perhaps most important, is food and beverage manufacturing. A cyber attack on a food and beverage company might not result in the lights going out or clouds of toxic gas, but they could result in explosions, or tainted food. We need to start paying more attention to cybersecurity in the food and beverage industry. What would happen if a hacker got into the control system at a frozen foods distribution facility? They could raise the temperature in the freezers, thaw the food and then refreeze it. This could result in food poisoning for hundreds or thousands of people. Bad actors can do a lot of harm by targeting this sector.

Many companies are pushing to combine their IT and OT departments, something they call IT/OT convergence. This can be done, but you need to first understand that IT and OT have differing goals.

It is important to review the organizational structure. You will typically find that both IT and OT report organizationally to the CEO level. We also find senior management believes IT owns the industrial control system (ICS) networks and security—mainly because IT owns support, maintenance & operational budget for network and security (basically letting OT off the hook).

IT’s primary goals are confidentiality, integrity and availability, the CIA triad. While working toward these objectives IT also tries to make it possible for users to access the network from any location from which they are working, using whatever computing device they have with them. The goal is to make it as easy to work from an airport, hotel room or coffee shop as it is to work in the office itself. Technology is updated and replaced often. Service packs are loaded, new software releases are loaded, and bugs are fixed.

OT’s primary goals are availability, integrity and confidentiality—a complete reversal of the CIA triad. They strive to keep production running, be it an electric utility, an oil rig or a pop-tart factory 24/7/365. OT is all about what works, a “We’ve always done it that way” mentality. OT will always be reluctant to make any change that might bring down the production line. Remember, they are graded on widgets per minute. There must be trust and open communication between IT and OT if things are going to work properly.

When we are talking about OT cybersecurity, we usually use terms like secure or prevent, when we really should be thinking about words like containment. Securing the network and preventing attacks is important, but at some point, an attack will get past your defenses. Then it is a matter of containment: How do we keep the problem from spreading to other networks?

One thing to definitely avoid is the desire by IT to have bi-directional communications between the IT and OT networks—this should never happen. Also, avoid the desire to connect the ICS to the Internet so that you can control the process remotely. There is no reason for the plant manager to be able to go home, have a couple beers and then log on to see if he can make things run better. If the control system is going to be connected to the corporate IT or the Internet, it should only have out-going uni-directional data transmission to allow monitoring of the system.

Building a good OT cybersecurity program, you need to do three things:

Get C-Level support and buy-in for the changes to be made.
Communicate with stakeholders and vendors.
Make decisions as a team, make sure all the stakeholders, IT, OT, engineering are all involved.

After you have set up the structure and started communicating, you need to begin cybersecurity awareness training for the OT staff. This training should be focused on educating plant personnel on what cybersecurity is, both at work and at home, and how to respond or escalate something that seems wrong. They need to be trained what needs to be dealt with immediately and what can wait. Consider doing tabletop exercises where you practice what to do when certain things occur. This can act as a stress test for your incident response plan and help find the holes in your plan and procedures. These tabletop exercises should involve C-suite individuals as well as people from the plant floor, so everyone understand their part in a cyber-attack response.

If these concepts are followed, you will be well on your way to creating a much more cyber-secure production environment.

Security Convergence Key Ingredient to Digital Transformation

How We Use Cookies