Visibility Into ICS and OT Technology Is Critical
Food and beverage manufacturers are wrestling with how to implement stronger cybersecurity measures as their industry becomes an attractive target for cybercriminals. The gradual embrace of new technologies, including Internet of Things (IoT) devices, throughout the industry opens them up to the villains of the world – but it also creates opportunities to build security that addresses threats before they become significant events.
The need for better cyber defenses is particularly clear in the wake of several attacks in 2021, most notably the ransomware attack on JBS USA on Memorial Day weekend. The attack shut down JBS processing facilities in six states, Australia and Canada, and had a significant negative effect on the U.S. food supply chain, since the company’s plants process 25% of the beef and 20% of the pork in the country.
A timeline of the attack revealed that it actually started much earlier. A Russian ransomware gang began probing JBS’ networks in February 2021, and spent three months exfiltrating company data – potentially as much as five terabytes – before launching the attack, shutting down the company’s systems and demanding payment to restore them. It cost JBS $11 million to pay the ransom, plus lost sales, disruptions to their distribution system, and reputational damage.
Food Processing magazine hosted a recent webinar with Dragos, which specializes in industrial cybersecurity for OT environments, to provide a framework for the food industry to consider how to improve cybersecurity and identify threats before they become significant events.
What Are the Risks to the Industry?
As the JBS example above illustrates, food and beverage manufacturers face the same challenges that the entire industrial sector faces. These include weaknesses in IT cybersecurity, such as credential theft that allows a bad actor to get into corporate systems, not knowing where there may be an unidentified connection between those systems and factory OT systems, and not patching or replacing industrial control systems (ICS) with known vulnerabilities, to name a few.
Ransomware has been around for some time, but it is front-of-mind for the private sector after high-profile attacks across industries. While it may be the most visible threat currently to the food processing industry, what if instead of demanding payment to unlock corporate systems, a hostile party infiltrates those systems and compromises worker safety or even the safety of the products being made? Or what if they steal and then sell proprietary data regarding formulations, ingredients or sales forecasts on the dark web?
“Building automation system access … is one of the bigger aspects of food and beverage,” Kyle O’Meara, principal adversary hunter with Dragos, told the webinar participants. Any kind of third-party access into a company’s OT environment provides an opening to adversaries, “especially if you’re not monitoring and paying attention to what’s going on,” he pointed out. And companies usually know next to nothing about what security measures their third-party providers are taking.
Another threat is from an insider, O’Meara said. “This individual might have access to information that they shouldn’t have access to. A disgruntled former employee may be able to gather all the information about your crown jewel assets … or gather information about your networks and things like that, and then take that with them to sell to competitors.”
Steps to Address IT/OT Weaknesses
Miriam Lorbert, senior industrial consultant for Dragos, told the participants that they “probably know and understand that the key to doing anything successfully within an organization is having good relationships between key groups and stakeholders … So our recommendations for a successful OT cybersecurity journey starts with building a strong foundation with your executive team and key stakeholders.”
With that foundation, Lorbert laid out some milestones.:
- Put together a plan about what needs to be done
- Identify a path to move forward
- Prioritize what key actions on that path are
- Define what needs to be accomplished to execute the plan
- Build collaboration between IT and OT groups
“Those are the two groups that are really going to be carrying out everything that you need to make sure you have a defensible architecture,” so ensuring their relationship is strong and all their members agree on steps moving forward is critical, Lorbert said.
Dragos recently released a report on what it considers to be the five critical control areas where it recommends installing mitigating controls for effective OT cybersecurity, Lorbert said.
First among them, having an ICS-specific incident response plan is crucial, she said. “Many companies probably already have an incident response plan, but it may not include operational technology or industrial control systems’ specific attributes.” There are many differences between IT and OT infrastructure. For example, there are different device and asset types, communication protocols, tactics, techniques and procedures for each type of infrastructure. The response plan should include how to manage the potential impact of an incident that impacts either side.
Having a defensible architecture also is essential. “This is what can help you harden your environment,” Lorbert said. “It can detract or completely prevent an adversary from gaining access.” Actions include removing extraneous OT network access points and maintaining strong policy controls at IT/OT interfaces.
Mitigating high-risk vulnerabilities is important, and Lorbert recommended subscribing to information sharing or intelligence sharing organizations that will provide notifications about those types of vulnerabilities when they are discovered. They can be matched against the priorities set in the action plan to determine if they should be dealt with immediately. One area that requires attention is committing the people and resources to undertake mitigation and maintain and update it as needed, she said.
Visibility into OT assets is another essential attribute. “You don’t know what you don’t know, or you don’t know what you can’t see – you also can’t protect what you can’t see,” she said. “In our annual review for 2021, we found that 86% of Dragos Services customers had limited to no visibility in their OT environment … That’s pretty scary, not knowing the landscape of what you have on your ICS side. If there are rogue devices or rogue communications happening, most people would be unaware of it.”
Maintaining an inventory of assets, including their age, the last time they were updated and what software or firmware version they use is critical. “Your OT visibility is going to validate the controls you’ve implemented in your environment, so it will tell you whether the controls you have in there already are working or not,” Lorbert said.
Ready to put your insights into action?
Take the next steps and contact our team today.