Introduction
Manufacturers are becoming prime targets for cyberattacks, especially small to medium-sized manufacturers who are more vulnerable due to their budget and resource constraints in managing operational facilities and cybersecurity. However, as Operational Technology (OT)/Industrial Control Systems (ICS) become increasingly interconnected with Information Technology (IT) networks for the benefits of digitalization, these OT/ICS systems are also more exposed to cyber threats. This makes them low-hanging fruit that cyber criminals are not above taking. They can easily target and attack these businesses to steal confidential data, disrupt operations, or demand ransoms, while they are often virtually powerless to resist. Worse still, they are likely to become repeat victims as they may not be able to implement sufficient cybersecurity defenses and recovery plans due to lack of resources. In light of this, SMEs (Small and Medium-sized Enterprises) aka SMMs (Small and Medium Manufacturers) must prioritize the implementation of cost-effective and efficient cyber defense measures. In this blog post, we will discuss how cyberattacks affect SMMs and provide some real-world examples. Ultimately, we will suggest preliminary steps for implementing zero trust security principles to help SMMs develop their cybersecurity maturity.
The Importance of OT Cybersecurity for SME Manufacturers
In the digital age, cyber threats targeting Operational Technology (OT) systems have become an unavoidable reality. According to a report by the FBI’s Internet Crime Complaint Center (IC3), 847,376 complaints from the US public about cyberattacks and malicious cyber activities were received in 2021, a 7% increase compared to the previous year. The potential losses from these attacks total over $6.9 billion, a 64% increase from the year before. Unfortunately, over 60% of those were small businesses, which have become the “soft targets” for threat actors.
Traditionally, OT systems were designed to be isolated, focusing solely on reliability and physical security. The convergence of OT and IT systems brings significant operational advantages, including real-time data analysis, remote monitoring, and automation. However, this fusion requires more network protection for OT assets than ever before, especially those directly involved in the production line or factory operations. OT systems are now exposed to IT-related threats. SMMs must understand the unique security considerations in this convergence to design and implement effective cybersecurity measures.
Common Attacks on SME Manufacturers
The Manufacturing Extension Partnership (MEP) is a public-private partnership program by the National Institute of Standards and Technology (NIST) in the US. Its Manufacturers Guide to Cybersecurity describes common cyberattacks on, including phishing, web-based attacks, and ransomware. The Ponemon Institute also conducted an in-depth survey. Figure 1 highlights the distribution of common cyberattacks on SMEs.
Figure 1: Types of Cybersecurity Incidents among SMEs, Categorized by their Origin
Source: ENISA’s Cybersecurity for SMEs, June 2021
Figure 1 lists some common cyberattacks or vulnerabilities, and we provide a more detailed description in this section:
- Phishing attacks are the most common form of cyberattack. According to Barracuda’s report, an average employee of a small business (less than 100 employees) receives 350% more social engineering attacks than those at large companies.
- Web-based attacks include brute force login, Cross-Site Scripting (XSS), and SQL injection attacks. This can expose information that it normally wouldn’t, including customer details, user lists, and other sensitive company data. For instance, in the paper titled ‘SCADA vulnerabilities and attacks: A review of the state‐of‐the‐art and open issues‘, the authors reviewed several SCADA vulnerabilities and demonstrated that most SCADA is susceptible to traditional web-based cyberattacks.
- General malware includes adware, Trojans, and, most infamously, ransomware. Datto’s report points out that ransomware is the top threat to SMMs, with one-fifth of SMMs reporting that they’ve already fallen prey to ransomware attacks.
- Data leaks are another pain point for SMMs. External threat actors will definitely steal data from organizations. However, there are also internal threat actors that can leak data, some of whom do so unintentionally. For instance, an IT employee at the Maricopa County Community College District (MCCCD) failed to meet security standards. As a result, some of their databases and servers had been compromised and were made available for sale on the internet.
- In simple terms, a Distributed Denial of Service (DDoS) attack hinders people from using their needed systems or services, usually by overwhelming them. Despite growing defense capabilities, threat actors are becoming more skilled. As per an ENISA report, they are increasingly employing “reflection and amplification” techniques to intensify attacks without extra effort. DoS attacks, although not new, are becoming more sophisticated with threat actors conducting more reconnaissance activities than before.
- Insecure devices offer another attack surface for SMMs as some devices could even access SMMs’ critical infrastructure. Apart from unauthorized access and ransomware threats, insecure IoT devices could be another vulnerability. Once IoT devices are hacked, they become part of a botnet and could be exploited to initiate Denial of Service (DoS) attacks
Five Steps to Enhance OT Cybersecurity in SME Manufacturing
Small and medium enterprises (SMEs) should segment their networks to limit the potential spread of threats. By separating OT systems from the broader IT network, an incident in one system would not jeopardize the other. Technologies such as firewalls, demilitarized zones (DMZs), and virtual private networks (VPNs) can be used to isolate and protect different network segments. However, it’s important to first understand what security zones and network segmentation are.
According to the ISA/IEC 62443 standard, a security zone is a collection of assets—grouped either physically or logically—that share common cybersecurity requirements. Network segmentation is a method to protect corporate cybersecurity, where assets are grouped according to communication and cybersecurity needs, and appropriate protective measures are set up around these security zones.
In other words, communications within a security zone are considered trusted. Communication from within a security zone to outside is deemed untrusted and is subject to security controls, which must be comprehensively understood, defined, configured, and managed. Following the phased steps recommended in NIST CSWP 28’s white paper, SMEs can construct secure network segmentation in the following ways:
1. Establish an Asset Inventory
It can be challenging for security managers to identify vulnerabilities in devices and networks or carry out vulnerability mitigation without an asset inventory. As such, the initial step in the process of network segmentation involves cataloging the hardware, software, and sensitive data or information assets integral to business operations. Hardware assets encompass IT equipment such as office computers, servers, mobiles, tablets, and OT gear, including collaborative robots, sensors, and PLCs. The software includes operating systems and off-the-shelf or customized programs used by hardware devices. Data or information assets cover sensitive business, product, or customer information stored in hardware assets and accessed by software assets. For many small and medium-sized manufacturers, determining where assets (especially information assets) should ideally be placed often holds greater value than knowing their current location.
-
- For hardware assets, the location could refer to the physical location (such as a room number) or a spot on the network map.
- For software assets, the location could mean identifying which hardware assets host the software.
- For static data, location might refer to where the data is stored on the hardware and which software applications can access this data.
2. Assess Risk and Establish Security Zones
Without real-time visibility of assets and network traffic, it’s difficult for businesses to detect new devices, malicious activity, or offline equipment. Establishing security zones can aid in the implementation of network visibility tools. These zones break down assets into smaller groups, making it easier to set up monitoring tools and analyze their results. This not only improves network visibility but also aids in monitoring and analyzing security events.
For SME manufacturers, grouping their assets based on similarities such as operational functionality, level of importance, data sensitivity, etc., creates security zones. These zones typically share similar cybersecurity needs. These could include business applications (Office applications), administrative systems (domain controllers, Active Directory, and apps for managing network, cybersecurity, and computer systems), Manufacturing Applications (engineering workstations, MES, data historians, plant schedulers), and Industrial Control Systems (collaborative robots, sensors, PLCs, etc.).
It’s worth noting that while dividing zones into more fine-grained segments can reduce risk, it is easier to implement and manage fewer zones. Therefore, organizations should consider their capabilities and the number of security zones they can manage effectively and securely.
3. Determine Risk Levels of Security Zones
Lack of isolation between different parts of the network allows attackers to easily move from one system to another. By segmenting assets into security zones, it becomes clearer which assets need isolation for enhanced security. Isolation between security zones helps prevent lateral movement attacks or the spread of malicious activity across different areas. This effectively limits the range of attacker activity, boosting overall security.
Before implementing network isolation, each security zone must be assigned a risk level. Generally, the greater the risk associated with assets in a particular security zone, the higher the need for protective measures. Each business must identify risk categories for security zones, and define risk levels for each category. These risk levels, including Low Risk (L), Medium Risk (M), High Risk (H), and Very High Risk (VH) have the following implications:
-
- Low Risk (L): The loss of equipment has a minor impact on operations.
- Medium Risk (M): The loss of equipment has a moderate impact on operations but recovery is manageable.
- High Risk (H): The loss of equipment severely impacts operations.
- Very High Risk (VH): The loss of equipment results in full production halt or major financial loss.
4. Map Communications Between Security Zones
To effectively understand and set up trusted communications between security zones, we need a deep understanding of the traffic between all plant assets. To that end, we can use network monitoring tools to identify communication needs between assets. We must inspect and verify the identified traffic to detect any abnormal traffic that may exist within the environment. Typically, network monitoring tools can more precisely illustrate the actual communication scenarios between assets in the environment.
Moreover, incorporating network monitoring tools into business and plant operations management allows for ongoing monitoring of asset status, vulnerabilities, and network traffic. For common problems in the OT environment of small and medium-sized manufacturing industries, such as “poor visibility of assets and network traffic”, this provides an effective mitigation method.
Once we have identified and recorded the communication patterns between various assets, we can consolidate this information at the security zone level to determine communication needs between different zones. We need to clearly distinguish communications within the same security zone from those between different security zones. We can configure firewalls or other isolation devices based on this information to control traffic between zones, usually rejecting all inter-zone traffic except what is necessary for business operations. For instance:
-
- Business applications (such as ERP and MRP) may need to communicate with manufacturing application zones (such as MES and historian servers). Therefore, depending on actual application scenarios, we may allow “specific data traffic” between the business application zone and the manufacturing application zone.
- The manufacturing application security zone (such as MES and historian servers) may communicate with ICS (such as HMI, PLC, Robots, etc.) security zones, but the business application security zone (such as ERP and MRP) does not interact directly with the ICS security zone. Therefore, traffic from the manufacturing application security zone may be allowed into the ICS security zone, while traffic from the business application is blocked from entering the ICS security zone.
5. Determine Security Controls for Each Security Zone
Once assets are classified and partitioned into security zones, assigned risk levels, and the communication requirements between these zones are identified, the next step is to determine and apply security controls. Similarly, the implementation of security controls may employ different control methods according to the risk level of the security zone. For example, users might only use username/password (single-factor authentication) to log in, or they might use two-factor authentication.
However, for a comprehensive list of cybersecurity best practices related to the manufacturing environment, please refer to the ISA/IEC 62443 series of reference guides, or the NIST IR 8183 Rev. 1 Cybersecurity Framework Version 1.1 Manufacturing Profile (CSF Manufacturing Profile). For SMMs with limited budget and human resources, it may not be necessary nor economically feasible to implement all the best practices listed in the ISA/IEC 62443 series. But SMMs can at least define their objectives and the cybersecurity practices needed to achieve those objectives based on the desired amount of risk reduction for the organization.
TXOne Networks Can Assist Small Production Zones Achieve Network Segmentation
Network segmentation is a painful process that requires costly investment to change the entire infrastructure of security countermeasure deployment. The difficulty and costliness is exacerbated in an air-gapped network environment connected with a massive number of assets that were not designed for the modern corporate network.
EdgeIPS LE ensures affordable security of individual assets and small production zones through hassle-free transparent deployment, providing network visibility with the option of inline or offline functionality. This security solution is designed specifically to fit into your network without compromising your pre-existing configurations. EdgeIPS LE creates visibility and rock-solid cyber defense for the legacy systems and unpatched devices that make up the backbone of your production line, ensuring uninterrupted operation.
Furthermore, EdgeOne endows complete visibility over Operational Technology (OT), coupled with the ability to make on-the-spot modifications as required. This ensures the protection of your production line, enabling its continuous operation. Utilizing our Edge series products, our network defense platform provides an encompassing view of the OT environment, whether it’s connected, air-gapped, or standalone. Additionally, EdgeOne acts as a unified management platform, handling multiple sites for each instance of the deployed Edge series product.
Table 1: Pain Points of SMMs
| Pain Points | TXOne Networks Solutions | |
| The Challenge of Detecting New Devices, Malicious Activities, and Offline Devices without Real-Time Visibility | Transparent Network Traffic Monitoring and Control | EdgeIPS LE is specifically designed for deployment at levels 1-3, either in front of mission-critical assets or at the network edge. With its transparency and ability to monitor your network traffic and production assets, EdgeIPS LE can seamlessly integrate into your network without causing any disruptions to operations. |
| Network Segmentation Deficiency Facilitates Easy Movement for Attackers Across Systems | Operational Intelligence | Our core technology for EdgeIPS LE, TXOne One-Pass DPI for Industry (TXODI™), gives you the ability to create and edit Allow Lists, allowing for interoperability between key nodes and deep analysis of L2-L7 network traffic. |
| The Difficulty of Vulnerability Identification and Mitigation without an Asset Inventory | Improve Network Visibility by Integrating Existing Networks | EdgeIPS LE comes equipped to make your networks as integrated and coordinated with each other as possible, granting superior visibility of your network environment. |
| Balancing Prevention Measures and Production Latency: The Need for Proactive Monitoring | Switch between Two Flexible Modes, ‘Monitor’ & ‘Prevention’ | EdgeIPS LE offers flexible switching between “Monitor” and “Prevention” modes, allowing you to maintain productivity while maximizing security. |
| Balancing Productivity and Security: Challenges of Timely Vulnerability Updates in SMEs’ OT/ICS Systems | Signature-Based Virtual Patching | By implementing virtual patching, your network gains a robust and up-to-date initial defense against known threats. This gives users greater control over the patching process, creating a proactive defense strategy during incidents and offering additional protection for legacy systems. |
| Navigating the Ever-Changing Threat Landscape: Challenges for SMMs in Staying Ahead of Cybercriminal Tactics | Top Threat Intelligence and Analytics | EdgeIPS LE offers cutting-edge protection against unidentified threats by leveraging its comprehensive and up-to-date threat intelligence. Utilizing the Zero Day Initiative (ZDI) vulnerability reward program, EdgeIPS LE provides exclusive protection for your systems against undisclosed and zero-day threats. |
| Overcoming Challenges in Designing and Managing Centralized Management Systems for SMMs | Management Easily Centralized | Pattern updates and firmware management can be efficiently centralized on a large scale. For facilities with multiple EdgeIPS LE nodes, the EdgeOne provides a streamlined solution for administration and management, resulting in cost savings and improved performance. |
Conclusion
Small and medium-sized manufacturers, due to a lack of sufficient budget and human resources, are often the most vulnerable targets for hackers. However, if these manufacturers don’t attempt to take basic network defenses, the cost could be exponentially higher. We encourage small and medium-sized manufacturers to adopt security segmentation, a method to mitigate vulnerabilities in small and medium-sized manufacturing environments by using security zones.
Implementing security controls and improving cybersecurity is an ongoing process, not a one-time task. In this process, every step makes the facility safer and reduces its vulnerability to cyberattacks. To facilitate this challenging task of implementing security controls, this blog provides a foundational security reference framework that prepares organizations to implement OT zero-trust security approach. Of course, based on business needs, small and medium enterprises can also choose other best practices for cybersecurity from the ISA/IEC 62443.
