Vulnerabilities pose significant risk to manufacturers; here’s insight on what to do now to combat them.
By Willi Nelson, CISO for Operational Technology, Fortinet
As firms continue to integrate their IT and OT networks, they create a growing opportunity for cyberattacks. Bad actors have identified OT as a prime target, and they’re quickly rooting out zero-day vulnerabilities within these systems that they can exploit. And unfortunately, OT devices are increasingly being found to have such vulnerabilities.
All of this means that OT organizations need to stay vigilant and on top of growing security risks. Being aware of the problem is just one step in what’s quickly becoming a constant game of whack-a-mole.
The vulnerabilities in OT devices
FortiGuard Labs researchers recently examined the prevalence of vulnerabilities in OT devices. They discovered and reported, for instance, 24 zero days in Siemens products in May of this year. This was on top of what OT:ICEFALL found earlier in the year: 56 vulnerabilities that impacted OT devices from 10 different vendors, including Honeywell, Emerson and Motorola. This underscores how widespread the issue is; almost no vendor is immune.
Other major zero-day bugs spotted in the first half of 2022 include an unauthenticated code execution vulnerability in Atlassian’s Confluence Server and Data Center products, and a zero-day in Microsoft Windows’ Common Log File System (CLFS) driver. These vulnerabilities are just a few of what are likely many more, and these findings underscore the fact that all OT products are increasingly being targeted.
The ongoing challenges with OT security
Many OT devices – hardware and software that help monitor and control physical devices – are thought to be vulnerable by design. What does “vulnerable by design” mean? It means the devices were built on the expectation that they would operate on secure or private (air-gapped) networks, with trusted access enabled by default.
Designers frequently make this assumption when launching new hardware or software because their objective is to improve the system’s efficiency. But since the design process is frequently focused on function, it neglects security. There are just too many examples of these built-in vulnerabilities being used to launch actual attacks. Consequently, we can no longer take it for granted that any network is secure. Because of this, it’s crucial to keep OT in mind, particularly when examining vulnerabilities and zero-days.
What needs to happen next
Downtime is one of the main issues with a successful attack on an OT system. For every hour they are down, manufacturing floors might lose thousands or tens of thousands of dollars. Even though security breaches are unavoidable, how manufacturers handle and recover from cyberattacks is a good sign of how effective their risk management plans are.
According to a recent survey by Fortinet and Smart Industry, 63% of those in charge of network security know about, and are involved with, the security procedures associated with their organization’s OT initiatives. Most respondents (83%) also acknowledge that increased connectivity increases the risk of cyberattacks on their assets.
Regular cyber risk audits and/or OT-specific security assessments are essential for a solid security strategy. You should continuously audit your security: test for flaws in your systems’ integrity, in staff conduct, and for other vulnerabilities.
Budgetary commitment is an important aspect of a strong security posture. This only makes sense from a risk management standpoint when you compare security expenses to revenue potential. Additionally, an industrial enterprise’s security budget is impacted by how far along it is in its digital transformation. That budget might get reduced if a cybersecurity plan is already well-established and developed. It can be higher for companies that are just starting out.
Setting up for security success
The latest statistics for zero-day vulnerabilities and exploits in OT systems demonstrate that the convergence of IT and OT is expanding the attack surface and creating new opportunities for bad actors across the board. This isn’t isolated to any single vendor. Attackers are using these security gaps to infiltrate formerly air-gapped OT networks – and these gaps are widening as some manufacturing staff have begun to work remotely. Though not as commonplace as in other sectors, remote work in this field opens further opportunities for attackers.
So, as bad actors exploit the “vulnerable by design” status of many OT systems, manufacturers need to step up their security game to avoid expensive downtime and other detrimental consequences of a successful attack. This requires ongoing OT-specific security assessments and a commitment to allocate sufficient financial resources for the maturity level of the company’s security strategy. These actions will help industrial enterprises overcome the escalating threat of zero-day attacks.
About the author
Willi Nelson joined Fortinet as the CISO for Operational Technology in August 2022. He brings more than 25 years of experience in information security working across industry verticals such as healthcare, telecom, financials, manufacturing, and life sciences. Most recently with GlaxoSmithKline (GSK), he established and directed the global OT infrastructure security team charged with monitoring and protecting the OT assets for GSK. Globally, the team deployed 43 additional controls across the OT landscape assessed against NIST CSF and aligned business units to embrace a unified model for security, incident response, and risk reporting. During Willi’s tenure, he also oversaw the creation of the security organization and the global cyber defense team for GSK’s consumer health startup (now called Haleon). Beyond building and leading the OT and consumer health security teams, he led the security team responsible for cloud transformation for both IT and OT. Willi relies on a pragmatic and systematic approach to achieve company goals while also maturing the organizations and teams he leads.