Regulations, lock-in, and legacy: How CISOs can beat these manufacturing headaches
Nick Panos
Senior Cybersecurity Consultant, Office of the CISO, Google Cloud
Isser R.
Senior Principal Security Consultant, Mandiant Consulting
Securing critical infrastructure can make any CISO's head spin, but cloud transformations can help lighten the load
Clean water. Continuous electricity. Safe transportation. Take away any of these things and much of modern life would grind to a halt. Yet the demands on the critical infrastructure that enables and improves modern life are continually expanding, especially as organizations seek to align their technology stack with business requirements, regulatory frameworks, and cybersecurity best practices.
Across industries, business leaders are increasingly looking to the benefits of cloud migrations — aggregating, storing, and processing large volumes of data — as the best solution to help meet those complex needs.
The leaders of Industry 4.0 see the value of predictive failure analysis, route optimization, load planning, and market demand predictions as table stakes. However, security requirements and the unique mix of one-of-a-kind critical infrastructure information technology (IT) and operational technology (OT) make these tasks far more challenging in the more mature critical infrastructure space. While endpoint detection and response (EDR) is an important part of a defense-in-depth strategy, defenders of critical infrastructure need more to successfully fend off attackers.
“We see nation-states identifying zero-day vulnerabilities in edge products and systems that don’t typically support EDR solutions. They exploit these vulnerabilities and deploy custom malware to facilitate their espionage operations,” said Charles Carmakal, CTO, Mandiant Consulting.
Context, clarity, and best practices
Securing diverse datasets is a critical aspect of this transformation and each successful journey must address technical and regulatory challenges. To secure critical infrastructure, we need context and clarity.
Lacking context and clarity renders the term “best practice” an unachievable abstraction for many business leaders. To that end, we would like to explore four consistent challenges that we see across the manufacturing and industry sector:
- Dynamic requirements and risk terrain
- Securing critical infrastructure in a dynamic regulatory and risk-averse environment
- Perceived vendor lock-in
- Legacy systems in IT and OT
Manufacturing leaders wrestle with evolving compliance standards as governments and regulators respond to growing cybersecurity threats and changing privacy requirements. Recent U.S. executive orders have focused on government policy for IT and OT systems, and software bill of materials; meanwhile, other government agencies have been updating their guidance for security architecture and risk reduction.
Where a dynamic regulatory environment meets established practice, how can businesses practically align with increasingly theoretical models?
There are no hard-and-fast right or wrong answers for these issues, but there can be many variations of right and some clearly very wrong answers. To start, we recommend developing a strategic paradigm before getting consumed by technical details.
In the current manufacturing and industry space, “vendor choice” can feel like a misnomer. Vendor selection may have occurred decades prior when there was no real option to truly migrate to another vendor. In other words, many organizations find themselves in a position where the only real option is to figure out how to make existing systems work with new regulatory, cybersecurity, or business requirements.
This takes on real meaning when dealing with EDR, vulnerability management, identity and access management, multi-factor authentication, and data encryption. These items should be baseline expectations for digital assets, yet they are often anathema for OT systems that achieve operational uptime through simplicity.
Solving for legacy technology and security debt
Legacy compute and infrastructure are the foundation of many distributed control systems (DCS) and supervisory control and data acquisition (SCADA) environments. Much like aged vendor relationships, legacy DCS and SCADA deployments are prevalent security challenges. It is not uncommon for organizations to buy up surplus, dated hardware to support a DEC Alpha system, or for vendors to deliver a packaged DCS in a self-contained, outdated Active Directory domain. Clearly, the manufacturing and industry space needs modern solutions that are unencumbered by legacy security vulnerabilities.
It can be helpful to ask:
- Is the risk of operational disruption out of balance with cyber risk change management?
- Are we too focused on minimizing change and, as a result, increasing cyber risk?
- What are the industry-specific regulations that we are required to comply with?
For initial technical questions, consider the following starting points:
- Is it feasible for OT to continue to function if it is isolated during a cyber event?
- Can I use physical access requirements as a factor for MFA?
- What if my device incorporates Purdue Levels 0 to 3 in a single chassis?
- Is virtual isolation via virtual routing and forwarding (VRF) on the same hardware sufficient segmentation?
If it seems challenging, that is because it is. There is no silver bullet, tool, or framework that will address every situation. Understanding and embracing the complexity of the gaps between cybersecurity, operational resilience, and compliance is the beginning to productive solution engineering for manufacturing and industry use cases.
How to move your organization forward
If you haven’t already, it’s vital to discuss security in-depth with your team. Good places to start include reflecting on your current cybersecurity strategies, establishing priorities based on strategic business outcomes, and performing gap analysis between current and required support to more effectively shape your organization’s security roadmap.
To learn more or to contact us, please visit our CISO Insights Hub.