Austen Byers urges manufacturers to start establishing cyber protection within the operational technology landscape
A walk across an automotive manufacturer’s plant floor can be eye-opening when it comes to cyber security. The attack surface has grown so huge, and the operational technology (OT) environment so complex, that even plant and security managers are often stunned to discover the range of gaping vulnerabilities that exist under their watch.
More connectivity across and beyond vehicles, increasingly innovative and powerful technologies, and new suppliers across the manufacturer’s diverse ecosystem are coming into play simultaneously. What are the cyber security gaps that are being introduced along the way? And, most importantly, how can manufacturing facilities in this multi-layered industry get control over the OT environment and quickly put into place practical and effective protection measures?
A proven, uniquely enticing target for cyber criminals
The automotive industry is a sector of expansive reach and tremendous commercial value. It is marked by a tightly integrated supply chain of large and small suppliers. These manufacturing environments also rely on unusually diverse operating systems (OSs) of varying age to fulfill production requirements across critically important operational infrastructures. Any one of these characteristics would render the automotive industry a uniquely enticing and potentially lucrative target for cyber criminals.
It is no surprise that cyber attacks on automotive manufacturing are on the rise. Attacks target every facet of the industry—OEMs, suppliers, integrators, dealers, etc. Ransomware threats predominate, with notorious names in the cyber-crime industry such as LockBit, Black Basta and Qilin having targeted automotive manufacturers in the last two years with financially motivated and indiscriminate attacks. In some cases, attackers executed double-extortion approaches in which both high-value files were encrypted and sensitive data was pilfered. In such ways, the damage to targeted organisations was compounded in terms of both corporate espionage and financial loss.
Often, ransomware attacks exploit widespread vulnerabilities—1-day or n-day attacks which take place in the window of time between when a system vulnerability is known but its associated patch has not been implemented. In many of these cases, social engineering is employed to breach internal networks. But the last two years have also seen incidents beyond the realm of these common ransomware strategies. Advanced Persistent Threat (APT) groups have used significantly more sophisticated tactics to infiltrate automotive manufacturers.
These more strategic incidents often involve previously unknown software vulnerabilities and are known as ‘zero-day’ attacks. An unsuspecting employee inadvertently introduces malware in an organisation’s system, and suddenly the organisation is under siege from, for example, Cobalt Strike beacons capable of exploiting vulnerabilities, disguising malicious files, exfiltrating data and acting on further instruction from an APT group’s external command-and-control (C&C) servers. In this way, attackers can be positioned to move laterally across the target organisation’s network to compromise a range of critical OT systems that automate various manufacturing processes.
For companies in automotive manufacturing, the stakes are simply sky high. The trade secrets and intellectual property (IP) that form their very corporate lifeblood can be exposed, and the revenues that keep their organisations alive can be disrupted as whole production lines are threatened by lengthy standstills. Multiple cyber security events in the last two years have documented the substantial and varied havoc that threat actors pose for companies in the space.
The complex, hard-to-control OT environment
At the same time, the potential attack surface for threat actors to exploit is expanding as automotive manufacturers’ OT environments grow steadily more complex without adding the necessary cyber security measures. There are multiple factors that contribute to this issue, including flat networks. In most manufacturing plants, the OT networks are extremely flat. Mechanisms such as network segmentation are uncommon. This means that, if an attack penetrates the network, it is free to run roughshod across the flat OT environment—potentially reaching even the infrastructures of connected partners and suppliers in the highly integrated supply chain.
Automotive OT environments are marked by systems of an extremely wide range of ages. Some of the robotic systems are cutting-edge innovations; other systems are decades old. And often new and old systems are deployed side by side in production lines in the same plant. The newer systems depend on new OSs with vigorous patching and firmware requirements; the older ones might be relying on OSs that are so old that they are no longer even supported by their manufacturers.
Then there is the lack of clarity in roles. Companies in automotive manufacturing typically have traditional information technology (IT) network and OS support, but it is not uncommon to have little or no direct oversight and control over what systems are being plugged into the company’s OT network. Opening cabinets on the floor often reveals significant amounts of vendor-installed remote access for the systems that have been introduced into the environment. It is a honey pot of wide-open internet connections frequently overlooked and in the shadows of a company’s OT and IT personnel.
Conventional wisdom in cyber security often holds that visibility is the critical first step, and there is no question that visibility across the OT environment is valuable. But it is a grave mistake for an automotive manufacturer to concentrate efforts on anything—even at the very start of safeguarding its environment—other than protection. Visibility alone does not protect OT assets and the company’s sensitive data from possible breaches. The automotive manufacturing sector is too enticing of a target and too tightly integrated to rely on cyber security strategies that emphasise merely identifying vulnerabilities and devices to be patched or providing forensics after a cyber attack has taken place.
An achievable, low-risk path forward
The good news is that there are practical, low-risk steps that plant and security managers can take today to begin taking control of their companies’ OT environments. Organizations must resist the notion of perfect security postures and get moving with baseline protection of at least those mission-critical devices and preventing total shutdown of production lines.
Ensuring that perimeter assets are up to date and implementing proper cyber security training can be enough for an automotive manufacturer to avert substantial harm from 1-day and n-day attacks. Staving off the more sophisticated threats such as zero-day attacks initiated by APT groups will demand a tailored approach to advanced threat detection and response. OT network segmentation, virtual patching and endpoint protection in industrial control systems (ICS) are effective OT Zero Trust measures for locking down operational processes and safeguarding business continuity.
OT cyber security personnel must understand the unique requirements of OT devices, as well as IT security concepts to effectively communicate and facilitate collaboration across the organization, and they must be empowered to implement OT-specific protection of the production environment.
Furthermore, it is helpful to find OT-designated partners who keep up to date on the evolving needs, regulations and requirements for OT security from both technology and services standpoints. For example, companies in automotive manufacturing will be under increasing pressure to grasp and comply with developments from a growing range of standards—US National Institute of Standards and Technology (NIST), Trusted Information Security Assessment Exchange (TISAX) and the International Electrotechnical Commission (IEC), for example—as the automotive industry grows more complex.
OT is a complicated environment in which companies typically resist touching anything for fear of breaking something and stopping production lines (and revenue flows). But automotive manufacturing is no space to merely respond to security issues. The stakes are too high, and the risk of devastating, quickly spreading shutdowns is too great. A proactive and practical approach forward is achievable.
About the author: Austen Byers is Technical Director, the Americas, at TXOne Networks
