May 25, 2022 // Joel Burleson-Davis
The manufacturing sector continues to be one of the most appealing targets for hackers. It has the largest average payout for a ransomware attack, and the consequences are too visible and disruptive to ignore. The result: companies are much more likely to pay ransoms and meet demands. Not only is it an extremely profitable sector for hackers to exploit, but changes in operational technology are also broadening the attack surface almost exponentially. With so many digital and technological changes, legacy software is being intermixed with new software, revealing latent security gaps. Technology that was once safe inside the perimeter is now opened up to broader access, making it even easier for hackers to find and infiltrate critical access points.
Imagine a factory worker accidentally enabling connectivity for a PLC that, since its installation years ago, has only been accessible locally. It is now connected to the local network, which in turn is connected to the internet. Without knowing it, that employee has opened up a new vector for bad actors and created a vulnerability in the factory’s security infrastructure with the toggle of a switch.
Some of these vulnerabilities are unavoidable. Smart factories are on the rise — a trend known as the Fourth Industrial Revolution, or Industry 4.0. It’s only a matter of time before plants, critical infrastructure, and factories evolve into more interconnected and digital spaces. The old, traditional perimeter no longer exists. The choice to connect or not to connect new equipment will vanish. Even more so, a manufacturer’s critical assets could now be outside of the perimeter walls, meaning those assets are no longer safe via traditional means. To combat the threats manufacturers face, a different approach is needed.
The term “zero trust” is making its way across the cybersecurity space because it meets the needs of this “different” approach. Implementing technologies that support zero trust means researching, investing in, and installing technology that can granularly control all user access. This looks like remote access tools that allow you to put time-based controls on a user’s session, MFA tools that don’t just stop at two factors and include detailed vetting like employment verification, and credential management that stores passwords, automatically rotates them, and “masks and passes” them as a user logs into a system so credentials are never seen.
These technologies are just a few that support the zero trust architecture, aiming to help rapidly mature the security programs of corporations around the world now that we see our traditional perimeters vanish. However, these “newer” and “different” tools and methodologies are much more complex than traditional security approaches, which can often cause friction for companies trying to adopt them, or make adoption seem impossible for the understaffed teams charged with implementing them.
There’s a large opportunity for resistance when adopting technologies built for securing assets in place of the traditional perimeter. If implementation isn’t streamlined and fast, that technology has a greater and greater chance of being misused, “placed on the shelf,” or completely thrown away — even if the technology is necessary to fulfill security requirements and close vulnerability gaps. We often see that the burden to implement overwhelms the value of implementing in the first place. A classic axiom of engineering is to “optimize with constraints,” and it is the challenge of solutions providers to ensure these newer, necessary security controls are not so burdensome to implement. Most have not risen to this challenge.
Let’s think about this in terms of an analogy with furniture that everyone can relate to. Let’s say you’re newly working from home (just pretend with me for a moment) and are in deep need of a desk (the dining room table just isn’t cutting it anymore). Three scenarios flash in front of your mind:
This post originally appeared in Data Breach Today.