Towards the end of February this year, activity at a Hoya factory had to be brought to an almost complete standstill. The Japanese optics manufacturer suffered a malware-based cyberattack on one of its delegations in Thailand.
To begin with, this malware tried to steal user and employee credentials in order to later carry out cryptojacking, using the affected computers’ resources to mine cryptocurrency. In other circumstances, we’d be talking about a cyberattack affecting the performance of IT resources. However, in this case, it goes much further. The attack forced the company’s production plants to stop when the security between IT systems and industrial systems was broken. Bearing in mind the fact that Thai factories tend to operate 24 hours a day, the incident suffered by Hoya caused a serious decrease in the company’s production volume, which was still being felt one month later.
One model, two environments: IT cybersecurity and OT cybersecurity_
This cyberattack is highly representative of a situation increasingly being felt in the secondary sector, and one that will certainly continue to grow. This situation is the possibility of an attack on an IT system affecting a company’s operative and production processes. This is why industrial environments must always consider cybersecurity for both environments under the same model.
- IT Cybersecurity: in information technology (IT), the main aim is to protect the company’s systems against vulnerabilities and cyberattacks. This is why traditional cybersecurity measures and solutions focus on this environment and on protecting endpoints. What’s more, in IT processes, cybersecurity audits needn’t impact business processes, since the system can be interrupted every so often in order to carry out security checks or install updates.
- OT Cybersecurity: thanks to Operational Technologies (OT), organizations manage physical industrial processes by monitoring and controlling devices and computers. Under SCADA systems, it is vital to protect level 3 computers, and ensure their availability; these computers control operations. The same goes for level 4 computers, which are in charge of planning, inventory, demand, and production status (generally via an ERP software). Herein lies the important difference between IT and OT security: in OT, the technology must be available constantly, transparently and properly, since it is working 24 hours a day to provide support for the company’s internal operations or the servitized products – those offered as a service- acquired by its customers. On the other hand, carrying out OT cybersecurity audits is not as simple as it is on IT environments. This is down to the fact that these systems cannot be so easily stopped for checks or updates. Another reason is that OT systems tend to depend on a range of providers, which means it is not possible to apply standardized security checks. What’s more, most companies that use OT have use external companies that connect to their devices as part of the service, meaning that it is tricky to group all devices in the same audit.
Industrial operation control levels in SCADA architecture. Daniele Pugliesi.
Zero trust for a secure industrial environment_
IT and OT environments must be well integrated. But, more importantly still, it is vital to guarantee the security of both while ensuring that a bug in one cannot affect the other. Protection of transactions and endpoints must therefore not be at odds with stopping possible threats that target the organization’s computers, machinery and infrastructure.
To this end, companies that want to protect their industrial environment must proactively and automatically protect the processes on their endpoints, machinery and infrastructure in real time. This is especially true in a world in which more and more organizations in this sector are using networks that are connected to external partners and providers, and are starting to adopt IIoT (industry 4.0) systems, increasing the attack surface.
In this sense, Cytomic’s Zero-Trust App service, included in our advanced security solutions, is based on a zero trust attitude to new applications that try to run on the device, even if they come from an apparently benign source, in order to guarantee that only trusted applications and binaries can do so. It achieves this through a combination of a cloud-based global information repository (which stores known registers of billions of malicious applications and techniques) and the deep learning algorithm-based automated application classification system, Deep-Ranker. Deep-Ranker analyzes and registers trillions of events in order to establish the trustworthiness of over 300,00 binary applications every day. .
Because of the IT-OT duality we’ve discussed here, the teams that manage an industrial environment must have an absolute guaranteed level of availability in order to avoid situations like the one in which the Hoya plant found itself. Cytomic offers its customers maximum availability of its platform, since it is stored in a differentiated instance in Microsoft Azure, which is also stored in servers within the European Union. This way, any possible interruptions in business and production processes are avoided.
The digitalization of operations technologies in companies is an undeniable advantage for their business, services and products. However, it also exponentially increases cybersecurity risks. Protecting devices, and ensuring their availability, thus becomes a vital measure.