Skip to main content
close search
site logo
Dive Brief

Digitization costs manufacturing plants 'the luxury of isolation,' changing risk management

Published Oct. 1, 2021
Samantha Schwartz's headshot
Samantha Schwartz Reporter
A view of the shop floor from a BID Group facility in Saint George, South Carolina.
Ryan Golden/Cybersecurity Dive

Dive Brief:

  • As digitization increases in manufacturing environments, or organizations reliant on OT, the approach to risk management has to change, according to Steve Applegate, CISO of Dragos, during a virtual panel hosted by the cybersecurity company Thursday. The "luxury of isolation" is not as prevalent as it once was in OT environments.
  • In the old approach to risk management, the company could isolate IT and OT systems, and say "there's no reason why this ever has to touch something," Applegate said. Air gaps between IT and OT, however, have always been a myth because of processes like patch management.
  • Leadership struggles to delegate cybersecurity responsibilities when OT workforces are already facing constraints, such as at manufacturing plants operating somewhat independently of each other, as opposed to under a unified security operations center (SOC). OT-infused companies are in a transition from site-level best practices to overall best practices, said James Destro, head of product for manufacturing industry products at ServiceNow, during the webcast.

Dive Insight:

Cyberthreats to OT/industrial control system (ICS) environments reached a new level this year, with ransomware striking Colonial Pipeline and JBS USA within weeks of each other. Companies were forced to take a look at how and why IT and OT connected, because if they didn't, malware would. 

Independent cybersecurity from plant-to-plant is now changing to a more centralized, enterprise-like IT and cyber operation. Manufacturing companies are shifting technology maintenance responsibilities from automation or engineers to a centralized function of the CIO or CISO, said Destro. 

"And because of that, it's requiring a kind of unified user governance across the models for which these are maintained," he said. It's creating a visual intersection — whether IT or OT — for organizations to better understand where air gaps cease to exist. 

Unified governance was the case for Georgia Pacific: The manufacturing company overcame levels of variation among its plants as engineers operated independently from one another. Today, Georgia Pacific's 130 manufacturing locations are coordinated by their IT groups across the enterprise. 

"We put in those standards, we put in that oversight," said Fran Cioffi, CISO of Georgia Pacific, during the webcast. "Now it's a collaborative, productive effort to put in those IT systems that are secure," However, those secure IT systems are also remote access-enabled to accommodate the digital transformation and necessary data transfers between plants. 

"The old days of putting in a system, set it and forget it, that's changed. We've moved the organization along with that technically and organizationally," Cioffi said. 

Under an enterprise SOC, companies can alleviate individual plants of some of the monitoring workloads they might have had to do on their own. "Our plants don't have to focus on watching things all the time, we can have our enterprise SOC being that first responder, which then takes our console data and dispatches it down into those facilities for actual execution," Cioffi said. 

An enterprise SOC across plants offers a holistic view of devices and technologies, including dependable asset management and visibility as part of the organizational change. Applegate had experience in a cyberattack where the organization's Security information and event management (SIEM) had logs, but "nobody knew what this piece of equipment was; we didn't even know we had a log source for it," he said. 

Organizations have trouble gaining a clear understanding of where vulnerabilities might lie between plants when there isn't a singular oversight umbrella. Before, when Jeremy Korger, OT cybersecurity lead at Sub-Zero Group, got a vulnerability notification, it would mean "reaching out to several dozen folks and getting a different kind of answer depending on that person," he said. "Some of those people change up, people who have been there for many years have retired … and so now you have two people who just doesn't don't have the historical context."

Recommended Reading

Editors' picks

Company Announcements

View all | Post a press release
Whalebone Wins 2024 CyberSecurity Breakthrough Award
From Whalebone
October 15, 2024
Varsity Brands Data Breach Investigation
From Migliaccio and Rathod LLP
October 15, 2024
DigiCert Welcomes Lakshmi Hanspal as New Chief Trust Officer
From DigiCert
October 24, 2024
Torus Unveils Integrated Energy Storage and AI-Driven Cybersecurity Solutions
From Torus
October 24, 2024
Editors' picks
Latest in Strategy
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell