Dive Brief:
- As digitization increases in manufacturing environments, or organizations reliant on OT, the approach to risk management has to change, according to Steve Applegate, CISO of Dragos, during a virtual panel hosted by the cybersecurity company Thursday. The "luxury of isolation" is not as prevalent as it once was in OT environments.
- In the old approach to risk management, the company could isolate IT and OT systems, and say "there's no reason why this ever has to touch something," Applegate said. Air gaps between IT and OT, however, have always been a myth because of processes like patch management.
- Leadership struggles to delegate cybersecurity responsibilities when OT workforces are already facing constraints, such as at manufacturing plants operating somewhat independently of each other, as opposed to under a unified security operations center (SOC). OT-infused companies are in a transition from site-level best practices to overall best practices, said James Destro, head of product for manufacturing industry products at ServiceNow, during the webcast.
Dive Insight:
Cyberthreats to OT/industrial control system (ICS) environments reached a new level this year, with ransomware striking Colonial Pipeline and JBS USA within weeks of each other. Companies were forced to take a look at how and why IT and OT connected, because if they didn't, malware would.
Independent cybersecurity from plant-to-plant is now changing to a more centralized, enterprise-like IT and cyber operation. Manufacturing companies are shifting technology maintenance responsibilities from automation or engineers to a centralized function of the CIO or CISO, said Destro.
"And because of that, it's requiring a kind of unified user governance across the models for which these are maintained," he said. It's creating a visual intersection — whether IT or OT — for organizations to better understand where air gaps cease to exist.
Unified governance was the case for Georgia Pacific: The manufacturing company overcame levels of variation among its plants as engineers operated independently from one another. Today, Georgia Pacific's 130 manufacturing locations are coordinated by their IT groups across the enterprise.
"We put in those standards, we put in that oversight," said Fran Cioffi, CISO of Georgia Pacific, during the webcast. "Now it's a collaborative, productive effort to put in those IT systems that are secure," However, those secure IT systems are also remote access-enabled to accommodate the digital transformation and necessary data transfers between plants.
"The old days of putting in a system, set it and forget it, that's changed. We've moved the organization along with that technically and organizationally," Cioffi said.
Under an enterprise SOC, companies can alleviate individual plants of some of the monitoring workloads they might have had to do on their own. "Our plants don't have to focus on watching things all the time, we can have our enterprise SOC being that first responder, which then takes our console data and dispatches it down into those facilities for actual execution," Cioffi said.
An enterprise SOC across plants offers a holistic view of devices and technologies, including dependable asset management and visibility as part of the organizational change. Applegate had experience in a cyberattack where the organization's Security information and event management (SIEM) had logs, but "nobody knew what this piece of equipment was; we didn't even know we had a log source for it," he said.
Organizations have trouble gaining a clear understanding of where vulnerabilities might lie between plants when there isn't a singular oversight umbrella. Before, when Jeremy Korger, OT cybersecurity lead at Sub-Zero Group, got a vulnerability notification, it would mean "reaching out to several dozen folks and getting a different kind of answer depending on that person," he said. "Some of those people change up, people who have been there for many years have retired … and so now you have two people who just doesn't don't have the historical context."