The road ahead with cybersecurity regulations

Dec. 4, 2023
National security is a critical aspect of enhanced national cybersecurity strategy

The 2023 National Cybersecurity Strategy has introduced significant changes with profound implications for U.S. manufacturers. Under the first pillar, "Secure Critical Infrastructure," the strategy has indicated coming regulations to mandate robust cybersecurity practices in specific sectors. Cybersecurity regulations represent a pivotal shift in the regulatory landscape, as they compel manufacturers to adopt comprehensive security measures to protect their operations, supply chains and critical infrastructure components. These regulations are set to enhance the resilience of manufacturers against cyber threats, safeguarding their intellectual property, production processes and sensitive data. The strategic intent is not only to prevent security breaches but also to mitigate the potential cascading effects of cyberattacks on national security.

Furthermore, the strategy places a specific emphasis on Internet of Things (IoT) devices, recognizing their heightened vulnerability to cyber threats. These connected devices, integral to modern manufacturing processes, present a significant attack surface and can be exploited as entry points for cyber adversaries. The federal government has allocated substantial funding to the IoT domain and increased its security interest in it. This investment aims to promote the development and deployment of secure IoT technologies, which will benefit manufacturers by reducing their exposure to cyber risks.

Planning For the Future

In the long term, the impact of the 2023 National Cybersecurity Strategy on manufacturers is likely to be multifaceted. Global regulations, such as the EU Cyber Resilience Act (CRA), may also affect manufacturers and machine builders who work globally. While the current regulations primarily target critical infrastructure, manufacturers in various industries should anticipate that the federal government may extend similar cybersecurity requirements to them in the future. This dynamic regulatory landscape will necessitate ongoing investments in cybersecurity measures, influencing business strategies and budgets.

Overall, the 2023 National Cybersecurity Strategy's emphasis on securing critical infrastructure and IoT devices will enhance the cybersecurity posture of U.S. manufacturers. While it may introduce compliance challenges and increased operational costs, the long-term benefits will include improved resilience, reduced risk of cyberattacks and strengthened national security. Manufacturers should proactively adapt to these changes to thrive in an increasingly digital and interconnected world.

OT Cybersecurity Risks

Cybersecurity risks are not new to manufacturers. Many manufacturers have implemented strategies and protections against external cyber threats and vulnerabilities. These existing protections are incredibly valuable but still may leave manufacturers vulnerable to the dangers of many common cyber threats. Robust protection must include tactics to close off routes for external access and mitigate the risk of external and internal hacking.

IT and OT teams have different priorities and objectives: IT is measured on how effectively it can lock everything down and secure access; OT is measured by maximizing plant floor uptime.

IT and OT teams also have separate specialized focuses and expertise. IT manages corporate networks, infrastructure, and systems, emphasizing data security and network access. In contrast, OT teams specialize in managing industrial control systems (ICS), supervisory control and data acquisition (SCADA) systems, and programmable logic controllers (PLCs). Their core objectives revolve around process control, reliability and safety.

Unfamiliarity can make a PLC difficult for IT to protect, sometimes leaving OT systems vulnerable or even “wide-open” and unsecured. Similarly, IT network access and security protocols can trip up OT-trained teams. Common cyber-attack vectors and tools, such as network lurkers, crackers and virus distribution, may be typical avenues of attack but are not always required to break into OT systems. Many plants have insufficient security and can be breached with basic phishing attacks or by connecting over WiFi to an unsecured OT PC. Hackers don’t have to attack a product vulnerability if there is a weakness in your security process.

The first step to building a secure plant is to review your cybersecurity risk and process, followed by ensuring that machines have security by design and security by default. Ensure that your machines are designed for security and can be locked down by default, and that the vendor proactively discovers and fixes vulnerabilities and potential attack vectors in firmware, software and process. Responsible vendors constantly learn and adapt to remove and mitigate the vulnerabilities exposed in equipment similar to their products, ensuring they don’t have the same susceptibility, instead of waiting for a breach of their equipment to take action.

Challenges and Overlapping Risks

A cybersecurity breach can severely affect industrial operations, damaging critical infrastructure and causing financial losses and safety risks. IT needs a partnership with OT to create a cyber risk task force and understand plant floor operations to identify acute vulnerabilities. OT’s expertise is critical so that defensive processes and technologies can both secure and maintain efficiency on the plant floor. For many years, OT systems were often isolated from external networks, limiting potential cybersecurity risks. The growing interconnectivity between IT and OT systems and the need to take advantage of the efficiencies provided by remote access capabilities demand a collaborative approach to address the increasing number of vulnerabilities in OT systems.

When implementing a cybersecurity task force:

- Build a stakeholder team to evaluate the integration of IT and OT cyber practices. Include all levels and departments impacted, from potential users to managers and decision-makers, IT and OT teams, etc.
- Evaluate current in-place processes and systems, explicitly noting challenges faced and the goals for each team.
- OT teams focused on maximizing machine uptime can often provide unique input on cybersecurity procedures and plant efficiency.
- Where are the “easy wins?” What will require longer-term implementation plans?
- Identify fundamental needs for security and potential areas where machines or systems are vulnerable. Ensure the notes reflect any potential difficulties the team raises and include them in the planning phases.
- Identify opportunities for implementation where the most value is added and create detailed implementation plans for hardware, software, and training to implement new cybersecurity measures.
- Ensure the solutions allow flexibility and open customization to provide insight and optimizations for unique applications.
- Look to industry standards organizations, established SOAR and SOC best practices, and the National Cybersecurity Strategy for guidance.
- Create an implementation timeline.
- As you implement cybersecurity solutions, maintain the stakeholder team throughout the implementation phases and launch to identify potential improvements and ensure that new systems and processes are fully implemented as designed.

Luis Narvaez is Regional Product Manager for Controllers and Cybersecurity for Siemens Factory Automation. He brings more than 10 years of experience with automation technology in a variety of industries ranging from theme park/entertainment to oil and gas, and machine tools/machining. Luis' experience and passion for bringing secure and smart manufacturing to the industry make him a subject matter expert in topics including digitalization, industrial cybersecurity, and IT/OT Integration.