Ransomware on the production line: can your IT plans crush OT incident response?

OT cybersecurity

Industrial automation (OT) is the lifeblood of modern production and infrastructure, and ransomware attacks on it can cause millions in losses. In the manufacturing and infrastructure sectors there is a reason why a separate department, distinct from IT, is responsible for protecting control systems (OT). This stems from the fundamental differences in the processes they support, the people who operate them, and the infrastructure on which these processes rely. It is an issue that can be overlooked when creating security management systems. Why? Because legal and compliance departments often equate cybersecurity with threats coming from the internet to company data, which naturally reside on IT servers. This compliance gap can pose a significant problem in the event of an attack on the company's machinery. Why?

Differences in recovery priorities, challenges, and security approach in industrial automation

In the IT sphere, the priority is primarily data confidentiality. Regardless of the device – from a workstation to extensive server arrays – every byte contains valuable information, including personal, financial, and strategic business data. Therefore, IT contingency plans focus mainly on restoring databases, CRM systems, and key documents as quickly and effectively as possible.

The situation is completely different in industrial automation (OT). Here, availability and operational continuity become paramount. Production downtime generates enormous financial losses, entails contractual penalties for missed delivery deadlines, and causes severe disruptions throughout the entire supply chain. Moreover, in infrastructure sectors such as water supply, energy, and wastewater treatment, OT system failures can have serious, even catastrophic, consequences for entire societies.

Cloning IT plans for automation needs is usually a waste of time and resources – filling out spreadsheets, reporting metrics, and conducting analytics that won't translate into real OT security.

In the event of a disruption in industrial automation, the team responsible for incident detection and response must take different steps to restore normal infrastructure operation than it would if the situation involved IT. Maintenance specialists will have their own Recovery Time Objectives (RTOs), and Recovery Point Objectives (RPOs) established using IT methods may make no practical sense for their processes at all. Additionally, there are IT elements whose operation is of little importance to office departments but is crucial for OT.

How can an attack unfold?

Public perception of ransomware attacks is commonly associated with data encryption and financial extortion. However, in OT environments, in addition to traditional documentation or personal data, configuration data of industrial machines and devices, as well as recipes or specifications stored within them, are also extremely valuable. Therefore, when referring to backups, IT and OT may have in mind completely different types of data stored on completely different media.

Attacks tend to follow a set of standard steps, which may vary in detail:

  • Network infection: an attack can start by infecting the office network through phishing, software vulnerabilities, or infected data carriers,
  • Ransomware propagation: the attack on OT systems occurs through network elements and server spaces shared with IT,
  • Data encryption: attackers block machine access to technical documentation files, or halt their operation by encrypting drivers controlling production processes,
  • Control takeover or data modification: attackers gain administrative privileges to control systems and change settings or shut down machines.

Impossible? Hard to imagine? The automation engineers at Honda, Norsk Hydro or TT Electronics probably thought the same thing prior to the attacks that affected these companies between 2017 and 2021.

What can fail when actions are based on IT plans and procedures?

When an attack occurs on systems or networks operated by IT, there is a high probability that an administrator will be the one to detect it: a qualified employee with the appropriate knowledge of how to analyze the incident and how to respond to it. In the case of an attack on OT, anomalies are often first detected by an employee performing their daily tasks on the machine. This affects more than just the flow of information about the incident. A regular employee does not have the authority to make decisions about stopping the production process, interfering with the operation of complex control systems (such as PLCs, SCADA, or HMIs), or disassembling affected machines.

IT plans specify a step-by-step sequence of actions: verifying the incident, determining the infrastructure affected by it, and establishing the scope of data needed for recovery. If necessary, they include preparing and issuing replacement infrastructure to employees for the recovery period, especially if it is crucial to preserve attack artifacts stored in the cache. Affected media can be safely removed and secured (at least those key to further analysis), as their unit value is typically within acceptable limits for the company.

The situation is different in the OT area. Machines generally cannot be disassembled without voiding the warranty, so factory service must be called on-site. And this takes time. In the case of encrypted network elements, remote service access is not possible. Moreover, it is difficult to predict what consequences a connection to an infected machine might have if the manufacturer has not tested it before introducing the product to the market. Redundancy is difficult, and removing and replacing components encounters legal barriers – in the form of service agreements and warranty provisions.

At the same time, the next shift is usually waiting to start work and production plans must be fulfilled, so every minute translates into real losses. Maintenance personnel are therefore racing against time far more than their IT counterparts. It is worth emphasizing that OT environments are often more complex and more tightly integrated than IT environments, which further complicates the process of data recovery and restoring normal operation. Applying IT plans and procedures in an OT environment without considering its specific characteristics can lead to prolonged downtime.

Additionally, in OT there are safety aspects with a completely different context than in IT. As a result, completely different data is needed for post-breach analysis and security updates, and there is much less of it than in the case of IT. Filling out piles of documents, creating reports, and updating the risk register after an attack are therefore activities that consume the time of automation engineers without providing real benefits. On the other hand, companies subject to NIS2 requirements must fulfill the obligations arising from the regulations. Tailoring the approach is key here.

Looking for legal help in cybersec compliance?

Reach out to our experts today for tailored advice and to fully secure your production! Interested in seeing what else we can do for you?

Want to find out more about building effective security management systems within OT environments?

You can start by watching a video about securing ransomware storage media and the reasons why companies lack procedures for it.
