Cybersecurity: “Securing the Industrial World Is Not the Same as Securing the Corporate World”

Attacks on industrial facilities and critical infrastructure are on the rise. This is the result of a recent study conducted by Rockwell Automation in partnership with the Cyentia Institute. With daily connections between IT and OT networks, most industrial environments’ equipment is increasingly exposed to sophisticated attacks. For the writers of the report, it is incumbent upon every industrial company to implement a robust OT/ICS security program to maintain the security and availability of its operations.

We spoke with Bruno Lignon and Pierre Paterni, Rockwell Automation’s experts on cybersecurity to discuss the key findings of the study and how Rockwell Automation manages to reconcile the worlds of OT and IT to strengthen cybersecurity and ensure industrial system continuity and availability.

Rockwell Automation has released the conclusions of its report “Anatomy of 100+ Cybersecurity Incidents in Industrial Operations.” This global study, conducted in partnership with the Cyentia Institute, analyzed 122 cybersecurity events that directly compromised operational technology (OT) and/or industrial control system (ICS) activities.

According to this report, nearly 60% of cyberattacks targeting the industrial sector are carried out by state-affiliated actors and are often unintentionally triggered by personnel. These figures align with other studies showing an increase in the number and frequency of OT/ICS security incidents, primarily targeting critical infrastructure such as energy production facilities.

Among the studied OT/ICS incidents, 60% led to operational disruptions, and 40% resulted in unauthorized access or data exposure. The damage caused by cyberattacks extends beyond the affected company, impacting entire supply chains in 65% of cases.

The study emphasizes the importance of strengthening IT systems’ security to counter cyberattacks. Over 80% of analyzed OT/ICS incidents began with the compromise of an IT system, attributed to the increasing interconnectivity between IT and OT systems. Therefore, for the writers of the report, proper network architecture deployment is crucial to reinforce a company’s cyber defense lines, as traditional firewalls between IT and OT environments are no longer sufficient.

We spoke with Bruno Lignon and Pierre Paterni, Rockwell Automation’s experts on cybersecurity, to discuss the key findings of the study and how Rockwell Automation manages to reconcile the worlds of OT and IT to strengthen cybersecurity and ensure industrial system continuity and availability.

Pierre Paterni: “In our recently released study, we analyzed over a hundred cybersecurity attacks within the industrial sector. The findings indicate a notable increase in attacks targeting critical infrastructure, particularly in the energy industry, utilizing a variety of techniques and tools. The most common attack methods include phishing, ransomware, and lateral movements to exploit remote services. The COVID-19 pandemic has heightened the need for remote connectivity, thereby expanding the attack surface for companies. Consequently, some hastily implemented security measures have been exploited by cyber adversaries to gain access to information systems.”

Bruno Lignon: “What we’ve observed also is that the number of cybersecurity incidents occurring in the last three years has already surpassed the total number of incidents reported from 1991 to 2020. One contributing factor is the increasing digitization, which is leading to greater connectivity between IT and OT environments. For instance, the adoption of ERP systems aims to enhance agility, align with production constraints, achieve efficiencies (such as on-demand manufacturing), and ultimately become more competitive in the market. But with that, come more risks.”

Pierre Paterni: “And also, IT tools like Windows for example, have made their way into OT, into an environment that was traditionally based on proprietary protocols. In the industry, there are over a hundred proprietary protocols, such as Modbus, Profibus, and ControlNet, among others. These protocols were not originally designed with cybersecurity in mind during the early days of automation. Now, we’re connecting ERP systems and other elements from the world of IT with these OT systems that were not initially built with cybersecurity in consideration. The integration of IT and OT has expanded the attack surface. Nowadays, the IT part is generally well-secured. When speaking with a CISO, they typically have a clear strategy for securing cloud access, workstations, and so on. However, this level of security doesn’t always extend into the factory. Hence, the challenge we face today lies there. Many end-users, particularly industrial entities, are also increasingly mandated by regulations to implement cybersecurity solutions. Regulatory requirements now compel businesses to communicate more about cybersecurity incidents. Therefore, the increase in incidents is partly due to more actors openly acknowledging and reporting that they have been hacked.”

Bruno Lignon: “Indeed, new directives will require European Union member states to report cybersecurity incidents to local authorities. One notable directive is NIS2, which is expected to come into effect around October 2024. Under this directive, companies will be obligated to report security incidents and establish effective control systems to secure their infrastructure.”

Pierre Paterni: “What needs to be done is to get organized, and have teams capable of managing cybersecurity in an organized manner. For instance, in the past, we used to have CISOs responsible for overall security. Now, we’re seeing an increasing number of Chief Operational Technology Security Officers (CISO OTIs) whose role is to secure OT in factories. This didn’t exist a few years ago, so it’s a significant step forward. Once we’ve done that, we assist our clients in certain processes. The first step is to conduct an assessment, which can involve inventories or penetration tests to assess and identify risks and vulnerabilities. This helps us understand where an attacker could potentially gain access. For example, we conducted a penetration test for a German automotive supplier. In just two days, our ethical hackers had access to both OT and IT systems across six factories. Once we’ve demonstrated what can be exploited by hackers, we implement cybersecurity measures. The idea is to have a network that follows best practices, is segmented, well-designed, and redundant. After addressing the network, we implement cybersecurity components, such as real-time threat detection. This means that if a hacker is in the system, we should be able to detect it. For this purpose, we use dedicated OT tools like Intrusion Detection Systems (IDS) that monitor industrial traffic and network flows. We are integrators of these tools, which have been designed for industrial environments and understand the protocols used in these settings. They allow us to create an asset map. We provide clients with a 360° view of their entire hardware and software landscape. Beyond lifecycle management, this also gives insights into system vulnerabilities. These are solutions designed specifically for industrial environments.”

Pierre Paterni: “The approach of many clients following these assessments often begins with infrastructure segmentation. Indeed, the exchange of information between the two zones, IT and OT, is a sensitive area. We want to prevent malware from the IT side from spreading into the factory or the factory, which is less secure, from propagating and affecting the company’s information systems. Both are highly interconnected and in some cybersecurity incidents, this resulted in production shutdowns. For the Colonial Pipeline incident, it was not the OT directly but rather the entire customer billing system, which relied on IT systems that was affected. Due to the IT systems’ inability to accurately track and bill for the products transported through the pipelines, the company had to halt operations. So, the two worlds, IT and OT, are closely connected, and one must be protected from the other. This is where Rockwell excels because we come from the OT world and have a deep understanding of IT. In particular, we undertake segmentation projects to securely transfer data and information in real time from one zone to another while securing these flows. There are techniques like the industrial DMZ that address this specific need.”

Bruno Lignon: “Indeed, OT and IT have sometimes struggled to understand each other. However, this is becoming less and less the case because cybersecurity is becoming an increasingly important topic in the industry. Our role is to support industrial stakeholders, particularly those in production, who may not always be cybersecurity-aware and might perceive cybersecurity more as a constraint than as something that can enhance production. Their primary motivation is how they can improve production, achieve greater efficiency, and boost productivity. So, we serve as facilitators, being a manufacturer of solutions for industrial purposes, and we understand their needs. We have over two hundred cybersecurity experts who assist our clients both in consolidating their infrastructure and in ensuring security to harmoniously integrate these two worlds. To be more general, what is crucial for cybersecurity in the industry is to engage with players who are not only proficient in cybersecurity but also understand the industrial world. Securing the industrial world is not the same as securing the corporate world. Even though the tools may be similar, these two approaches require expertise from someone with an industrial background.”

Pierre Paterni: “In every discussion with a client, we arrive at this point. Unfortunately, the potential cost of an attack, which can be very high, often doesn’t serve as a driving force for implementing cybersecurity. Many companies still adopt an “ostrich policy” and believe it won’t happen to them because they are not a target or not part of a strategic industry. However, what will bring about change is NIS 2. Currently, there is NIS 1 regulation that primarily applies to critical infrastructures, typically larger companies in the energy sector, and vital organizations. NIS 2 will impose constraints on a much wider range of actors, and most industrial companies will have to establish cybersecurity measures and report cyber incidents. Clearly, this will have a significant impact on many companies. Therefore, the message we convey is that these companies have no choice but to prepare now because implementing cybersecurity programs and solutions is not a quick process.”

Bruno Lignon: “The question is not about whether we will be attacked but rather when we will be attacked because companies will be targeted sooner or later. So, it’s better to engage in this process in order to prepare. According to our perspective, an essential approach is to identify industrial risks with different levels of urgency and potentially quantify these risks by saying, “Here, I have a loss of productivity, how much will it cost me?” With Rockwell, we provide our clients with the ability to quantify this risk by conducting risk assessments and modifying it. We rely on the NIST CSF standard for this purpose.”

Pierre Paterni: “Following the risk assessments, we clearly see how easy it is to infiltrate information systems, for example, with our penetration tests. So, we have already conducted and demonstrated this. We implement real-time threat detection solutions which are software programs that analyze network infrastructure flows. We have an OT SOC (Security Operations Center) with our analysts who receive all these alerts from our clients’ flows, and we analyze them. It’s a daily task where we observe either malware in action or suspicious flows. For example, we had a case where a client’s industrial system was sending information to a server in North Korea, which is not at all a normal operation. The client wasn’t even aware of it. We also offer another service, incident response for example when a client is a victim of an attack, such as a production line that is halted. In that wase, we intervene like firefighters, manage the attack in real time, minimize its consequences, and remove the attacker. Every day, with our real-time threat detection services, we receive alerts about things that resemble attacks, and we handle them in real time.”

Bruno Lignon: “When we audit the client’s infrastructure and OT assets, we accompany them in implementing protection solutions, especially real-time threat detection solutions. These are IDS systems that we position on their infrastructure to detect abnormal behaviors. These solutions collect all the traffic to provide a comprehensive view of their infrastructure without impacting production. Once we have implemented these solutions, alerts are sent to our SOC rather than directly to the clients, as they may not have the necessary skills, time, or training. Clients cannot be available 24/7 but threats and vulnerabilities are constant. Our SOC can manage that 24/7, 365 days a year. Whenever a vulnerability occurs that potentially threatens our clients, our services contact the client, and establish a remediation action plan to eliminate the threat or the attack. We also offer restoration services to bring the industrial system back into production in case of an attack-induced shutdown.”

Pierre Paterni: “The goals may initially seem contradictory; wanting to digitize more while enhancing security. However, it is possible to achieve both. Industry 4.0 has created an industrial imperative to exchange data to remain competitive and gain visibility into processes and the supply chain. We won’t cease exchanging information, but we must do it securely. This requires IT and OT professionals to communicate more on this matter. Rockwell serves as a bridge between these two worlds because we have a deep understanding of both. The concern arises when digitization projects move forward without giving due consideration to cybersecurity. Sooner or later, this oversight will come back to haunt them.”

Pierre Paterni: “We mentioned NIS 2. In parallel, there are also standards and directives that apply to components. As a manufacturer of PLC and HMI components, we at Rockwell, are increasingly impacted. This involves code security, how we handle computer code, how it’s written, and the management of product and software lifecycles. So, we are certainly at the forefront. For example, we have our first controllers that are certified under 62443 (the standard of the former ISA 99-European Industrial Society).”

Key Findings of the Study
The number of OT/ICS cybersecurity incidents in the last three years exceeds the total number of reported incidents between 1991 and 2000.
Threat actors primarily focus on the energy sector (39% of attacks), which is three times more than the next most frequently targeted sectors, critical manufacturing (11%) and transportation (10%).
Phishing remains the most popular attack technique (34%), highlighting the importance of cybersecurity tactics such as segmentation, physical isolation (air gapping), “zero trust” access, and security awareness training to minimize risks.
In over half of OT/ICS incidents, supervisory control and data acquisition (SCADA) systems are targeted (53%), followed by industrial programmable logic controllers (PLCs) (22%).
Over 80% of threat actors come from external organizations; however, “insiders” unwittingly play a role in opening the door to threat actors in about one-third of incidents.