OT cybersecurity in manufacturing: PwC

Manufacturers are increasingly being targeted by cyber threat actors. While much of the onus of cyber protections have typically been placed on chief information security officers (CISOs), chief information officers (CIOs) and information technology (IT) teams, in many organizations there is insufficient rigor and investment dedicated to cybersecurity surrounding operational technology (OT) (e.g., connected factory floor, manufacturing and supply chain assets). Specifically, many manufacturers often struggle to close the perennial collaboration gap between IT and OT teams on numerous fronts — including cyber attack mapping, OT asset management, OT security monitoring, vulnerability management, and reporting and recovery initiatives and protocols.

In 2022, ransomware targeting industrial environments nearly doubled the previous year’s total, with more than 70% of the incidents aimed at manufacturers. Attack entry points exist across the manufacturers’ businesses — from interconnectedness with enterprise IT environments to digital supply chains and connected factory operations (especially with AI and machine learning use on the rise), and internet-connected products and services. Exploitations including the open-source Log4J software and myriad other threats and vulnerabilities have heightened alarm in many C-suites in the industrial sector. Meanwhile, in July 2023, the Securities and Exchange Commission (SEC) finalized rules on public company cybersecurity disclosures. As a result, public companies are now required to immediately disclose material cybersecurity incidents and information on cybersecurity risk management, strategy and governance. These rules intensify the urgency surrounding increasing cybersecurity protections.

To delve into how manufacturers can better close the IT and OT gap, PwC and the National Association of Manufacturers (NAM) have leveraged internal OT security research, field experience, conversations with — and assessments by — industry-leading cybersecurity professionals to help identify ways organizations can bolster their OT cybersecurity defenses.

What to consider when your OT cybersecurity needs bolstering

Here are eight trends and imperatives manufacturers can consider to help manage an increasingly hostile OT cyber environment:

1. Focus on evolving your OT cybersecurity capabilities and identifying vulnerabilities

Many manufacturers are just beginning to deploy OT cybersecurity capabilities across their ecosystems. Executing a program that can focus on maturing capabilities with built-in flexibility and stability — one that is perpetually enhanced and can respond swiftly and effectively to changes in OT cybersecurity needs — can be key for protecting these environments now and in the future. Organizations should baseline their current capabilities and define a plan that can help them deploy necessary protections to increase the maturity of their program. It is essential that both IT and OT teams can identify potentially vulnerable assets, know where the data resides and understand how the endpoints and access point of those assets are controlled. Some companies can struggle with compiling a complete — and constantly updated — inventory of vulnerable assets that require security.

Takeaway

Building an advanced OT cybersecurity program should begin with a thorough assessment of the existing OT environment, prioritizing areas that the business is operationally dependent upon. By doing this, organizations can work toward gaining commitment from leadership so they can dedicate sufficient capital and other resources to enhance OT security. Once such an assessment is made, a framework for improving the maturity level of cybersecurity can be created and executed.

2. Get ahead of new cyber policies and regulations

With cybersecurity rising to the level of a national security threat, government regulations, recommendations and protocols are constantly being implemented to help all sectors. For example, the Cybersecurity and Infrastructure Security Agency (CISA) established the Ransomware Vulnerability Warning Pilot (RVWP) on January 30, 2023, which was required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Through 2023, CISA has been working with stakeholders to set sector-specific goals aimed at addressing cyber risks of specific sectors. CIRCIA requires companies that are attacked to report significant cyber incidents, and offers protections incentivizing them to report. Additionally, in January 2022, the White House issued the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, which announced the creation of an Industrial Control Systems Cybersecurity Initiative to promote closer collaboration on cyber protection of the nation’s critical infrastructures between the federal government and the critical infrastructure community. Meanwhile, the EU’s Digital Operational Resilience Act, which entered into force January 16, 2023, sets out requirements for operational resilience not only for financial firms but also for information communications and technology providers that serve financial firms — which could apply to some manufacturers.

Takeaway

Manufacturers should be prepared to comply with the new cyber attack incident reporting rules — as well as to leverage CISA’s guidance and recommendations.

3. Close the IT and OT collaboration gap

Many manufacturers can struggle to integrate IT and OT teams, relying on IT cybersecurity teams to perform OT security activities. However, manufacturers can benefit from utilizing the strengths of both IT and OT teams to help safely and effectively deploy cybersecurity protections in OT environments that are built-for-purpose, with an eye toward availability and safety.

Takeaway

Manufacturers should devote more cybersecurity training resources to their OT teams and nurture greater collaboration between IT and OT teams for effective deployment of cybersecurity protections in the OT environment. Additionally, both IT and OT teams should work within an integrated risk framework that can help cover operations and customer services.

4. Expand visibility of OT security risks across the organization leadership

Visibility of OT security risks — which can typically be limited to the domain of IT and cybersecurity teams — should expand across executive leadership, especially to the CEO and their reports as well as other executives, board members, operations and supply chain and engineering leaders. Providing greater visibility to the various domains of the enterprise is important to help achieve a united front, so that cyber protections can be strengthened against attacks that have pervasive impacts across the organization. The finalized SEC rules on public company cybersecurity disclosure can make it even more important for companies to help identify cyberattack incidents that are “material.”

Takeaway

Visibility into OT security risks across the organization can be expanded by regularly and widely sharing security-risk-related information, including:

Regular updates on OT security to the board or executive leadership team
Updates on the deployment of technical controls to cyber and operations leadership
Internal working groups across IT and operations to discuss OT security risks and solutions
OT security tabletop exercises with executive leadership, IT, operations and other teams to recreate a real-life attack more effectively

5. Invest in — and utilize — cybersecurity technology and tools

Manufacturers should be comfortable with combating cyber threats with a multitude of tools and solutions that help address key OT security risks. To be sure, many have already spearheaded asset management, network segmentation, technology refreshes, monitoring and response, patching programs, and identity and access management (IAM) solutions. However, organizations should stay diligent and confirm that the scope of these solutions can cover the entire environment, not just a sample.

Takeaway

To help bolster OT security, manufacturers should make the right capital investments so they can better leverage current and future technology and solutions.

6. With the alphabet soup of OT security frameworks, which best suits your needs?

Manufacturers have no shortage of information security frameworks to implement, with some (e.g., NIST CSF, IEC 62443 and ISO 27002) more commonly adopted than others. However, which ones can better suit the specific needs and capabilities of a given organization? Should they rely on one, or adopt a suite of frameworks? For some businesses, utilizing a common framework like the NIST Cybersecurity Framework (NIST CSF) can be good to baseline and benchmark, with more specific frameworks like IEC 62443 being utilized to guide requirements definitions and implementation approaches for OT cyber capabilities.

Takeaway

A wide variety of cybersecurity frameworks are in use across peers in the manufacturing industry today. Utilizing a common framework to help organize your program, along with supplemental guidance from more OT- or ICS-focused standards to help guide your requirements could help with balancing the program reporting needs with the specific considerations needed for the OT environment.

7. Consider working toward certification to help increase trust and security in your customer-facing products

As manufacturers continue to innovate and develop customer-facing products that are internet-connected, getting ahead of Internet of Things (IoT) cybersecurity certifications (e.g., the CTIA IoT cybersecurity certification) can help you to build trust with your customer base and prevent potential cyber-related repercussions in the future.

Takeaway

Manufacturers that are aggressive in certifying their IoT products will likely achieve reputational gains — and trust — from customers, while helping reduce the chances of data breaches or other attacks.

8. Reimagine your OT security staffing strategy

Organizations have an opportunity to benefit from collaboration across OT and IT cybersecurity teams. Cross-training between the two teams can be crucial. IT staff with solid cybersecurity skills should acquire a greater understanding of the OT environment. Likewise, OT personnel with deep knowledge of plant operations can benefit from training with IT cybersecurity counterparts. With the shortage of knowledgeable individuals in the industry today, utilizing the knowledge that you have internally and supplementing with external and cross-training opportunities can help you to upskill more quickly and position motivated team members to make a more lasting impact.

Takeaway

Organizations should continue to focus on hiring qualified OT security resources (and seek interim external support if necessary), but should also consider cross-training in-house OT security staff and equipping driven team members with the opportunity to pursue external OT security training.