In this episode we’re joined by Sean Sutton and Cara Haffey to discuss how organisations can secure their operational technology (OT). We discuss:
The Cyber Security Podcast from PwC UK covers the latest developments in cyber risk, resilience and threat intelligence. In each episode we’re joined by special guests to give you practical insight on how to improve your cyber security and create a more resilient business.
Subscribe to our podcast on:
Introduction by our host, Abigail Wilson: Hello and welcome back to The Cyber Security Podcast from PwC UK. In this episode we’re going to discuss a topic we perhaps don’t see covered as much as it should be: operational technology, also known as OT. Many sectors where OT is prevalent are undergoing wide-scale digital transformations, innovating and harnessing new technologies. However, increasing connectivity in OT environments ultimately exposes them to an increased attack surface. Today, we’re going to cover what you need to know about OT security, how it differs from IT, and why it’s a growing area of concern. We’re also going to discuss how to build resilient operations and also who’s responsible for securing OT. I’m joined in our virtual studio by Cara Haffey, our UK industrial manufacturing leader; and Sean Sutton, a partner from our cyber security practice, and we’re going to help you cover the basics.
Cara, Sean, thanks for joining us.
Sean Sutton: Hey Abi, no problem, happy to help.
Cara Haffey: Thanks Abi, good to be here.
Cara: It’s a really interesting point, because we in manufacturing have talked about operations - everybody understands what that term means Abi, but actually we tend not to use the phrase operational technology, but I’ve certainly heard it more and more recently. What does it mean to me? It means where you’ve got operations happening, but those are done through a software or hardware system that works alongside that and controls and executes those processes on the shop floor. An example of that for me would be CNC [numerical control] machines, and everything that we are using to produce, monitor and control processes in our manual operations.
Sean: Thanks Cara, OT security is really an extension of IT security. I would like to say it’s a new thing, but actually it’s as important and it’s been around for a long time, it’s just now that companies are really starting to understand that as well as securing their IT infrastructure, their business and their enterprise infrastructure, it’s equally as important to make sure that the operational technology environments are secure. But that brings with it some additional challenges. Whilst the principles of cyber security are the same - you need to make sure you’re patching systems, where you can restrict access, make sure things are segregated as much as they can be - the implementation of those sorts of security controls can be quite a lot harder in an operational technology environment. The other challenge that we see as well actually is that the responsibility for ownership of the cyber problem, as it relates to OT, can actually vary quite a lot. You can find that, whilst some organisations it does sit with the chief information security officer, or the chief information officer, often operational technology security sits with a whole host of other stakeholders across the business, whether that’s a site director, or even a business supply chain owner.
So part of the challenge that we see is that organisations are struggling to understand, perhaps, who has got the responsibility for looking after OT cyber, let alone then how do we actually meet some of the difficulties and implement some of the security controls that we need to. It’s a real challenge actually, but as we see society becoming increasingly digital, these systems really are getting opened up for attack.
Cara: Yeah, we certainly see that in manufacturing, Sean. If I think of what I read about or how I feel as a consumer, it’s about financial crime, and looking at kind of how that plays through, but actually when I come into my industry role, I just don’t think it's something that we’ve focused on enough in security of our operational technology. If I think about how digital everything is going, I might be, working with clients on digitalisation, you know putting in robotic process automation, or thinking about their client technology, I still think that we are talking in my sector about the finance and security around laptops and systems, and maybe not so much yet about operational technology. And really, where we should place the priority on that cyber security, is actually where it would potentially hurt my clients the most would be on the manufacturing floor in the organisations. I do fear that there are quite a lot of vulnerabilities there at the moment, but we are seeing people really look at this now, and really think about who’s responsible for that and what can we do. In one of our recent surveys, 63% of firms are placing a really high priority on this now and looking at it hopefully over the next couple of years. But maybe that’s enough, Abi, we can dive into other parts.
Abi: Thanks both, it’s great for that real introduction on how many sectors are impacted by this. Cara, I would like to dive deeper into manufacturing. Being from the threat intelligence team myself, what you mentioned particularly around transformation, reflects really what we are seeing in the threat landscape. One significant threat we’ve seen emerge is posed by ransomware. In addition to encrypting business and operationally critical systems, these criminal threat actors are increasingly stealing their victim’s data during an attack, and then threatening to expose it on leak sites if their ransom demand is not met.
We monitor these leak sites and in 2020 we found that manufacturers were the most frequently targeted of all sectors and there also appeared to be a shift towards disproportionately targeting industrial sectors.
Sean: Yes sure, it is, you’re right, unfortunately something we are seeing increasing in terms of its prevalence, its sophistication, and ransomware is unfortunately becoming probably the main theme behind a lot of the attacks that we see. If we just step back slightly and look at, on a broader critical national infrastructure, what you would typically find is that the threat actors that will generally target a country’s critical national infrastructure are very well abled nation states. Now clearly nation states aren’t going to have as much interest in lots of manufacturers (although in certain instances, like aerospace, they obviously do take quite a key interest in what some of those organisations are doing), but what we find is that, as with a lot of other threats and hacking techniques, that the tools and the techniques over time become more accessible, the barrier to entry, if you like, becomes a little bit lower. What you will find is that criminal gangs are then starting to pick up some of those capabilities and criminal gangs being motivated by profit, then see the manufacturing sector as a sector they can really target with some of these quite sophisticated ransomware-based attacks. We’re definitely seeing an increase in focus, just generally, across the broader industrial manufacturing sectors.
Couple of examples, obviously without providing too many specific details. One of the organisations with whom we work did have a ransomware attack on one of their industrial control systems. And actually, what they had to do, as part of the initial triage, was they had to shut down the production and distribution of some of the processes within that site. Now that had quite a big knock on effect to some of their downstream customers. The immediate impact, just from dealing with that event, and when I say just the immediate impact, I mean the actual triage of investigation into, and clean up following. There was a significant cost, it was over 50 million, but in terms of the downstream knock on implication for their customers, that as a business cost was much broader.
The other example that I’ll point out, sort of similar, although this is actually a little bit more sophisticated, targeted some robotic systems that were used in a global manufacturer. The attack was so significant that this particular manufacturer had to turn off their global production for two days whilst they dealt with the incident. The cost of that was significant and had a very huge implication for the organisation, but unfortunately these are the types of things that we are seeing happen more often, the impact of forced shutdown on this MV (motorised vehicle) line is certainly nothing that any production manager or facility owner would like to see, but unfortunately it is what happens if a cyber breach occurs.
Abi: Thanks for walking us through those, Sean. Although ransomware is prevalent in all sectors currently, it sounds like attacks against manufacturing and OT have the real potential to result in critical operational and business ramifications.
Cara: You’re absolutely right, Abi. We’ve just been through the period of COVID-19, where already the resilience of supply chains for our clients was tested. We’re sitting from the point of view of, if you are looking at your supply chain at the minute, you’ve been thinking about the physical resilience of it, where you are getting supply. We’ve had the historic thoughts and implications of these attacks being on the financial, getting people to pay money over, or fraudulently sending emails, and getting financial ransoms like that. Therefore, where you extend this in manufacturing, and maybe some of the things that people don’t think about is the downtime and the productivity issues, as well as the supply chain, and for the business itself, but then also for how supply chains are so linked in this industry. So, I think about, just in time, actually you’ve got a huge ecosystem of manufacturing around an assembly plant or a manufacturing operation, and those are now very linked through systems. So whilst you may be thinking of your own borders around your business and your operation, actually there are some huge vulnerabilities through the supply chain and the third parties, particularly where that’s all so linked and so just in time. If that supply chain starts to fail, then obviously very quickly the ramifications are there. As Sean touched on, unfortunately, I’ve been privileged to be in my role leading this industry for PwC in the UK for a while now. We used to talk about these things as if they were possible and unfortunately Sean and my other cyber security colleagues are now seeing this in assembly lines shut for two days. This is something we used to talk about, unfortunately it's now happening. But Sean, I suppose it is wider than that. We’ve seen the reputational and other things, which are just huge, I’ll pass to you for some of those types of examples.
Sean: Yeah absolutely, you’re right. You’ve got the immediate cost of clear up after the breach, potentially you’ve got the ransomware to pay or not pay, depending on what your decision process is around that, but actually it’s the broader implication of the reputational damage, certainly if you’ve had customers or suppliers or businesses that you supply to impacted. They might well look at what their own business resilience might require in terms of changing supplier. The reputational impact that can arise from a cyber attack is really quite broad. We are seeing, certainly in industries now, looking at the supply chain security a lot more closely. A very simple example is in automotive. German automotives have put together and are backing a TISAX (Trusted Information Security Assessment Exchange) in the automotive supply chain security standards. So what they’re expecting their suppliers to do now in terms of meeting a higher bar of security, clearly is all about them being able to protect their own business and their own brands. It’s got broader ramifications than just the immediate cost of addressing the cyber attack itself, it is certainly a broader issue that businesses need to be considering around.
Abi: Thanks both for delving into these, especially the longer-term implications of an attack, especially ransomware, to circle back to Sean’s point.
Sean: So I think a great starting point really is just to understand what assets you’ve got, where are those OT assets, how are they connected to your infrastructure, how are they connected maybe to your IT enterprise networks, how are people remote to your business maybe able to access the environment. Understand the assets, understand the threats, understand the vulnerabilities, and really plan and build out your knowledge of what that threat profile looks like for your organisation. Perform the risk assessment, really understand how you’re going to address some of the threats and the risks that you’ve identified. Make sure that you do that on an ongoing basis as well, it’s not just a one-off activity, unfortunately the cyber threat changes all the time, so you need to keep revisiting your estate, understanding what the changes are, how that might change your threat landscape, and then plan out your remediation activities. Some of those things can focus on basics, making sure you’ve got good patching in place where you can, making sure you’ve got mitigating controls for perhaps systems that you can’t patch.
Then there’s a whole host of other things that you can do to build layers of security into and around your operational technology environment, but it is really important as well to make sure you don’t miss the understanding of the culture. Some of the challenges we see actually it’s a little bit more about hearts and minds, and it isn’t necessarily just the technology change. Making sure you’ve got a good clear governance structure in place, making sure that people understand their roles and responsibilities, is equally as important as making sure you’ve got some really solid security controls in the environment.
Outro by our host, Abigail Wilson: Completely agree on your final point around culture and responsibility and especially talking around whose role cyber security is. This is actually a recurring theme we’ve picked up on during earlier episodes of our podcast. Cyber security is a company-wide challenge, and it really needs to be driven into all parts of an organisation.
Thank you, Sean and Cara, for joining us, and for that great discussion on the importance of operational technology security, and how it’s really impacting the manufacturing sector. For more on how you can tackle OT security issues, visit our website at pwc.co.uk/otsecurity. And don’t forget to subscribe to receive future episodes. See you next time.