Production downtimes after cyber attacks: Vulnerabilities in OT security cause problems

IT-based industrial control systems (ICS) dominate production. They are not classified as IT, but as Operational Technology (OT). They form the heart of production - and are also all too often a potential vector for cyberattacks. According to the BSI, 70 new security vulnerabilities are discovered every day, but established protective measures often fall short in the OT environment. New approaches such as specific risk assessment, gateway solutions and AI are intended to provide a remedy.

Production comes to a standstill if a cyber attack causes the machine control system to fail. This brings OT security into focus. With new approaches, IT security providers are responding to increased cyberattacks.

Cyber attacks threaten industry. What makes this critical is that special conditions prevail here: control systems that can never be shut down, and analog systems that can still be found en masse. OT security therefore faces particular challenges. Hidden risks become visible through new security approaches.

Industry is increasingly under attack. The latest incidents in Germany include a cyberattack on the industrial group Thyssenkrupp. Following "unauthorised access to the IT infrastructure", around 1,000 employees at a plant in Saarland were affected by the incident, according to the company. The company had to take "certain applications and systems temporarily offline". However, this is not the first time that the Group has been affected by a cyber attack.

Shortly before this, battery manufacturer Varta was confronted with the consequences of a cyberattack. Five production plants were affected. IT systems and therefore also production were proactively shut down temporarily and disconnected from the internet for security reasons, according to Varta.

 

Special conditions in the production sphere

IT-based industrial control systems (ICS) dominate the production sphere. They measure, regulate and control assembly lines, filling systems, injection moulding machines and presses. These systems form the central element of industrial process control in manufacturing. Without them, production comes to a standstill. These elements are part of Operational Technology (OT) and form the heart of production. They are also indispensable core components in critical infrastructure sectors such as energy, water and food production.

At the same time, however, they often harbour a whole host of security problems. The US Cybersecurity and Infrastructure Security Agency (CISA), the counterpart in the United States to the German BSI, regularly publishes security warnings. Recently, there has been an increase in ICS alerts. The reports reached a new peak on March 14th, when CISA published 15 warnings in one go. Some of them are so serious that they could lead to the takeover or shutdown of a production plant.

 

BSI speaks of "gigantic increase in vulnerabilities"

According to the BSI, 70 new security vulnerabilities are discovered every day. At the same time, the daily number of new variants of malware programmes is rising sharply, reported BSI head Claudia Plattner during an event organised by the digital association Bitkom. According to the BSI, the current situation in IT security is characterised by "a gigantic increase in vulnerabilities".

In Plattner's opinion, there is no problem with protecting against the consequences of a cyber attack, but rather a problem with implementation. Although her agency now has around 1,800 employees, it can only help in special emergency situations, said Plattner. "However, the power to implement everything we have to do lies with the companies and institutions."

 

New approaches in OT

This is also the case in OT, but the conditions are different there. Established protective measures from the office environment are only transferable to a limited extent. Traditional solutions are therefore not enough to secure production facilities. "In the OT sector, we find systems with very complex software. In addition, the use of digital systems increases the number of software components," said Rohit Bohara, CTO at OT specialist Asvin, in an interview. This also increases the number of error sources, which massively increases the attack surface.

Bohara explains that these systems often do not receive regular updates and are therefore not up to date with the latest security standards. Numerous interfaces also complicate the situation because attackers can use them to access the components, he explains. Proprietary protocols that can only be found in OT usually prevent the use of conventional security software because it is designed for classic IT environments.

If vulnerability scans are finally carried out, they often find a large number of security gaps. Bohara explains: "There are usually so many that it is no longer clear how they can all be patched, for example because priorities are unclear or need to be determined first."

Context and environment of a system have to be taken into consideration

To safeguard OT areas, Asvin has therefore developed its own method, which the company calls "Risk By Context" (RBC). This is based on an algorithm that uses weighted graphs and contextual information to determine risk values, explains Bohara. "The method not only allows the risk to be identified and assessed, but can also determine where exactly the core risk lies in the company environment," he adds. "Once we have the RBC index, we can prioritise all locations, segments, assets and vulnerabilities."

He gives an example to illustrate how this works: If there is still a computer with Windows 95 in a network, this normally means a high risk for the company's IT. However, if this system has no network connection and is completely isolated, the risk can be considered low. "It is this kind of information that is included in the risk assessment and can play a decisive role," says Bohara.
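A minimal sketch of context-aware risk ranking on a weighted graph, added here as an illustration; it is not Asvin's RBC algorithm, which the article does not describe in detail. The network, severity and criticality values, the residual-exposure floor and the scoring formula are all constructed assumptions.

```python
import heapq

# Constructed sample plant network (not from the article). Edge weight is the
# assumed likelihood (0..1) that an attacker on the source reaches the target.
EDGES = {
    "internet": {"office-pc": 0.6},
    "office-pc": {"historian": 0.5},
    "historian": {"plc-press": 0.4, "hmi-line1": 0.7},
    "hmi-line1": {"plc-press": 0.8},
    "win95-lab": {},  # isolated legacy machine: no network links at all
}
# Constructed per-asset context: (worst vulnerability severity 0..10,
# criticality of the asset for production 0..1).
ASSETS = {
    "office-pc": (6.0, 0.2),
    "historian": (7.5, 0.6),
    "hmi-line1": (8.0, 0.8),
    "plc-press": (9.0, 1.0),
    "win95-lab": (10.0, 0.3),
}
LOCAL_FLOOR = 0.02  # assumed residual exposure (physical access, removable media)

def exposure(edges, source="internet"):
    """Most likely path from source to each asset: max product of edge weights."""
    best = {source: 1.0}
    heap = [(-1.0, source)]
    while heap:
        neg_p, node = heapq.heappop(heap)
        if -neg_p < best.get(node, 0.0):
            continue  # stale queue entry, a better path was already found
        for nxt, weight in edges.get(node, {}).items():
            p = -neg_p * weight
            if p > best.get(nxt, 0.0):
                best[nxt] = p
                heapq.heappush(heap, (-p, nxt))
    return best

def contextual_risk(edges, assets, source="internet", floor=LOCAL_FLOOR):
    """Rank assets by severity * criticality * exposure, highest risk first."""
    exp = exposure(edges, source)
    scores = {
        name: round(sev * crit * max(exp.get(name, 0.0), floor), 3)
        for name, (sev, crit) in assets.items()
    }
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for name, score in contextual_risk(EDGES, ASSETS):
        print(f"{name:10s} {score}")
```

The isolated machine has the highest raw severity but ends up last in the ranking, while the reachable, production-critical PLC comes first.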

Other OT specialists are also entering the market with new approaches. A common problem here is connecting to analogue OT systems. Specialists such as TxOne or Genua offer gateway solutions for this. Artificial intelligence is also finding its way into OT security. Providers of AI solutions, such as Darktrace, have developed their own solutions for this. So there is a lot happening in the area of OT security, which was previously neglected.

Author: Uwe Sievers

