A House of Cards: Shoring Up the OT Digital

OTORIO's 2022 OT Cybersecurity Survey Reveals: The OT Digital Supply Chain is Exposed

by Daniel Bren, CEO and Co-founder, OTORIO

Today’s OT networks drive production floors built on an ecosystem of third-party services, devices and infrastructure, each of which is built on other third-party services, devices and infrastructure, which are built on other third-party services, devices and infrastructure. 

This makes the OT digital supply chain a house of cards from a cybersecurity perspective. Pull one card out, and it all comes tumbling down. A breach anywhere along these chains can lead to a compromise of production, services, users, customers, and even business continuity.

Hackers know this, of course. It’s why they’re increasingly targeting the OT infrastructure of third-party vendors - rather than making the effort to frontally attack the security perimeters of targeted organizations. And as we learned from the Solarwinds, Codecov, Kaseya and most recently Transnet attacks, threats to the OT supply chain are serious, real, and rapidly-growing. In all these (and many other) attacks, hundreds of organizations were impacted because of a vulnerability exploited in one service provider.

Thus, it was not surprising to learn that the majority (53%) of respondents to the recent 2022 OT Cybersecurity Survey put supply chain attacks in their top three cybersecurity concerns, or that 99% reported a supply chain attack in the last 12 months. The question isn’t whether there’s a problem or an awareness of the problem – but rather, what can be done?

Rethinking the OT Cybersecurity Supply Chain

Even as operators, manufacturers and machinery builders invest heavily in the cybersecurity of their own networks and equipment, hackers have turned their focus towards highly-complex upstream and downstream manufacturing ecosystems. The impact of this trend is exacerbated by the inherent complexity of securing operational environments.

Any organization – service provider, manufacturer, machine builder, or vendor – is only as strong as the weakest link IN their supply chain. Given the dynamic threat landscape and continuously-changing technology stack - machine builders and service providers ultimately become part of the end customer’s supply chain. This means that machine builder and service provider cyber responsibility can no longer end after the Site Acceptance Test (SAT).

Any player with remote access to the production environment is a potential vulnerability or threat to the entire supply chain. 

What needs to be done? For starters, machine builders and service providers need to ensure that each machine or service is fully secured and compliant before delivery. Already, manufacturers are asking for proof of such security and compliance. In fact, 96% of survey respondents already require their supply chain vendors to provide a cyber certificate for their hardware or software. The remainder plan to start requiring this in 2022.

Machine builders are today expected to quickly perform automated checks and provide auditable reports during the SAT phase. Manufacturers and operators are also demanding ongoing responsibility for the cybersecurity and cyber-resiliency of delivered machines. This requires a rethinking of how machines are certified as cybersecure. 

To meet customer demands, machine builders need to adopt technology that facilitates the identification, tracking and mitigation of vulnerabilities on every machine at every customer site - including every on-board asset from every vendor. They also need to make sure their machines are aligned with industry best practices, customer security and other policies, warranty and service requirements, and constantly-evolving international and local regulations. And they need to proactively notify customers in real-time when new vulnerabilities are discovered, as well as provide clear remediation guidelines in real or near-real-time.

What about End Users? 

End users (both manufacturers and operators) are increasingly aware and concerned about attacks that originate in their supply chains. In the aforementioned survey, 83% of respondents reported that they were “highly concerned” and 17% were “somewhat concerned” about this. Now, this awareness is being translated into action. 

In addition to proactively and continuously assessing the risks and security gaps in their environments, manufacturers and operators are requiring that every machine, system, device or service be checked for cybersecurity, regulatory, and contractual requirements before being delivered. To lower risk and liability, these organizations are implementing micro-segmentation technology and limiting access to third-party suppliers based on the principles of least privilege and zero trust.

How OTORIO Can Help

OTORIO helps both end users and machine builders shore up the house of cards that is the digital supply chain - meeting existing and emerging challenges of OT network and asset vulnerability. 

spOT™ helps industrial manufacturing companies manage OT risk assessments. spOT identifies threats, instructs operating floor personnel how to best mitigate them, and automatically generates a security controls, risk, compliance and governance assessment. All this shortens audit time and required resources by up to 75%. [learn more]

For machine manufacturers, spOT Lifecycle delivers full asset-level visibility over all machines and their assets, even those not connected to a network. spOT automatically identifies security threats, alerting before vulnerabilities become liabilities. [learn more]

For more information on how spOT can help your organization, contact us