Top 5 Possible Trends in OT Security Market (emphasis on ICS) in 2023 & Next Few Years

This post is also available in: עברית (Hebrew)

By: Or Shalom, HLS expert

OT networks are continuing to pose a security risk for cyber security personnel. In addition to routine attacks, ransomware attacks have become more popular in the last couple of years, which caused labor strikes and have had a significant impact on product production, activity in the assembly lines and have showcased the cyber threat and its implications on the industry. As we begin to examine the possible trends, it will be beneficial to following the progress of global standardization (focusing on SANS, NIST, the US National Cyber Security Agency, as well as its British, Israeli, UAE equivalent etc.) which has changed the security mindset of factory assembly lines. This, in addition to drawing conclusions from cyber events, trends and the development of technology.

The 4.0 Industry Prefers the Layers of The Purdue Model:

The fourth industrial revolution, the 4.0 industry, is a synonym to the industrial and automation revolution. It allows for optimization processes via computer based algorithms which goal is to track and optimize the processes that create the assembly line. By utilizing these algorithms, a connection is created between different systems in different environments (organizational and external), planning of organizational resources (ERP) and of course saving a significant amount of money, resources, time, and manpower. Via these actions you can, for example, execute a fully automized assembly line with automatic reports regarding stock against product production in a way that will already take care of ordering future resources for the assembly line. And all of this happens in real time with no need for human intervention.

These processes are based on external environments and the industrial IOT, processing procedures (development tools, AI, ML), the calculation of many resources needed for a strong infrastructure and a cloud environment. This outlook warrants changes in the traditional process of the manufacturing environment, which up until this point was isolated in an air gap environment from the internet. If that many industry components include IoT abilities, this will require proper preparations that will impact the process of isolation and classification. Thusly, if the use of a diode was carried out in a one way fashion in certain situations from the operational network, the 4.0 industry shows a different future. This future requires for supervision over information flow processes to and from the network, thus requiring the usage of double diodes (and even further regulation). The planning of such information transfer processes must rely on filtration laws based on definitions of time, volume, examination of types of files and protocols, as well as the need to add self-analysis laws to the monitoring procedures.

The use of IoT requires preparation and planning. These components are a target to cyber crimination since by utilizing them the attackers could “skip straight” to the network. Therefore, in even as soon as the network characterization stage we must characterize a plan to prevent attacks on these components, or attacks which take advantage of them. This plan will include, among other things, process to block scanning attempts (such as Shodan engines and its domains), a process of tracking and permitting only registered protocols and application to enter the network, controlling the flow of information, processes to monitor and detect standards that have been used or attacked in order to isolate them from the whole network and prevent the spread of malicious programs. Since this operational network requires aspects relating to safety as well, there must be processes to monitor and make decisions accordingly to events that entail the intervention of humans.

As was previously stated, these trends will require security efforts and the execution of cyber security monitoring in the 4^th and 5^th level of the Purdue model against organizational interfaces and access to the internet.

Strengthening PLCs Against Cyber Events:

The last few years have shown us that there is a decent amount of vulnerabilities in the PLCs themselves [1] . These vulnerabilities, allowed for the creation of many attack forms and have had an impact on cyber security as a whole. Therefore, there must be through put into protecting the PLC and its environment. Attacks see the opportunity to access the PLC environment, in an unauthorized fashion, and create functional changes in the programming of the PLC, which consequences show immediately through a physical process in the assembly line (changing of the production process, the balance of resources, blocking or releasing of resources, overwhelming machines etc.). This information has a large influence on the security PLC market and the need to equip yourself with secured PLCs with the ability to carry out logical security functions inside the program of the PLC [2] . Additional requirements may be explored in compiling of program versions prior to the loading of the PLC as part of the effort to prevent any external influences from the PLC environment. An additional factor that might influence the examination of PLCs is located at level zero. This process will allow us to monitor security events while crossing them with previous measurement and physical activity as it is opposed to the documented computer actions (for example level zero against level three, etc.). One of the clear advantages of monitoring at level zero is the ability to examine measurements and physical activity such as the flow of electricity, number of rounds and more without being dependent of the existing information in the network.

As part of protection of the PLC environments, there exist requirements which are related to the methods and process that ensure back-up procedures and the ability to quickly recover in the assembly line. These processes were related t PLCs as well, however they were complicated, relied on human resources and demanded time to carry them out, as they were not automatic. We see that in the last few years many new and interesting solutions were developed based on hardware and backup procedures in the PLC environment, that guarantee full recovery as part of an automatic process. These abilities will influence efficiency procedures in the next few years as part of the need for security and additional technologies implements in the PLC environment.

Influences on Preparation Procedures for Business Continuity: 

During the last few years, in part due to the COVID-19 epidemic which causes a rise in cyber threats, many attackers were successful in shutting down a number of active assembly lines. Among the sectors which were influenced were: the pharmaceutical industry, chip industry, automotive industry, steel industry and more [3] . The operational complexity requires a need for business continuity at the assembly line, but also preparation for cyber crisis with the goal of fast recovery from these potential cyber-attacks. These preparations for industrial continuity are ingrained in a preparational process of mapping dangers to detect the most critical areas and components via two main goal [4] . One, is the ability to plan better security around the area of components in order to reduce the chances of attack. Two, is the ability to equip the assembly line with spare critical components (in case of an attack/malfunction) in order to prevent possible dangers that may have significant consequences on time or supply and volume. Often long equipment procedures are dependent of purchasing expensive components that don’t necessarily exist in spare supply with long waiting periods between orders. The period of grounding airplanes was an example of this, and a new threat was born accordingly that must be calculated in relation to operational environments and monitoring systems. Furthermore, mapping existing threats will allow for detailed reports of especially critical areas and prepare for equipment of components that will allow fast recovery of business continuity. There are quite a few models that process and detect these components (bases on examination of procedures, analysis of commands, etc.) as well as additional technologies for mapping in industrial environments [5] . In this process it is advised to concentrate security efforts, redundancy, ability to continue functioning around these following assets:

• PLC – as components that monitor and control processes
• Data historian – as a program that prioritizes all network activity of the assembly line (including activity times, failure, and additional useful information)
• Engineering workstation – as a critical station, dedicated to the formation of the network, its maintenance and examination of monitoring systems applications and other equipment of the monitoring system.
• HMI station – as a possible viewing, tracking and data control station

Examining Supplier Threats and The Supply Chain Processes:

The events that took place in the last few years have raised many conclusions to minimize supply chain threats and threats from the suppliers themselves. For example, we can examine the events that influences the automotive industry and which raise many important points of thought regarding supplier redundancy in order to avoid dependency on one single supplier. [6] The Japanese automotive company Toyota and its Just In time method of dependency on a single supplier proved to be an obstacle during a cyber events. Though the company showed fast recovery and a return to routine activity after a couple of days, the losses and consequences of the attack did not go unnoticed.

Mapping possible dangers from the clients side regarding the assembly line will encourage technologies and different services that will focus on possible threats in the supply chain. Beyond the technological monitoring, there will also be a need for the involvement of judicial personnel that will work with industry relevants in order to aid the business, the factory, or the assembly line with the possible losses. As part of preparations for possible threats in the supply chain there will be a need to communicate and work with a number of suppliers. The suppliers will be required to be transparent (as part of a judicial contract) and to prove readiness against cyber-attacks, both in threat examinations and PT, as well as utilizing online tools for early detection. The CISA published an important document during October 2022 which relates to the equipment of supply chain procedural software. The document details recommended methods of work, processes to prepare supplier prior to the signing of a contact, etc..[7]  The ability to examine possible threats from suppliers, to prepare for events and respond to these possible events in the chain is just as critical as the ability for fast recovery on the supply chain.

Change of Management and Prioritization Perception for Cyber Security Missions in The Assembly Line:

Throughout the years, it has been proven that being involved with assembly line cyber security is complicated and maybe not even required from management. Since, this is a complicated environment, with many types of components, protocol programs and different manufacturers. Traditional machinery will not always have a security solution, but more than anything there is a fear that involvement in the process might damage or lead to the halting of labor in the production and assembly lines. The cyber market which has adjusted itself to the world of assembly lines and OT networks, as well as the many cyber attacks in recent years, has developed an understanding that we must prioritize the treatment and protection of the assembly lines. For management, cyber threats have a high priority since they can not only lead to financial damages, but image damages and even judicial damages. Due to this understanding, there is a need for management to receive a plan to minimize possible risks in the cyber realm. Therefore, there must be an orderly, methodical, and correct method that will justify the management’s investment of resources and funds. In order to ensure a correct structuring of a plan, there must be a continues flow of intelligence. This process adds an additional value that will maintain knowledge of recent and current threats via following interest patterns, attack patterns, and attacks themselves. This process allows for detection and tracking of the interest of malicious elements surrounding certain components and specific models (this also influenced the prioritization of intelligence based trends).

As part of cyber readiness procedures in the assembly line, there is a need for partnership with high management. There are many processes which depend on contracts, judicial permits and requirements, funding resources (equipment of components or preparation for activating teams in case of an attack), a organizational speaker etc. Furthermore, a cyber crisis exercise has additional value in its synergy creation, understanding the cyber reality which is experienced during training and the exercise itself, as well as conclusions that might arise for debate and the prioritization of the management in regard to future cyber readiness.

It is of no doubt that the abilities and threats will continue to challenge cyber security in the OT network realm, as well as other. The protection of assembly lines is complicated due to its operational, security and employee safety consequences. The events that transpired during the last few years and the exposure to attacks (such as ransomware) and its influence on assembly line have changed the prioritization and the requirement of managers in regard to a cyber security plan. The 4.0 industry, mostly IoT, requires appropriate security preparations due to the possible risks that come with connectivity to external networks and the internet. These all will contribute to R&D in these arenas that will influence the cyber security market in significant ways, as well as the solutions of OT network, assembly lines and SCADA.

Or Shalom – Security and cyber expert and consultant to government ministries and defense industries, international business development consultant for companies in the fields of HLS and cyber and leads centers of excellence and advanced training programs in Cyber and HLS for various organizations in the civilian, security, industry, and academic sectors. He holds a master’s degree, as well as civil and national qualifications in the realm of HLS and Cyber Security. He has experience in security, innovation, planning, and characterization of technological security systems, HLS, and Cyber preparedness.

Prepared to dive into the world of futuristic technology? Attend INNOTECH 2023, the international convention and exhibition for cyber, HLS and innovation at Expo, Tel Aviv, on March 29^th-30^th

Interested in sponsoring / a display booth at the 2023 INNOTECH exhibition? Click here for details!

[1] https://i.blackhat.com/USA-22/Wednesday/US-22-Bitan-Revealing-S7-PLCs.pdf

[2] https://plc-security.com/

[3] https://www.otorio.com/blog/kia-ransomware-attack-part-of-an-automotive-cyberattacks-trend/

[4] https://www.youtube.com/watch?v=wCKYE4Hfiuw&t=565s

[5] https://arxiv.org/abs/1905.04796

[6] https://www.malwarebytes.com/blog/news/2022/03/toyotas-just-in-time-manufacturing-faced-with-disruptive-cyberattack

[7] https://www.cisa.gov/uscert/sites/default/files/publications/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF