By Bruce Geiselman
All companies need to plan for the possibility of a cyberattack or ransomware attack, said Marty Edwards, deputy chief technology officer at Tenable for OT and IoT.
“They should have that already written down and exercised,” he said. “That should be something that they evaluate once or twice a year with their company’s executives to make sure that everybody understands who is in charge when these things happen.”
Edwards encourages companies to have tabletop exercises involving executives, engineers, and security personnel. During those exercises, they should evaluate what would happen to their business operations if specific pieces of equipment became unavailable because of ransomware. How much would they be willing to pay for ransom? They need to identify and evaluate the experts available to them who could aid in a recovery. Company executives also need to decide what they would tell company shareholders, employees and customers in the event of an attack.
Most experts recommend not paying a ransom because it encourages cybercriminals, but circumstances will dictate a company’s decision on whether to pay. For example, a company might have little choice if it lacks good back-up and recovery plans, he said.
The greatest vulnerabilities for many manufacturers might be their operational technology, or OT, networks, Edwards said. A lot of companies have taken steps to tighten up security on their IT (business) network but failed to take similar steps to address vulnerabilities in their operational networks, he said.
Twenty years ago, when many pieces of industrial equipment still in use were purchased, industrial control systems and PLC systems in factories and manufacturing plants were completely isolated from the corporate network. However, over the years, the number of connections between OT and IT systems has gone up, as company executives look to data to gain insights into various aspects of their business, from how many parts they’re producing to the consumables they’re using.
“Those connections keep increasing,” Edwards said. “We’ve continued to improve cybersecurity on the corporate [IT] site … Unfortunately, what we have not done in most cases is improve the security on the operational technology side of the house. The factory is still running the same PLC that was installed 20 years ago, and it’s never been updated because the old adage is, ‘if it ain’t broke, don’t fix it.’ Well, unfortunately, some of those older PLCs and computers that are in the factories have significant vulnerabilities in them.”
Once in the OT network, cybercriminals can then attempt to pivot to access information from IT systems.
In addition to updating OT software, companies should have the ability to flag abnormal situations, such as pieces of equipment communicating with each other that normally wouldn’t or spotting what appears to be a PLC that shouldn’t be on the network. Software from companies like Tenable can help identify those anomalies, but the software won’t help unless a company has the proper personnel in place to act on the information.
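As an added illustration of the anomaly flagging described above (this is not code from the article or from Tenable), the following Python script compares constructed OT flow records against an assumed asset inventory and a baseline of normal conversations, reporting a device that is not in the inventory and a PLC-to-PLC conversation that has never been seen. The IP addresses, device names and log format are all constructed for the example.

```python
import re
# Constructed baseline (assumed): the OT assets you expect and the conversations
# they normally hold, e.g. from an asset inventory plus observed traffic.
KNOWN_ASSETS = {
    "10.10.1.5": "HMI-1",
    "10.10.1.20": "PLC-Line1",
    "10.10.1.21": "PLC-Line2",
    "10.10.1.50": "Historian",
}
BASELINE_PAIRS = {  # unordered, so replies do not trigger alerts
    frozenset({"10.10.1.5", "10.10.1.20"}),   # HMI polls PLC-Line1
    frozenset({"10.10.1.5", "10.10.1.21"}),   # HMI polls PLC-Line2
    frozenset({"10.10.1.50", "10.10.1.20"}),  # Historian reads PLC-Line1
    frozenset({"10.10.1.50", "10.10.1.21"}),  # Historian reads PLC-Line2
}
# Constructed flow-record format, one line per flow (hypothetical exporter).
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+)")

def flag_anomalies(lines, assets=KNOWN_ASSETS, baseline=BASELINE_PAIRS):
    """Return de-duplicated (kind, detail) alerts for flows that involve an
    uninventoried device or a conversation outside the baseline."""
    alerts, seen = [], set()
    for line in lines:
        m = FLOW_RE.search(line)
        if not m:
            continue  # not a flow record; skip it rather than fail
        src, dst, proto = m.groups()
        unknown = [ip for ip in (src, dst) if ip not in assets]
        if unknown:  # an uninventoried device outranks the pair finding
            for ip in unknown:
                if ("unknown_device", ip) not in seen:
                    seen.add(("unknown_device", ip))
                    alerts.append(("unknown_device",
                                   f"{ip} not in asset inventory (seen on {proto})"))
            continue
        pair = frozenset({src, dst})
        if pair not in baseline and ("unexpected_pair", pair) not in seen:
            seen.add(("unexpected_pair", pair))
            alerts.append(("unexpected_pair",
                           f"{assets[src]} -> {assets[dst]} over {proto} not in baseline"))
    return alerts

# Constructed sample traffic: two normal flows, a never-seen PLC-to-PLC
# conversation, an uninventoried device, and a repeat of a normal flow.
SAMPLE_LOG = """\
src=10.10.1.5 dst=10.10.1.20 proto=modbus/tcp
src=10.10.1.50 dst=10.10.1.21 proto=modbus/tcp
src=10.10.1.20 dst=10.10.1.21 proto=modbus/tcp
src=10.10.1.99 dst=10.10.1.20 proto=modbus/tcp
src=10.10.1.5 dst=10.10.1.20 proto=modbus/tcp
""".splitlines()
```

Running `flag_anomalies(SAMPLE_LOG)` yields two alerts: the PLC-Line1 to PLC-Line2 conversation and the uninventoried 10.10.1.99; the repeated normal flow produces nothing.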
“I tell our customers all the time that there’s no use in buying our software if you don’t have the people to maintain and utilize it,” Edwards said. “There is no magic bullet here. You have to have a team of people that are trained and can respond to these types of incidents.”
Manufacturers can hire their own security experts or they can contract with an outside company. For example, they might have experts on a retainer who can be brought in to assist with security incidents once they are identified by software products.
Cyber insurance, which can help a manufacturer recover from a cyberattack, is one option available to companies including plastics processors. However, it’s important for the consumer to understand exactly what is covered.
“We’re seeing a shift,” Edwards said. “The recent shift is some of the major insurance companies are no longer providing ransomware coverage. They will not insure you to pay the ransom, which they used to.”
When ransomware coverage is available, it may be difficult to obtain.
“One thing is for sure, in order to obtain that type of insurance, you have to show increasingly higher amounts of due diligence in your own cybersecurity practices,” Edwards said. “The insurance companies are now looking at how well you do your cybersecurity, and if you have relatively poor cybersecurity in-house, your insurance is going to cost a lot more or perhaps you won’t be able to obtain that insurance.”
Tenable publishes an annual Threat Landscape Report to help companies identify and address known vulnerabilities.
Tenable, Columbia, Md., 410-872-0555, www.tenable.com
Bruce Geiselman, senior staff reporter