
Alarming Signs on Operational Technology Cybersecurity

Reports from OT cybersecurity thought leaders paint an alarming picture for food and beverage manufacturers regarding cybersecurity threats to their operations. Here’s how you can mitigate those risks.

NIST Cybersecurity Framework
The National Institute of Standards and Technology (NIST) released its Cybersecurity Framework 2.0 earlier this year, a framework with guidelines for organizations to manage their cybersecurity risks.

During a recent meeting, FSO Institute’s Manufacturing Health Roundtable (MHRT) explored the importance of cybersecurity, especially threats to operational technology (OT) in manufacturing, to business continuity.

What follows are a few key points from that discussion and some operational insights by FSO Institute Coach Roman Havriliak, formerly of Pfizer, and an information technology thought leader.

1. Some alarming signs

Reports from OT cybersecurity thought leaders at Dragos paint an alarming picture of the cybersecurity threats facing food and beverage manufacturers. Just a few months ago, multiple cybersecurity organizations including EPA, NSA, USDA, and FDA urgently warned of current threats to OT manufacturing systems. Globally, North America had a disproportionate number of ransomware incidents by region in Q2/2024 (187), compared with the next highest region, Europe, at 82.

Manufacturing leads ransomware incidents by industrial control systems (ICS) sector, registering 210 incidents in Q2/2024, with transportation, government, and oil and gas trailing significantly. Ransomware incidents by manufacturing subsector in Q2/2024 were led by construction (33), followed closely by consumer food and beverage (27). MHRT members shared some of their own experiences with cybersecurity disruptions, both direct (their company) and indirect (their supplier companies), that underscored the significance of this issue for business continuity.

2. Bridging the IT/OT divide to mitigate the threat

MHRT members are unanimous in their belief that collaboration between information technology (IT) and operational technology (OT) is critical to mitigating cybersecurity threats to manufacturing. One of the most useful tools to bridge this divide comes from the PMMI MaX Forum, which recently published a work document, Bridging the IT-OT Gap on Cybersecurity. It highlights the key differences and compatibilities of the two systems, including the corporate functions and operating systems covered by each (common corporate functions versus systems that focus on physical transformation of a product), the end point being managed (a human using a computing device versus physical assets like pumps, motors, valves, etc.), the purpose of software applications (people-centric, to help people do their jobs, versus device-centric, to help make product by controlling physical equipment), the type of data processing (transactional versus real time), and the highest priorities (data security, integrity and availability versus production operations and customer deadlines). To sum it up, IT focuses on data and communications while OT focuses on machine behavior and outcomes. The document highlights the constraints placed on both IT and OT and presents solutions for overcoming them.

3. Implementing a framework for managing cybersecurity risk

MHRT members shared some of the cybersecurity challenges they have faced and the solutions they found. Most of these fall into what is perhaps one of the most useful frameworks for managing cybersecurity risk, the NIST Cybersecurity Framework (CSF) 2.0, published in February 2024. The National Institute of Standards and Technology is a governmental agency responsible for advancing technology and security standards within the United States. Here’s a brief description of each element of the framework:

Govern – Ensuring that the organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.

Identify – Ensuring that the organization’s current cybersecurity risks are described and understood.