Across the last few years the production and distribution of goods has embraced digital transformation, particularly in supply chain and manufacturing. The same systems that provide efficiencies to business (and lower costs to consumers) can have an unintended side effect – an expanded attack surface for cyber criminals to exploit.
A very public example of this was last year’s Colonial Pipeline failure, where threat actors were able to breach a billing server that was connected to devices that controlled the flow through the pipeline. Within 30 minutes of being breached, the pipeline was shut down. Digitally connected non-IT devices, whether IoT, OT, or ICS, are increasingly part of manufacturing and supply chain operations and therefore can be “weaponized” as part of a cyber attack process.
Businesses historically have focused on gaining business efficiencies (as is their responsibility to their shareholders), and in doing so have to carefully balance organizational risk against those efficiencies. Digitally connected manufacturing, supply chains, and distribution mechanisms are already indispensable to many organizations; as an example, think about cold chain logistics systems like what was needed to bring COVID vaccines to people. It would have been impossible to ship the vaccines without that digitally connected supply chain continuously monitoring and assessing whether the pharmaceutical is safe to use; yet at the same time the expanded number of digital devices and connections (if vulnerable) creates a larger attack surface for threat actors to exploit.
Another reason why the threat of increased cyber attacks needs to be taken seriously is that the growth in devices used by organizations has dramatically shifted in the last few years from traditional IT systems (think servers, desktops, and networks) to IoT (Internet of Things) devices such as would be used in manufacturing and supply chain. There are robust IT security solutions that are well prepared to detect and remediate vulnerabilities on IT systems; however, they do not work on IoT devices due to unique IoT operating systems, non-standard interfaces and communication protocols, and the inability of IoT devices to support the agents used in IT security solutions. This is leading to older (already solved) IT cyber threats like man-in-the-middle attacks being used successfully against IoT assets; organizations need to deploy cyber remediation solutions that support the unique nature of IoT.
Organizations would be best served by bringing together their IT security experts with the lines of business (LOBs) that operate IoT devices (like manufacturing, facilities, physical security, logistics, and so forth) to develop and deploy new solutions to the new threats represented by IoT across the LOBs. Viakoo has seen over the last couple of years leading organizations form IoT cyber committees to bring IT and LOBs together with great success. Combined with effective audit and compliance processes, bringing vulnerable IoT devices into a corporate security framework is critical to withstanding the tidal wave of IoT cyber threats facing organizations.
Another approach (in conjunction with forming an IoT committee) is to enforce existing corporate information security (InfoSec) policies across all IP-connected devices, whether run by IT or by the LOB. There should be no devices operating on a network unless they either are compliant with InfoSec policy or have been granted an explicit exemption from it.
In summary, the risk to organizations from vulnerable IoT devices used in manufacturing and supply chain has become a high priority, with board-level visibility. Making sure every device (IT or non-IT) is visible, operational, and secure takes teamwork across the line of business, IT, and the CISO organization. In addition, it takes automation to ensure that vulnerability remediation is matched to the scale of IoT devices. The good news is that these are solvable problems, and leading organizations are already showing that, with the right internal coordination, action can be taken to shrink the IoT attack surface.