OT Security for Industry 4.0: Three Best Practices

October 30, 2023

How to secure an OT manufacturing environment that accounts for growing IIoT adoption.

By Stefan Keller, chief product officer, Open Systems

Manufacturers face a unique set of challenges. They need to be nimble and able to rapidly scale to meet supply chain demand and realize the promise of Industry 4.0, while also managing an increasingly distributed workforce. They need a competitive edge in a crowded global market, which means adopting innovations such as Industrial Internet of Things (IIoT) technologies to optimize operations.

As a result, IIoT adoption is growing. The IoT market in the manufacturing sector is expected to grow from $209B in 2022 to $461B in 2027, according to a Research and Markets study. These IIoT devices, a subset of operational technology (OT) devices, need to be secured to ensure OT integrity. Organizations are already facing an increased number of attacks on OT environments, according to McKinsey. Consequently, manufacturers face risks of disruption due to subpar OT security.

Many manufacturers use the Purdue Model, which relies on air gaps for security, as an architecture for their OT security practices. Previously, there was no concern about IT threats in OT environments because both environments were air-gapped, but that is no longer the case.

IIoT devices connect directly to the internet, which in turn makes OT environments vulnerable to external threats and malware. With manufacturers’ employees and partners increasingly working remotely, the OT environment must be exposed to the internet to support this remote style of work. This convergence of IT and OT requires an expansion of IT security systems to secure IIoT and OT networks.

Here are three best practices for improving OT security:

  1. Deploy a dedicated OT firewall. Start with global, standardized policies to help simplify an organization’s systems, which reduces the chance of errors and improves security posture. Using an OT firewall enables organizations to detect and prevent threats by using intrusion detection systems and intrusion prevention systems (IDS/IPS). What’s more, OT firewalls can enable better visibility of traffic flow within OT and between OT and IT. It can be surprising to see how much OT-IT traffic there is and how much IIoT devices change traffic flow.
  2. Properly segment the OT network. This can be done by leveraging OT firewalls. While OT segmentation is not as flexible as that of IT networks, it is effective. For most organizations, we recommend segmenting the OT network into common OT zones, which usually include core, monitoring, management, legacy and buffer. For example, the core zone is central to producing goods and must be isolated and protected so it can run 24/7. Meanwhile, the buffer zone is often referred to as a DMZ and is required to separate IT and OT zones.
  3. Implement ZTNA, not VPN, for remote access to OT devices. Zero trust network access (ZTNA) can be used to support the Purdue Model. Using ZTNA instead of VPN increases security and provides application access and/or system access instead of network access. By doing this, organizations reduce the attack surface and the potential for lateral movement, which lowers OT risk. Implementing ZTNA can also be helpful for compliance purposes because it contains an audit feature set that will only permit access if the hosting organization intentionally grants approval. This audit feature set enables sessions to be recorded and stored for forensic purposes in case of a breach or incident.
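
Practices 1 and 2 combined, as an added example that is not from the article or from Open Systems: a Python check that maps flow records to the zones named above and flags flows that cross between IT and OT without passing through the buffer zone. The subnets, the zone allow-list and the sample flows are constructed assumptions.

```python
import ipaddress

# Zone names follow the article; the subnets are constructed assumptions.
ZONES = {
    "it": "10.10.0.0/16", "buffer": "10.20.0.0/24",  # buffer = DMZ
    "monitoring": "10.30.1.0/24", "management": "10.30.2.0/24",
    "legacy": "10.30.3.0/24", "core": "10.30.10.0/24",
}
NETS = {zone: ipaddress.ip_network(net) for zone, net in ZONES.items()}

# Assumed allow-list of (source zone, destination zone); all else is a finding.
ALLOWED = {
    ("it", "buffer"), ("buffer", "it"), ("management", "buffer"),
    ("buffer", "monitoring"), ("monitoring", "buffer"),
    ("monitoring", "core"), ("management", "core"),
    ("monitoring", "legacy"), ("management", "legacy"),
}

def zone_of(ip):
    """Return the zone whose subnet contains ip, or 'external'."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in NETS.items() if addr in net), "external")

def audit(flows):
    """Return (src, dst, port, reason) for each flow that violates the policy."""
    findings = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz or (sz, dz) in ALLOWED or {sz, dz} == {"it", "external"}:
            continue  # intra-zone, permitted, or ordinary IT internet traffic
        if "external" in (sz, dz):
            reason = "OT zone has a direct internet path"
        elif "it" in (sz, dz):
            reason = "IT/OT crossing bypasses the buffer zone"
        else:
            reason = f"{sz} -> {dz} is not in the zone allow-list"
        findings.append((src, dst, port, reason))
    return findings

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.10.4.7", "10.20.0.5", 443),       # IT -> buffer: allowed
    ("10.10.4.7", "10.30.10.12", 502),     # IT -> core: bypasses buffer
    ("10.30.1.20", "10.30.10.12", 44818),  # monitoring -> core: allowed
    ("10.30.3.9", "10.30.10.12", 502),     # legacy -> core: not allowed
    ("10.30.10.15", "203.0.113.50", 443),  # core -> internet: direct path
    ("10.10.4.7", "198.51.100.9", 443),    # IT -> internet: out of scope
]
```

Run over flow logs exported from the OT firewall, `audit()` turns the traffic visibility from practice 1 into a list of segmentation violations to review.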

With the convergence of IT and OT, safeguarding the OT environment is a priority. Organizations might think they can put modern OT security practices on the back burner, but they will be breached, and it will happen more quickly and more often than most expect.

Cybersecurity expert Paul Bischoff noted in a recent Comparitech study that in the last three years, US businesses specializing in manufacturing and utilities experienced 562 data breaches, with almost 91 million records put at risk. Using IBM’s estimated average cost per breached record, he estimated those breaches could have cost businesses more than $14.7 billion. In 2022 alone, he estimated that 136 data breaches targeting manufacturing and utilities have cost more than $6 billion.

By embracing these simple best practices and adapting to the evolution of OT environments, manufacturers will not only mitigate their risk but also position their organization as a forward-thinking operation that’s poised for growth and ready for the challenges and opportunities of Industry 4.0.

Stefan Keller, Chief Product Officer for Open Systems, is responsible for all aspects of product development for Open Systems’ Secure Access-as-a-Service solution. Previously, as Vice President of SASE, Stefan extended the portfolio with ZTNA and drove the company’s innovations in operational technology (OT) and was instrumental in initiating several of the company’s strategic acquisitions. Keller earned his Master of Science degree in Information Technology and Electronics from the Swiss Federal Institute of Technology (ETH).

 
