Cyber-security management landscape of the Indian automation industry: Overview,
Experts propose five managerial action items that should form a part of an efficient and effective industrial automation security program

India"s industrial automation (IA) market is worth approximately $11 billion in 2023 and is projected to grow at a CAGR of roughly 14 percent from 2022 to 2027 to $23 billion in 2027. Key players in this industry include manufacturers producing (closed-circuit) TVs, mobile electronics, air-conditioners, automotive and aviation vehicles, energy products (gas, diesel, petrochemicals), and healthcare solutions. Some of the major brands (in both the private and public sectors) representing these players and serving the Indian IA market include General Electric, Reliance Industries, Rockwell Automation, Siemens India, Honeywell Automation, ABB India, BHEL, Mitsubishi Electric, Larsen and Toubro, and Titan Engineering.
The core technology behind the functioning of the IA market (significantly different from the traditional information technology (IT) of general non-IA enterprises) is (AI/ML-driven) intra-organisation IoT combined with operational technology (OT), embedded in Industrial IoT (IIoT) networks. Such smart networks, along with associated software and mobile applications, help each organisation:
As is popularly known, the cyber-risk terrain for IoT/OT-driven systems is quite large (when compared to non-IoT/OT systems) and rapidly evolving. Simply put, the IT wing of an IA enterprise comes with the traditional IT security challenges of data security; the OT wing of the enterprise comes with an entirely different set of IoT security, equipment ageing, and security software compatibility challenges; and the IT + IoT/OT system as a whole has an integrated set of security challenges that arise from the complex, non-linear, hard-to-measure, and unpredictable impact on the integrated IT/OT network when it is subject to cyber-incidents.
This broadened cyber-vulnerability space lets bad actors exploit IIoT cyber-security loopholes at a faster rate than the rate at which defenders become more knowledgeable and better at identifying and plugging these holes in a timely fashion. To drive home this point: according to Dragos, a market leader in IT/OT and critical infrastructure security consultancy, ransomware attacks against the IA sector in the US (a trend equally applicable to the Indian IA sector) increased by approximately 86 percent from 2022 to 2023. One of the main reasons for this widening gap is that around 80 percent of investigated vulnerabilities lie deep within IIoT networks, with more than 82 percent of IoT/OT industries anywhere around the globe, including India, having limited to no visibility within the IIoT environment. This limited visibility is often the result of insufficient investment by an IA enterprise in IA cyber-security along the dimensions of people (e.g., human-in-the-loop), process (e.g., software supply chain issues), technology (e.g., lack of security by design), and governance (e.g., compliance).
The modern IIoT-driven IA cyber-threat landscape consists of two broad classes of attackers exploiting the IT/IoT/OT security loopholes described above: opportunistic attackers, such as prolific ransomware groups seeking OT targets, and highly sophisticated threat groups, such as nation-state-driven ICS/OT threat actors mounting advanced persistent threats (APTs) against industrial infrastructure. Such cyber-attacks result in business disruption that can last from days to weeks, potentially costing enterprises hundreds of millions of dollars in multi-party cyber-risk impact.
Ransomware attacks against the IA sector in the US increased approximately 86 percent from 2022 to 2023 via opportunistic threat groups, with 72 percent of the 2023 ransomware attacks targeting 437 manufacturing entities across 104 manufacturing subsectors; similar trends hold in India, and they are on the upward as Indian IA enterprises become increasingly digital and consequently land on the radar of cyber-attackers. There was a nearly 30 percent increase in ransomware groups attacking critical industrial infrastructure between 2022 and 2023, with ransomware-as-a-service (RaaS) being the growing cyber-attack vector. Examples of well-known IA-targeting ransomware groups include LockBit, Conti, and Black Basta.
Cyber-attacks such as ransomware and APTs are inevitable; hence, incident response plays a vital role in the current Indian IA market. However, incident response in the IoT/OT-driven IA space differs starkly from that in the IT sector. Consequently, it cannot simply be adapted from an IT incident response playbook.
In contrast to cyber-incidents in IT systems (which support how you manage a business), cyber-incidents that impact OT systems (which represent why you are in business) can have physical consequences that threaten human and environmental safety. On top of that, OT incident responders must be able to effectively triage systems without shutting them down, to maintain operational and uptime requirements. Moreover, traditional forensic tools for IT enterprises offer little or no visibility into the systems and protocols in the OT network, which is usually a complex network of systems of systems. In addition, system abnormalities in OT-driven IA industries are very different from IT system abnormalities, and separate OT network expertise is needed to respond to IA cyber-attacks. Unlike in an IT system, where the adversary needs to exploit vulnerabilities in the software management systems to achieve its goal, in an OT environment an adversary might need only to exploit a single IT vulnerability and then abnormally operate OT systems to threaten human and environmental safety.
The OT-driven IA sector poses significant challenges in charting an incident response program (IRP). First, it is quite difficult to get operational and IT engineers onto the same plane when agreeing on the procedures and policies that need to be part of an IRP. However, as OT = IT + Physics, the IRP must have a good blend of IT and OT engineering system expertise. This is because a simple IT security breach on an Engineering Workstation System (EWS) can cause a set of cascading OT functionality abnormalities with potentially significant physical and environmental damage, and this damage space needs to be anticipated by OT system experts. Add to this the very high cost of dedicating a full-time OT engineering team within an enterprise to build a bridging capability between the IT and OT space for an IRP.
One might wonder (as many executives do) whether the IT incident response team could do the job of an OT incident response team, and the answer is a "no". IT incident response retainers are usually incapable of managing the cyber risk of physical consequences. What an IA enterprise needs (according to Dragos) is a retainer relationship with a firm of OT-focused experts who:
(b) Small and medium businesses (SMBs) are buying cyber-insurance coverage for ransomware (to mitigate the adverse effects of business disruption), but at the same time, some enterprises in the SMB space question the prospective value of cyber-insurance, resorting to self-insurance instead if the cost outweighs the value.
(c) Cyber-insurance can reduce the risk of ransomware via pre- and post-breach consultancy on increasing cyber-resilience against a ransomware attack—but only as a means and not as an end.
(d) Increased cyber-insurance premiums/deductibles and a sparse cyber-insurance market are pushing some enterprises to good cyber-security practices, including zero-trust, multi-factor authentication, and backups.
(e) As cyber-insurers gain more insight into organisational cyber-security practices and mandate security controls (without which organisations may not be able to purchase cyber-insurance), certain organisations cannot purchase cyber-insurance. Consequently, they cannot protect themselves against residual ransomware cyber risk.
(f) Cyber-insurers often do not find it rational to engage in the cyber-loss prevention efforts that cyber-security experts and governments recommend for enterprises, due to their attention to the enterprise; instead, they engage in cyber-security efforts only selectively.
(g) Cyber-insurers have not been able to adopt a traditional K&R insurer's approach (due to privacy concerns) to negotiation for managing ransomware cyber-attacks.
(h) In certain situations, when the impact of a ransomware attack becomes uninsurable, cyber-insurers have been successful in pressuring governments to bear coverage responsibility in part; and
(i) Cyber-insurance often does not promote its clients' adherence to a critical NIST guideline, which states that corrective actions taken after a cyber-incident response should be shared across the private and public sectors so that industrial automation organisations learn together and improve together in preventing, protecting against, handling, and recovering from cyber-attacks. This is because the breach attorneys hired by cyber-insurance agencies advise enterprises against forensic and vulnerability information sharing, to reduce litigation risk for the insured client.
We propose five managerial action items that should form a part of an efficient and effective industrial automation security program.
An effective incident response (IR) plan must account for the complexities and operational nuances of OT environments as part of the IR design process for the security program. This accounting should not be an appendix to the IR design program. For example, while designing the IR program, managers should ensure that the threat detection strategies, IA process network architecture choices, and cyber data collection procedures align with the incident response requirements, and should anticipate the questions a successful IR will need answered before a cyber-incident occurs. More specifically, managers should
IA enterprise management should design and deploy defence architectures that reduce the cyber-risk exposure of industrial automation enterprises to ransomware and APT threat groups. The ways this can be achieved are:
IA enterprises" intricately networked systems architecture necessitates network traffic monitoring (e.g., deep packet inspection) and subsequent AI/ML-driven smart analysis to understand the interactions among such sub-systems. This aids general resilience and recovery to mitigate downtime due to business disruption and avoid generating too many unnecessary alerts for incident response teams. The network monitoring management team should:
The digitisation of OT systems and COVID-era working norms have significantly increased remote connectivity in work environments, even post-COVID. While it has been established that work-from-home (WFH) has its benefits, it brings significant cyber-risks. This makes ensuring secure remote access for all employees within an IA enterprise necessary. Multi-factor authentication (MFA) deployment and zero-trust solutions can go a long way towards reducing the adversary's attack paths. The management should prioritise attention to the traversal paths employees use for remote access, which cross private networks shared between organisations, public networks, and the Internet. Wherever MFA and zero-trust solutions cannot be deployed, the IA enterprise management should include controls such as jump hosts and "break and inspect" of communications, route remote communications through "choke points", and retain the capability to cut communications in certain scenarios.
The IA enterprise management should understand the cyber controls and device operating conditions in place, which aids cyber-risk-based vulnerability management decisions on whether to patch cyber vulnerabilities or mitigate their impact. As recommended actions, the management should
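An added example (not from the article or any vendor) of what a "cyber-risk-based vulnerability management decision" looks like when device operating conditions are taken into account: each finding carries its base severity plus the operational context the paragraph refers to (reachability from the IT side, physical safety consequence, existing compensating controls, time to the next maintenance window), and the decision is patch now, mitigate now and patch at the next window, patch at the next window, or accept and monitor. The weighting factors, thresholds, asset names and the placeholder vulnerability identifiers are all assumptions constructed for the example, not a published scoring scheme.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    asset: str
    vuln_id: str               # placeholder identifier, not a real CVE number
    cvss: float                # base severity, 0.0 to 10.0
    reachable_from_it: bool    # exposed to the IT zone or a remote-access path
    safety_critical: bool      # device failure has physical or safety consequences
    compensating_control: bool # e.g. segmented cell, writes blocked at the conduit
    next_window_days: int      # days until the next planned maintenance window


def risk_score(f: Finding) -> float:
    """Assumed weighting: base severity scaled up by exposure and physical
    consequence, scaled down when a compensating control already limits impact."""
    score = f.cvss
    score *= 1.5 if f.reachable_from_it else 0.7
    score *= 1.3 if f.safety_critical else 1.0
    if f.compensating_control:
        score *= 0.5
    return round(min(score, 10.0), 1)


def decide(f: Finding) -> str:
    """Map a score plus operating conditions to one of four actions (assumed thresholds).
    Safety-critical devices are never patched outside a window; their exposure is
    reduced immediately with a compensating control instead."""
    s = risk_score(f)
    if s >= 7.0 and not f.safety_critical:
        return "patch now"
    if s >= 7.0:
        return "mitigate now; patch at next window"
    if s >= 4.0:
        return "patch at next window"
    return "accept and monitor"


def prioritise(findings):
    """Return (asset, vuln_id, score, decision) tuples, highest risk first."""
    rows = [(f.asset, f.vuln_id, risk_score(f), decide(f)) for f in findings]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample findings for a small cell (not real assets or vulnerabilities).
SAMPLE_FINDINGS = [
    Finding("plc-07",   "VULN-PLACEHOLDER-1", 9.8, True,  True,  False, 30),
    Finding("hist-01",  "VULN-PLACEHOLDER-2", 8.1, True,  False, False, 30),
    Finding("plc-12",   "VULN-PLACEHOLDER-3", 9.8, False, True,  True,  14),
    Finding("sensor-3", "VULN-PLACEHOLDER-4", 5.3, False, False, False, 60),
]


if __name__ == "__main__":
    for asset, vid, score, action in prioritise(SAMPLE_FINDINGS):
        print(f"{asset:10} {vid:20} score={score:4}  -> {action}")
```

The point the example makes is that two findings with the same base severity (plc-07 and plc-12) end up with very different actions once exposure and existing controls are considered, and that the IT-side historian, which can tolerate an outage, is the one to patch immediately.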
First Published: Jan 10, 2024, 16:02