Manufacturing Needs a Stronger Lock on the OT Front Door

I previously wrote on the growth of ransomware attacks in manufacturing and how cyber attackers are aggressively going after operational technology (OT) environments for profit through a variety of means—including phishing, malicious email, exploited vulnerabilities, downloads, and brute force attacks—to exploit vulnerabilities in backup systems. But some attackers stroll right through the front door—simply by logging into authorized accounts. How can they do this? By using identity-based attacks and social engineering to obtain legitimate user credentials. These approaches encompass a variety of techniques, but the main difference is that identity-based attacks use systems to access or crack passwords, while social engineering approaches, including phishing, are designed to get the users themselves to divulge their login info. Either way, it’s a big problem.

Identity-based infiltration is on the rise

It’s happened to all of us: You receive a letter from some company you’ve done business with at some point stating that they had a data breach and your personal information may have been compromised. When this happens, your login credentials could end up available for sale on the dark web, so the company offers you 12 months of free credit monitoring. If it feels like you’re getting more of these notices lately, it’s not just you. 

According to IBM’s 2024 X-Force Threat Intelligence Index, there was a 71% increase year over year in the volume of attacks using valid credentials—and for the first time ever, “abusing valid accounts became cybercriminals’ most common entry point into victim environments.” Furthermore, manufacturing was the top-attacked industry for the third year in a row, representing more than one-quarter (25.7%) of all incidents in the top 10 most-attacked industries, and the use of valid accounts represented 41% of incidents in North America.

The reason for this rise isn’t hard to grasp. After all, why hack in when you can simply log in? It’s easier to harvest user names and passwords than to write and execute new exploits. Manufacturing organizations need to implement stronger controls to make identity-based intrusions much harder. 

Training is critical to enable users to recognize social engineering attempts so they don’t fall prey to them. But training is not enough. You need to fortify your authentication controls with phishing-resistant systems and protocols—and you need to extend those controls across the entire OT environment, including all of your legacy systems. 

Authentication plays a critical role in a robust zero-trust identity and access management strategy. There are three areas in particular to focus on to improve the security and protection of your critical OT systems: multi-factor authentication (MFA), single sign-on (SSO), and role-based access control (RBAC).

Layer up your authentication defenses with MFA

A password is one form of authentication. It’s something the user knows. But if a hacker also knows the password, it’s easy for them to get in. MFA adds an additional level of protection by also requiring something the user has, which the hacker does not have easy access to. Typically, this additional form of verification is sent to email, text, or an authenticator app. 

Streamline logins—securely—with SSO

Your users work with multiple systems. When they need different credentials to log into each one, it doesn’t just create so-called password fatigue, it increases the chances that they’ll pick easy-to-remember (and easier-to-crack) passwords, or that they’ll write down all their different credential combinations, which is a security risk. SSO allows users to securely log into multiple applications using one set of credentials. Companies use SSO to centralize authentication and improve security by enforcing strong access and security policies. With SSO, you provision a user the day they start at the company, giving them access to all the accounts they need with one set of credentials. And then when they leave the company, you can deprovision them from all systems in one action from a single point. SSO enables you to streamline identity management, centralize access control and monitoring, and decrease your attack surface—all of which strengthen your overall security posture.

Easily provide as-needed access with RBAC

RBAC enables you to restrict access to a system based on a user’s role, rather than having to assign and manage permissions on an individual basis. RBAC doesn’t prevent you providing individualized access when needed, but it streamlines the overall permissioning process while still ensuring that people have access to the applications they need to perform their jobs. A subset of role-based access control is time-based access control, which grants access for limited period of time and self-expires. You might use time-based access control with a vendor who needs to access a project or programmable logic controller (PLC)—or even a set of projects or PLCs—just until next Friday, for example.

Software Defined Automation supports strong authentication controls

MFA: SDA strongly recommends that users and companies implement MFA for all SaaS and enterprise applications whenever possible. Our products use MFA with authentication apps using QR codes. We support many of the popular authenticator apps (TOTP-compliant applications), including Google Authenticator, Microsoft Authenticator, Twilio Authy Authenticator, Duo Mobile, and Symantec VIP. MFA is enabled through the User Profile menu and can be used for login, as well as optionally for additional critical actions within the system such as to start Browser-based Engineering, approve deployment requests, and execute deployments.

SSO: SDA’s Enterprise offering supports a wide range of SSO providers.

• Integrates with identity providers (IdPs) that are based on SAML 2.0, OpenID Connect (OIDC), and OAuth 2.0
• Supports Active Directory
• Available to extend to any commercial provider that supports the above-listed IdPs

RBAC and fine-grained permissions: The SDA console makes it simple to manage users and roles. There are standard roles for admins and users, and user permissions can be further refined to control access to specific devices or projects. You can also set time-based permissions that expire after a defined period to provide temporary access as needed. 

Learn more about OT security

Watch our on-demand webinar to learn more about how authentication mitigates OT security risks. If you missed our session on how to easily and quickly automate backup and recovery of your PLCs, that’s also available on demand. And be sure to register for our next webinar on September 19, which will focus on operational and data security features, including a demo of how SDA supports the NIST cybersecurity framework. 

And you can dive into Software Defined Automation’s Industrial DevOps tools yourself when you sign up for a free 14-day trial.