Cyberthreats Built Right into Your OT Environment


In March 2024, the U.S. government sent a letter to Shanghai Zhenhua Heavy Industries (ZPMC), a China-based manufacturer with close ties to the Chinese Communist Party (CCP), demanding answers about cellular modems discovered on Chinese-built cranes deployed in U.S. seaports. The modems were installed during manufacturing, were not part of the equipment contract, and offered no functional benefit to the ports that purchased the cranes.
 
In some cases, the modems were connected to the crane's operating control system. Officials believe they could have been used to spy on port operations, disrupt them, and interfere with a U.S. economy that is highly reliant on moving goods through its ports. A cellular link of this kind is an out-of-band path into the control system: it bypasses the port's own network perimeter entirely, so firewalls and monitoring at the site boundary would never see the traffic.
 
This case highlights the growing concern among critical infrastructure sites and manufacturers about vulnerabilities in their supply chain. Whether it is machinery with components that are no longer supported, or modern machinery with components that were compromised before they were even shipped, supply chain security is a serious concern for operational technology (OT) and one that must be addressed now.
 

Length and depth of an OT supply chain

To better understand the security issue facing OT facilities, it’s instructive to think about an automobile. Cars have multiple systems that all interact with one another, including the steering system, the engine, brakes and infotainment system.
 
Each system has multiple components, which are built by various manufacturers based on the automaker’s specs, and shipped to the automaker’s assembly plant. Once there, the automaker runs the parts through its assembly line and builds the car.
 
If any of those components have been compromised, or have exploitable vulnerabilities, the car and its passengers are at risk. The infotainment system, with its Bluetooth, Wi-Fi and cellular interfaces, is usually the easiest place for a threat actor to gain a foothold. From there, an attacker can move laterally across the in-vehicle networks toward the engine, brakes or steering, with potentially dire consequences.
 
OT sites are more complex still: numerous interconnected systems, each made up of many components. Unlike a car, which can be taken off the road temporarily to update its firmware or replace a component, many OT sites run 24x7 with limited maintenance windows. A patch may wait weeks or even months for a window, and the network stays exposed until it is applied. Plants and ports also run legacy machinery deployed decades ago: it still does the job, so it stays in service, but it lacks adequate defenses against current cybersecurity threats.
 

Securing the OT supply chain

Unsecured supply chains represent a critical vulnerability for facilities, jeopardizing their integrity, reliability and safety, as well as the security of their products. A compromised facility could face a range of devastating consequences, including intellectual property theft and product counterfeiting, crippling ransomware attacks costing millions of dollars, and even physical destruction that puts worker safety at risk.
 
There are a number of steps organizations must take to protect themselves from cybersecurity threats in their supply chains. Begin by mapping all assets within the facility. This map should be built by a comprehensive, automated process that also records and visualizes the connections and communications between assets. Prefer passive discovery (listening to existing traffic) over active scanning where possible: older PLCs and controllers have been known to hang or reboot when probed, so an aggressive scan can cause the very outage you are trying to prevent. Note which assets run especially vulnerable legacy operating systems, and segment or cloak them so they cannot be used as gateways into the rest of the OT environment.
 
Regular risk assessments help identify vulnerabilities in the supply chain and the risk they pose to business processes. Continuous monitoring of networks, assets and communications can detect anomalous behavior and flag potential threats. Operators should update operating systems, firmware and software as soon as a patch is available and a maintenance window permits, since exploitation of unpatched vulnerabilities is a favorite tactic of threat actors. Where the window is weeks away, apply compensating controls in the interim: tighten firewall rules around the affected asset, restrict who can reach it, and watch its traffic more closely.
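The asset-mapping and monitoring steps above are easier to see in code. The script below is an added example, not part of the original article and not Radiflow's or any vendor's product logic: it takes a constructed asset inventory (with each asset's zone and operating system), a constructed zone-to-zone allow-list, and a constructed flow log of the kind a passive sensor would export, then reports assets on unsupported operating systems, conversations that cross zones the policy does not allow, and legacy assets that are reachable from outside their own zone. The IP addresses, host names, zones and OS strings are all assumptions made up for the example.

```python
"""Inventory-driven segmentation check over a flow log.

Added example with constructed data; nothing here comes from the
original article or from any vendor's product.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed asset inventory: ip -> (name, zone, operating system).
INVENTORY = {
    "10.1.1.10": ("HMI-01", "control", "Windows XP SP3"),
    "10.1.1.20": ("PLC-01", "control", "VxWorks 6.9"),
    "10.1.1.50": ("CRANE-MODEM", "control", "unknown"),  # device nobody ordered
    "10.1.2.30": ("HIST-01", "dmz", "Windows Server 2019"),
    "10.1.3.40": ("ENG-WS", "enterprise", "Windows 10"),
}

# Address ranges the site owns (assumed); anything else is treated as external.
SITE_NETWORKS = [ip_network("10.1.0.0/16")]

# OS families past vendor support (constructed list; extend for your site).
LEGACY_OS_PREFIXES = ("Windows 2000", "Windows XP", "Windows Server 2003", "Windows 7")

# Zone pairs allowed to talk: control <-> dmz <-> enterprise, nothing else.
ALLOWED_ZONE_PAIRS = {
    ("control", "control"), ("control", "dmz"), ("dmz", "control"),
    ("dmz", "dmz"), ("dmz", "enterprise"), ("enterprise", "dmz"),
    ("enterprise", "enterprise"),
}

# Constructed flow records, as a passive sensor might export them:
# src_ip,dst_ip,dst_port,proto
FLOW_LOG = """\
10.1.1.10,10.1.1.20,502,tcp
10.1.1.20,10.1.1.10,502,tcp
10.1.2.30,10.1.1.20,502,tcp
10.1.3.40,10.1.1.10,3389,tcp
10.1.1.50,203.0.113.9,443,tcp
10.1.1.20,10.1.1.50,502,tcp
"""


def parse_flows(log_text):
    """Parse 'src,dst,port,proto' lines into (src, dst, port, proto) tuples."""
    flows = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port, proto = line.split(",")
        flows.append((src, dst, int(port), proto.lower()))
    return flows


def zone_of(ip):
    """Zone from the inventory; unknown on-site or off-site addresses get their own labels."""
    if ip in INVENTORY:
        return INVENTORY[ip][1]
    addr = ip_address(ip)
    if any(addr in net for net in SITE_NETWORKS):
        return "unknown-internal"  # on-site address with no inventory entry
    return "external"


def legacy_assets():
    """IPs of inventoried assets running an unsupported OS family."""
    return sorted(ip for ip, (_, _, os_name) in INVENTORY.items()
                  if os_name.startswith(LEGACY_OS_PREFIXES))


def zone_violations(flows):
    """Flows whose (src zone, dst zone) pair is not on the allow-list."""
    violations = []
    for src, dst, port, proto in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if (src_zone, dst_zone) not in ALLOWED_ZONE_PAIRS:
            violations.append({"src": src, "dst": dst, "port": port, "proto": proto,
                               "src_zone": src_zone, "dst_zone": dst_zone})
    return violations


def legacy_exposure(flows):
    """Legacy assets receiving traffic from outside their own zone: the 'gateway' risk."""
    legacy = set(legacy_assets())
    exposed = defaultdict(set)
    for src, dst, _port, _proto in flows:
        if dst in legacy and zone_of(src) != zone_of(dst):
            exposed[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in exposed.items()}


if __name__ == "__main__":
    observed = parse_flows(FLOW_LOG)
    print("legacy assets:", legacy_assets())
    for v in zone_violations(observed):
        print("zone violation:", v)
    print("legacy assets reachable cross-zone:", legacy_exposure(observed))
```

On the constructed data this flags the engineering workstation reaching the Windows XP HMI over RDP from the enterprise zone, and the undocumented modem talking to an address the site does not own, which is exactly the kind of out-of-band link found on the ZPMC cranes. In a real deployment the inventory and flow records would come from your discovery tool's export rather than being hard-coded, and the allow-list would be maintained alongside the firewall rules that enforce it.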
 
Adhering to cybersecurity standards like IEC 62443 helps secure the OT supply chain by providing a structured and comprehensive framework that addresses cybersecurity across the entire lifecycle of OT systems. Its supplier-facing parts (IEC 62443-4-1 on the secure product development lifecycle and IEC 62443-4-2 on component security requirements) ensure that suppliers implement robust security practices during product development and maintenance. Additionally, IEC 62443 emphasizes incident response, continuous monitoring and collaboration among all stakeholders in the supply chain.
 
Perhaps most importantly, operators must vet their vendors' cybersecurity practices, and vendors who fail to meet the standard should be avoided. Maintain communication channels with vendors so you learn of vulnerabilities and patches as they are published, and ask for a software bill of materials (SBOM) for each product so you can tell which of your assets a newly disclosed vulnerability actually affects.
 

The road to OT supply chain security

OT environments are attractive targets for nation-state threat actors and sophisticated criminal groups. Adequate defense requires constant vigilance, supported by automated tools capable of detecting even slight variances in operational behavior. New regulations, including NIS2 in the EU, recognize the importance of securing these facilities and demand stronger countermeasures against existing and future threats.
 
OT cybersecurity does not happen overnight; it requires a long-term commitment. With the right effort in place, organizations can maximize the security posture of their facilities while minimizing the risk of supply chain attacks.

About The Author


Ilan Barda is founder and CEO of Radiflow. Radiflow is on a mission to take the guesswork out of OT security. The company seeks to empower customers to prioritize their threats with risk management solutions.

