Manufacturers Alliance conducted a brief Q&A with Dawn Cappelli, Director of Operational Technology – Cyber Emergency Readiness Team (OT-CERT) at Dragos, to discuss current cyber threats in manufacturing.
Q1. Why is operational technology (OT) security important in today’s manufacturing environment?
In 2024, Dragos tracked 1,693 ransomware attacks against industrial organizations – an increase of 87% over 2023. What is especially relevant to this audience is that about 70% of the victims were in manufacturing. Manufacturing is the top targeted sector for a few reasons, including the fact that manufacturing is one of the least mature sectors in terms of OT cybersecurity due to lack of regulations. This makes manufacturers attractive targets since the chance of a successful compromise is much higher than in other, more mature sectors. If a manufacturing plant is impacted by ransomware, recovery is extremely complex and difficult, leading to a better chance of the victim paying the ransom.
Q2. What threats to OT security should manufacturing leaders be aware of and how should manufacturers prioritize these threats?
While ransomware is the predominant cyber threat in manufacturing, the hacktivist group Dragos tracks as Bauxite, also known as the CyberAv3ngers, has impacted food and beverage as well as chemical manufacturing in the U.S., Australia, United Kingdom, and Israel. Hacktivists traditionally used low sophistication attacks like Distributed Denial of Service attacks and website defacements to impact victims that suit their ideological motives. However, in recent years, some hacktivists, including the CyberAv3ngers and Cyber Army of Russia Reborn, have aligned with state actors to carry out attacks resulting in denial of control, loss of availability, loss of control, loss of productivity and revenue, and loss of view in industrial operations.
Q3. Where do you start on the OT security journey?
Dragos OT-CERT provides free resources for any organization with an industrial environment – to assist them in creating a foundational OT cybersecurity program. OT-CERT content follows the SANS Five Critical Controls for Industrial Control Systems – the controls that are the most pressing and are designed for an ICS/OT cybersecurity strategy that can be flexible to an organization's risk model. OT-CERT has more than 2,500 members in 64 countries, with 67 free resources currently available in the OT-CERT portal. Others tell you WHAT you should do – OT-CERT tells you HOW, with templates, demonstration videos, a free OT ransomware tabletop exercise, worksheets, toolkits, and guides. OT-CERT also holds member-only meetings once a month, where members collaborate directly with Dragos experts and each other. In short, OT-CERT is more than just resources – it is a community where we all work together to raise the maturity of the ecosystem.
Q4. How can you incorporate OT security into an overall cybersecurity plan?
First, information technology (IT) and OT staff should work together to assess the risks to your plants. This is where the company’s revenue comes from, yet often, CISOs neglect to assess the probability and potential impact of a cyberattack in their plants. The current OT cyber threat environment needs to be understood and factored into your risk analysis. Then use the SANS Five Critical Controls to develop a strategy to improve your OT security.
After that is completed, most CISOs need to convince leadership to support an OT cybersecurity program. OT-CERT provides resources created by a working group of approximately 30 OT-CERT members. The presentation contains slides for your leadership to explain why IT and OT security are different; describe the OT cybersecurity threat environment, quantified risks to your company and mitigation strategies; and present the financial plan needed to mitigate the highest risks.
"Obtaining leadership support and resources can take time. Once you receive funding, you should focus on visibility and monitoring, since the chance of a threat already being in your plants is high. But in the meantime, you should not sit around and wait!"
Members from IT and security, along with plant engineers, should conduct a tabletop exercise, create an OT incident response plan, assess your plants’ architecture and network segmentation, ensure your remote access is secure, and adjust your vulnerability management program to identify and address serious vulnerabilities now, rather than later or never.
Q5. Many may think you can just isolate your manufacturing operations. Tell us why this isn’t possible for most manufacturing plants?
Plants used to be more isolated. Now, smart manufacturing requires constant communication between enterprise resource planning (ERP) systems in the IT environment and the plants. This communication results in increased productivity and is necessary to compete with other advanced organizations. Those connections to IT mean the plants are not air gapped. It is important to understand this since most compromises in OT begin in IT and move into the OT environment due to improper network segmentation.
In addition, the COVID pandemic forced most manufacturers to limit entrance to their plants to essential personnel only. During this time, contractors, original equipment manufacturers (OEMs), and engineering firms accessed the plants remotely, and the productivity gains and convenience resulted in remote access becoming standard operating procedure in most companies. Those remote connections create a security risk. Because the plants are not air gapped, it opens the door to compromises in OT as a result of insecure remote access mechanisms.
Q6. As a previous CISO at Rockwell Automation, how was OT security organized and how were you involved? Who do you think should own OT security?
As CISO, I was responsible for OT security. I brought together members of IT and security, as well as plant managers and plant engineers to build our manufacturing security strategy together. In a 4-day workshop, we walked through every detail of the NIST Cybersecurity Framework (NIST CSF) – since the SANS Five Critical Controls did not yet exist. As we dug into the details over those four days, the IT team came to understand why OT is different than IT, the OT team came to respect how IT’s tools and capabilities could help them, and the two teams became a single team that created a strategic roadmap that we executed together for the next five years.
I believe CISOs should be responsible for OT security, but they MUST get IT and OT to work together to build an effective program.
Q7. What tools can you use to protect your OT environment?
The SANS Five Critical Controls for ICS:
- OT Incident Response Plan
- Defensible Architecture
- OT Network Monitoring and Visibility
- Secure Remote Access
- Risk-Based Vulnerability Management
Q8. How can manufacturers ensure their operations leaders are trained and up to speed on the latest security threats to OT?
The CISO should communicate new threat intelligence to operations leaders on an ongoing basis. They should communicate media reports of compromises in OT environments so that operations staff understand that the threat is real. They should also report on actual incidents that have happened at the company, so they realize that “it does happen here!” It is also important to communicate frequently with plant floor workers. They need to understand WHY it is important not to plug USB drives into the plant floor machines, for example.
We identified OT-specific security awareness training and communications as “low hanging fruit” at Rockwell. It was one of the first tasks we worked on, because we realized how important it was to communicate relevant information to the plants. The information that is meaningful to the office workers is very different than what is pertinent to operations personnel.
Q9. How will the geopolitical landscape impact cybersecurity threats to manufacturing in the next 1-2 years?
Today’s geopolitical climate is driving increased concern for cybersecurity in industrial and critical infrastructure. State actors are aligning with hacktivists, and hacktivists are beginning to use ransomware against their targets. The lines between the types of threat groups are blurring. It is important that manufacturers realize that they are behind other sectors and are an easy, attractive target to many different threat groups. There is no time to waste – using OT-CERT free resources is a great way to get started quickly while putting together a strategy and securing funding for the needed new tools. Dragos has seen threat groups shift their focus to new sectors, so the tools being used against other critical infrastructure sectors today could easily be used against manufacturers tomorrow.
About Dragos
Dragos is the global leader in industrial cybersecurity, committed to safeguarding critical infrastructure from increasingly sophisticated cyber threats. Founded by elite experts in ICS threat response, Dragos provides industry-leading OT threat intelligence, technology, and services to protect the essential systems that underpin modern civilization.
Opinions expressed by contributing authors are their own.