In an era where digital transformation has become synonymous with progress, the manufacturing sector is at the forefront of technological advancements. As the lines between OT and IT environments continue to blur, these innovations come with an increased risk of cyber threats that can disrupt the very heartbeat of industrial operations.
This evolving threat landscape calls for a profound shift in how we approach cybersecurity and communication to protect operational data. This shift is not just a technological upgrade; it's a cultural evolution towards a more secure and connected future in manufacturing.
The Cybersecurity and Infrastructure Security Agency (CISA) consistently endorses out of band (OOB) communications — separate, dedicated channels that are not part of an organization’s primary network — but never explicitly links it to a broader OOB management strategy that uses alternate communications paths to remotely manage network infrastructure devices.
The two should be intimately tied together, especially as the line between information technology and operational technology becomes less distinct in manufacturing. When done correctly, OOB communications can help unlock the full potential of effective OOB management.
CISA's Stance
In the aftermath of the SolarWinds supply chain compromise, CISA highlighted the difficulty of ousting attackers from compromised networks. Attackers were actively surveilling all actions within those networks, including discussions of findings, resolutions and mitigation strategies. Recognizing that these conversations could be monitored, CISA recommended implementing operational security measures to safeguard sensitive operational data during cyber incidents, including OOB communications.
CISA views OOB communication as a linchpin in safeguarding operational data during cyber threats, especially post-SolarWinds and Lapsus$ incidents, explicitly mentioning it in its own playbooks. According to the CISA Cyber Safety Review Board's report on the attacks associated with Lapsus$ and related threat groups, highly effective organizations leveraged OOB communications to coordinate responses — outside of compromised day-to-day operational channels like email, Slack, Teams, etc. — beyond the reach of threat actors.
Without it, adversaries can gain a significant advantage over incident responders for current and future attacks, taunting and demoralizing victims and influencing remediation and response coordination strategies.
Not all OOB Communications are Created Equal
In the face of increasingly sophisticated adversaries, a growing list of exploits and zero-days that can lead to a complete compromise of SaaS collaboration apps, and increased regulatory demands for oversight of cybersecurity and incident response programs, it's crucial to differentiate between traditional OOB communications and the more nuanced approach of secure OOB collaboration. The former is any alternative to day-to-day channels, while the latter is a strategic evolution that demands three specific requirements to ensure enhanced security, resilience and control:
- Standalone functionality. It must be independent of the primary network with no on-premise dependence, and it cannot be a duplicate of existing tools.
- Heightened security measures. It must safeguard against insider threats and third-party breaches with end-to-end encryption (unlike typical encryption-in-transit or encryption-at-rest) that surpasses conventional methods, ensuring a compromised username or password won't provide access to an attacker.
- It cannot sacrifice controls. It must provide you the ability to implement user policy controls and meet records retention requirements. Importantly, it achieves this without reintroducing on-premise dependency.
In November 2021, CISA recommended OOB management for sensors and security devices. Originally for network infrastructure, OOB management seamlessly applies to IoT and manufacturing devices. This broader perspective positions OOB communication not just as a reactive measure but as a critical line of defense for fortifying operational resilience. OOB management, coupled with secure OOB collaboration, becomes essential for ensuring continuity of operations when day-to-day communication channels are compromised.
CISA says the purpose of OOB management is to perform corrective actions without allowing the adversary to observe these changes. However, this guidance doesn't address the effective delivery of operational insights to decision-makers or the need for secure platforms for discussing these decisions. This gap poses significant risks, especially in scenarios where precise coordination is crucial, such as shutting down manufacturing processes in a specific sequence or optimizing production under changing conditions.
Insights such as production levels, speeds and on-hand supplies could even be exploited by a frustrated and impatient attacker who wants to escalate damage and compel negotiations with diminished leverage.
Real-World Implications
Real-world incidents, such as the 2017 NotPetya ransomware attacks on giants like Maersk, Merck, FedEx, Norsk Hydro, Mondelez International and others, provide insights into the challenges posed by compromised internal communications.
Mondelez, a food manufacturer, lost 1,700 servers, 24,000 laptops, access to all internal communications channels and, eventually, more than $100 million. WhatsApp phone trees and Yammer served as makeshift solutions, but Yammer was undersecured while Whatsapp was end-to-end encrypted but lacked enterprise control. Neither were officially sanctioned prior to the incident, and both took time to implement and manage.
They get an “A” for adaptability, but this emphasizes the need for preparedness — solutions that don't just serve as a contingency plan but integrate seamlessly into the operational fabric.
The need for timely decision-making and business continuity during crises underscores the requisite role of secure OOB collaboration. It's not about abandoning existing channels or making it harder for attackers to exploit them. Rather, it’s providing an alternative, secure and enterprise-grade platform for sensitive communication, where important information is protected by strong, end-to-end encryption at the user and device level. This makes it significantly more challenging for attackers to gain access to valuable content, even if credentials are compromised.
The ideal setup is multifaceted:
- OOB management tools exclusively for making changes and managing infrastructure configuration, settings, etc.
- A secure OOB collaboration solution, which becomes a hub for discussions and decision-making before leveraging (sparingly) OOB management tools.
- One-way data diodes (optional) for when data must be exfiltrated from the most critical of networks while physically blocking access to the network.
- A secure gateway to ensure safe delivery of operational insights to intended recipients in the OOB collaboration hub, using independent outbound connectivity and end-to-end encryption.
Some industrial sites, from nuclear reactors to government facilities, have been hard to monitor in real time due to regulations, age of equipment or safety concerns, leading to separate, isolated networks. Data diodes, a class of security technology, allow one-way information sharing from these isolated networks to others who need the data, while keeping the networks physically separate.
In recent years, these data diodes have become more affordable and easier to maintain, matching the cost of industrial firewalls. When used as part of an OOB communications deployment, they add an additional layer of security and help extract and deliver vital information to key decision makers.
Securing the industrial heartbeat demands a holistic approach that combines the strategic guidance from CISA, the evolution of secure OOB collaboration, and the industry's collective commitment to innovation and security. Industrial production lines cannot afford downtime, but as cyber threats become increasingly sophisticated, traditional security measures are proving insufficient.
