Operational Technology Cybersecurity for Automotive Industry: Learnings From an IBM OT Security Architect
Insights from a senior OT security architect at IBM for developing comprehensive operational security programs in the automotive industry.
Operational technology (OT) refers to industrial systems and controls that perform physical work, such as Programmable Logic Controllers (PLCs) and Supervisory Control and Data Acquisition (SCADA) systems. OT systems are ubiquitous across all critical infrastructure industries, such as Oil and Gas, Automotive, Energy, Water Utilities, and Transportation. OT infrastructure is vital to any nation’s security, since it ensures the delivery of essential services to its citizens. The ever-increasing attacks on critical infrastructure, such as the Colonial Pipeline attack in the US, the cyber-attack on Ukraine’s power grid causing outages, and the cyber-attack on Toyota’s production plants in Japan, are only a few examples. Given the absolute criticality of this domain, OT cybersecurity is getting the highest priority from all nations, as seen in the creation of the National Cybersecurity Strategy in the US and the EU Cybersecurity Act.
In this article, a leading OT Cybersecurity expert from the US, Krishna Tata, shares his learnings on the need for building comprehensive OT cybersecurity programs specifically for the automotive industry. Krishna is a highly regarded OT cybersecurity expert who has built several cybersecurity products for the IBM security products portfolio, including award-winning ones such as IBM QRADAR SIEM and SOAR, and has built their OT security practice, which is one of the largest teams of OT security professionals in the world. Krishna has been engaged in cutting-edge OT cybersecurity product development and research at IBM and has been helping critical infrastructure clients since 2015 in addressing critical security issues.
In this article, we tap into his expertise to discuss the importance of identifying and assessing risks, implementing security controls, and continually monitoring in the context of the automotive industry. He also provides examples of how these strategies can be applied in real-world scenarios based on his experience working with clients in the automotive sector.
What Are the Unique Characteristics of the Automotive Industry as It Relates to Cybersecurity?
The automotive industry is a term loosely applied to organizations that are engaged in the design, development, manufacturing, servicing, and repair of automobiles. It not only refers to automobile manufacturers but also to parts manufacturers, the service industry, and other ancillary organizations that support the motor vehicles ecosystem.
The automotive industry has a few unique characteristics that make it a very attractive and easy target for cyberattacks. The industry is generally at the forefront of innovations in automation and leverages newer technologies, such as IoT sensors and robots, in its manufacturing. On the other hand, its factories also use a wide network of legacy OT devices that are integral to the assembly line manufacturing process. This makes it a unique case for cyberattacks: if the defense strategy focuses on newer technologies, such as robots or IoT sensors, then the legacy devices, such as PLCs and SCADA systems, are left unsecured. Not to mention, manufacturers have a huge network of vendors and suppliers that provide the various parts used in the making of vehicles. A hole or vulnerability in a supplier network can be catastrophic for the automobile maker. The cyber-attack on a supplier, Kojima Industries, in Japan in 2022 brought down Toyota’s production operations across 14 plants for over 24 hours. This resulted in a massive loss of production, with financial as well as reputational impact.
What Are the Major Cyber Threats Facing the Automotive Industry Today?
The automotive industry, at its core, is a subset of manufacturing industries, albeit very advanced and complex in its operations. Every plant generally has multiple ‘lines,’ which refer to assembly lines. Each line performs several operations, such as oil checks, quality control, installing seats, installing safety harnesses, installing engines, manufacturing engine parts, and so on. Every plant generally manufactures a particular model of a certain vendor. For example, the Honda East Liberty Plant in Ohio manufactures the Honda CR-V, Acura MDX, and Acura RDX models, while the Anna Engine Plant (AEP) manufactures engines for all models across all plants.
The biggest threats come from being able to compromise the line operations at plants to disrupt production. Another major threat emanates from being able to specifically compromise the lines responsible for installing the safety equipment and safety systems in vehicles. These can have far-reaching ramifications, not just in production outages but also in the quality and safety of the vehicles manufactured.
How Does Security of Connected Vehicles Tie to OT Security? How Do They Differ?
Every vehicle manufactured today is a complex computer on wheels. The F-150 Ford truck today has 150 million lines of code running on it. The complexity of the code being used and connectivity such as Wifi, Near-field communication (NFC), and Bluetooth further complicate the security apparatus of modern vehicles. Use of open-source code, if not thoroughly tested for static and dynamic exploits, could have backdoors that can be triggered at will. Also, opening up cars to different connectivity options increases the threat vectors. As one remembers, it wasn’t very long ago when all car companies were offering in-built Wifi in cars, where basically the car has a hotspot. Once ethical hackers showed how easy it was to remotely control them and cause catastrophic incidents such as crashing them, companies quickly started dropping these. The GM OnStar RemoteLink system, for example, was shown to have a massive vulnerability that enabled remote tracking of the device, unlocking, and remote start. Consequently, ‘Disconnected’ cars have exploded exponentially in recent years, and over-the-air (OTA) updates, which were the rage once, have become a premium commodity only offered if they’ve been extensively security tested.
While connected vehicle security is about onboard car electronics, circuitry, and microcomputers, the OT ecosystem is what supports the manufacture of those cars and the electronic components they use. Both go hand-in-hand, and without robust security controls at the plant level for OT equipment, cars on the road running complex systems and software can never truly be secure.
IBM's OTCY Approach for Automotive Industry
"IBM's Operational Technology Cybersecurity (OTCY) approach is a holistic end-to-end cyber-physical program that helps our automotive clients build comprehensive operational technology (OT) cybersecurity programs. This is built on our deep understanding of the automotive industry, including OT vendors who make OT devices such as PLCs, SCADA, and RTUs, such as Mitsubishi, Schneider Electric, Fanuc, Yokogawa, etc. For example, Fanuc is a manufacturer of robotic controllers that control various line operations at plants, and Mitsubishi makes various models of PLCs using its GX Works platform. Our in-depth understanding of the protocols associated with each vendor, such as Melsec for Mitsubishi and ENET/IP for Fanuc, is what puts us in the pole position for OT security. Our approach helps customers manage and monitor devices, networks, and data, identify and protect critical assets, and respond to incidents quickly and effectively. Our approach is built on IBM's proven Security Transformation Framework, which has been used by hundreds of organizations worldwide to improve their security posture. In addition, our QRADAR SIEM product provides powerful security analytics for security alerts. We are able to automate remediation actions using the QRADAR SOAR product with no disruption to normal operations. We align our approach closely to the Purdue model, which is a standard used in industrial automation and in building cybersecurity solutions for OT networks across the world. Purdue model alignment is critical in understanding networks and designing suitable cybersecurity programs," says Krishna.
Two Principles for Successful OTCY Programs
Assuming that the reader has some level of familiarity with operational technology (OT) and cybersecurity, these are two high-level principles that are critical for success when implementing an OT cybersecurity program:
1. Understand the Nuances of OT Environment and Architecture
Every OT network has its own origin story and its own vendor makeup. It is essential to understand the vendors, their proprietary protocols, the controls needed, and their architectures. This ensures risks are properly assessed, and controls are designed accordingly. A deep understanding of the overall architecture, system components, how they interact with each other, what protocols they use, and what vulnerabilities exist in them is critical. Additionally, it's important to have visibility of any legacy systems and end-of-life systems and how they might interface with new OT technologies.
2. Define Clear Roles and Responsibilities for OT Cybersecurity
Security monitoring and operations is a 24x7 job, just like in the armed forces. As the saying goes, you snooze, you lose. It's imperative that there is a clear understanding of who owns what and who's responsible for specific tasks. Therefore, someone should be assigned as the OT cybersecurity program owner (or champion), given the responsibility for defining roles/responsibilities and overseeing the program. Other critical roles include:
- OT cybersecurity teams: These teams should have an intimate knowledge of the OT environment and architecture in order to properly assess risks, develop controls, and support incident response. This can either be a dedicated OT security team or security staff that works within an industrial automation group or control systems group.
- IT security teams: While IT may not have as much overall visibility into OT assets as OT/controls staff or cybersecurity teams (due to segmentation between IT and OT networks), they still need to be involved in policies/procedures, system updates/patches, access controls, etc. It's essential that both IT and OT departments work together so that security improvements wrap around both environments adequately.
- Executive leadership: Executive leadership support is key to all the concerned parties and teams working together and in the defined strategic direction.
Evolving Cyber Threat Landscape of Automotive Industry
As automotive manufacturers evolve into an electric vehicle (EV) world and increasingly seek to build secure networks, their threat landscape will continue growing. Within the plants, the biggest threat surfaces are improper segregation of OT and IT networks, internet connectivity to OT devices, improper access to PLCs, RTUs, or SCADA systems, and insecure supplier or vendor networks and systems. For connected vehicles, Wi-Fi, Bluetooth, near-field communication (NFC), and other Radio Frequency (RF) protocols present the biggest challenge.
OT systems at plants have traditionally been air-gapped from the rest of the company's networks and from the internet. However, cloud services and IoT sensors are proliferating extensively, with the result that even OT systems are being connected to external networks and even the internet. This has tremendously increased the number of threat vectors and the risk of plant-level systems being compromised, either internally or from supplier networks. The Toyota example mentioned earlier is a case in point.
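The segmentation problems named above (IT and OT not properly segregated, OT devices reaching the internet, supplier networks landing directly on plant systems) can be checked mechanically against the Purdue model that Krishna refers to. The following is an added example written for this article, not code from IBM, Krishna Tata, or any product named here. It assumes an invented zone map (the CIDRs, the adjacency policy, and the industrial port numbers are constructed for the example and should be replaced with the plant's own network design and the vendor-documented ports) and audits a handful of constructed flow records of the kind a plant firewall or NetFlow collector would export.

```python
import ipaddress
from dataclasses import dataclass

# Constructed Purdue-style zone map for a single plant. The CIDRs are invented
# for this example; a real audit takes them from the plant's network design.
ZONES = {
    "L0_L1_CONTROL": ipaddress.ip_network("10.10.1.0/24"),   # PLCs, RTUs, robot controllers
    "L2_SUPERVISORY": ipaddress.ip_network("10.10.2.0/24"),  # HMIs, SCADA servers
    "L3_OPERATIONS": ipaddress.ip_network("10.10.3.0/24"),   # MES, historians
    "L3_5_DMZ": ipaddress.ip_network("10.10.35.0/24"),       # jump hosts, patch/AV relays
    "L4_ENTERPRISE": ipaddress.ip_network("10.20.0.0/16"),   # corporate IT
    "SUPPLIER_VPN": ipaddress.ip_network("172.16.50.0/24"),  # supplier remote-access landing
}
OT_ZONES = {"L0_L1_CONTROL", "L2_SUPERVISORY", "L3_OPERATIONS", "L3_5_DMZ"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Policy (assumed): traffic may only cross adjacent Purdue levels, and anything
# from the enterprise, suppliers or the internet must terminate in the L3.5 DMZ.
ALLOWED = {
    ("L0_L1_CONTROL", "L2_SUPERVISORY"), ("L2_SUPERVISORY", "L0_L1_CONTROL"),
    ("L2_SUPERVISORY", "L3_OPERATIONS"), ("L3_OPERATIONS", "L2_SUPERVISORY"),
    ("L3_OPERATIONS", "L3_5_DMZ"), ("L3_5_DMZ", "L3_OPERATIONS"),
    ("L3_5_DMZ", "L4_ENTERPRISE"), ("L4_ENTERPRISE", "L3_5_DMZ"),
    ("L3_5_DMZ", "SUPPLIER_VPN"), ("SUPPLIER_VPN", "L3_5_DMZ"),
    ("L4_ENTERPRISE", "INTERNET"), ("INTERNET", "L4_ENTERPRISE"),
}

# Industrial protocol ports used for labelling. These are the commonly cited
# defaults and are an assumption here; verify against the installed devices.
INDUSTRIAL_PORTS = {
    44818: "EtherNet/IP (ENET/IP)",
    502: "Modbus/TCP",
    5007: "MELSEC MC protocol",
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Finding:
    flow: Flow
    src_zone: str
    dst_zone: str
    severity: str
    reason: str


def zone_of(ip_str: str) -> str:
    """Map an address to a Purdue zone; unmapped RFC1918 space is UNKNOWN, the rest INTERNET."""
    ip = ipaddress.ip_address(ip_str)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "UNKNOWN" if any(ip in net for net in RFC1918) else "INTERNET"


def check_flow(flow: Flow):
    """Return a Finding if the flow violates the zone policy, else None."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if s == d or (s, d) in ALLOWED:
        return None
    proto = INDUSTRIAL_PORTS.get(flow.dport)
    if "INTERNET" in (s, d) and (s in OT_ZONES or d in OT_ZONES):
        sev, why = "critical", "OT zone exchanging traffic directly with the internet"
    elif d == "L0_L1_CONTROL" and proto:
        sev, why = "high", f"{proto} reached a controller from outside the supervisory level"
    else:
        sev, why = "medium", "flow crosses a Purdue boundary that the policy does not permit"
    return Finding(flow, s, d, sev, why)


def audit(flows):
    """Run every flow through the policy and keep only the violations."""
    return [f for f in map(check_flow, flows) if f is not None]


# Constructed flow records; 203.0.113.44 is a documentation-range address standing in for an internet host.
SAMPLE_FLOWS = [
    Flow("10.10.2.10", "10.10.1.5", 44818),   # HMI -> robot controller: permitted
    Flow("10.20.4.7", "10.10.1.5", 5007),     # corporate workstation -> PLC, skipping the DMZ
    Flow("10.10.1.9", "203.0.113.44", 443),   # controller talking to an internet address
    Flow("172.16.50.3", "10.10.2.20", 3389),  # supplier VPN host -> SCADA server directly
    Flow("10.20.1.1", "10.10.35.4", 443),     # enterprise -> DMZ: permitted
    Flow("10.10.35.4", "10.10.3.8", 8443),    # DMZ -> operations: permitted
]

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"[{f.severity}] {f.flow.src} ({f.src_zone}) -> "
              f"{f.flow.dst}:{f.flow.dport} ({f.dst_zone}): {f.reason}")
```

Run against the sample, the script reports three violations: the enterprise workstation reaching a PLC on the MELSEC port, the controller talking to the internet, and the supplier host landing directly on a SCADA server; the three permitted flows are silent. The useful design choice is that the policy is an explicit adjacency table rather than a list of forbidden pairs, so any new path that nobody wrote down is flagged by default, which is the behaviour you want when legacy devices and new IoT links are added to a plant network over time.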
The threat landscape for OT is constantly changing as new vulnerabilities are discovered and new attack techniques are developed. Unfortunately, this makes it difficult for organizations to keep their OT systems secure. To address this challenge, organizations need to have a comprehensive security program in place. "The program should include policies, procedures, and technologies that are specifically designed for OT systems. It should also be tailored to the unique needs of the organization's ICS environment. For example, an OT cybersecurity program for an Automotive company will be distinct from one built for a Power company. Though there are overall commonalities, there are also important distinctions based on the industry," added OT Cybersecurity expert Krishna Tata. Automotive organizations can learn from the experiences of others when it comes to building their own OT security programs. IBM has worked with many different organizations on this issue, and their security architects have gained a lot of insights into what works and what doesn't.
The Future of OT for Automotive
With the newer push to Electric Vehicles, sophisticated OT manufacturing processes, more connected protocols such as Bluetooth and NFC, and an increasing number of AI digital assistants in cars, the threat vectors will only grow. Manufacturers will eventually find ways to move away from open-source code into a more close-knit ecosystem of code and libraries. OT manufacturing in automotive will increasingly use robots from vendors such as Fanuc and Motoman to do a lot of activities. IoT sensors will proliferate with connected devices across plant floors to control various operations and collect telemetry data. With this, the investments in OT security will only continue to grow. How successfully organizations can secure their legacy devices at plants will determine how robust their manufacturing is. “The technology stack at plants will include industrial intrusion detection systems, OT firewalls, and Secure Remote Access devices, which will play a key role. The future of OT security is an important topic for critical infrastructure industries as the world becomes increasingly digital. As industries move towards Industry 4.0 and the Internet of Things, it is important to consider how these technologies will impact security. There are many potential benefits of Industry 4.0 and the IoT, but there are also new risks that need to be considered. We are in for interesting times for OT cybersecurity,” concludes Krishna. Coming from one of the foremost experts in OT cybersecurity, these are prescient words that will need to be kept under close consideration for a safer and more secure world of automotive manufacturing and OT cybersecurity.