Cybersecurity challenges and solutions in the consumer goods sector

Nozomi Networks, Claroty help consumer goods companies secure OT environments

Hackers look for vulnerabilities and easy access points through which to infiltrate company databases and systems. Increasingly, operational technology (OT) assets and industrial control systems (ICS) are weak points in companies’ cybersecurity defences. In 2021 cybersecurity vendor Mandiant published a report claiming that successful cyberattacks on internet-exposed OT assets were increasingly frequent. This is impacting the consumer goods sector. For example, in June 2020, the building automation system of an Israeli food and beverage company was breached. Building automation systems control various electric and mechanical processes such as heating, ventilation, and air conditioning (HVAC), lighting, and access control.  

Nozomi Networks and Claroty are cybersecurity vendors specialising in securing companies’ OT environments. GlobalData interviewed both Claroty and Nozomi Networks to understand the factors creating vulnerable OT environments.  

Firstly, the convergence of IT and OT is accelerating. More and more OT assets are connected to both the internet and the company network. As a result, hackers can infiltrate a company’s network via internet-connected assets, including factory floor machines, building automation systems, HVAC, lighting systems, and staff management systems.  

The number of internet and network-connected OT assets is growing for numerous reasons. Matt Ziegler, technical product marketing manager at Claroty, explained that companies sometimes want assets set up in this way so that they can monitor their operational output. Ziegler also pointed out that the pandemic had accelerated the need for remote access to these OT assets. 

Julian McMenamin, regional director for the UK and Ireland at Nozomi Networks, explained that internet-connected equipment is more easily maintained by the equipment manufacturers: “If you're selling a large piece of equipment to your customer, you want to know that it's installed, it's up and running, and you can check in from time to time.” As a result, manufacturers make the equipment internet-connectable, and the equipment’s instruction manual will suggest an internet connection.  

This contributes to a further problem: the employees who install these OT assets (electricians, manufacturing engineers) are often familiar with OT but unfamiliar with IT and cybersecurity. Therefore, the equipment is installed according to the instruction manual's directions. This results in OT assets being connected to both the company network and the internet, often on open IP addresses, without a firewall or other security apparatus.  

Secondly, companies often have insufficient visibility over their OT assets. The global manufacturing network of a leading consumer goods company can (and often does) span multiple continents, comprising hundreds of manufacturing facilities and hundreds of thousands of individual OT assets, from PLCs to assembly-line robots. A crucial part of network security is monitoring the traffic transmitted to and from the OT and IT assets that collectively constitute the network. Invisible assets mean unmonitored network traffic, which is how malware can slip through. As McMenamin puts it, “You cannot protect what you cannot see.”
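The visibility problem described here, and the internet-exposed installations described in the previous paragraphs, can both be checked passively from connection records. The following is an added example, not code from Nozomi Networks, Claroty or GlobalData: it parses a small constructed set of flow records, builds an asset inventory by tagging internal hosts seen on well-known industrial protocol ports, compares that inventory with a constructed asset register to surface hosts nobody documented, and lists OT-tagged assets that exchange traffic directly with addresses outside the assumed internal ranges. The internal ranges, the port-to-protocol table, the asset register and every address are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed connection records "src_ip,src_port,dst_ip,dst_port,proto"; not real traffic.
FLOW_LOG = """\
10.30.5.21,50123,10.30.5.10,502,tcp
10.30.5.22,50124,10.30.5.10,502,tcp
10.30.5.10,502,10.30.5.21,50123,tcp
203.0.113.45,41022,10.30.5.22,502,tcp
10.30.5.23,45000,198.51.100.9,443,tcp
10.30.5.30,1234,10.30.5.31,44818,tcp
10.30.5.40,3389,10.30.5.41,5900,tcp
"""

# Assumed internal address space; anything outside it is treated as "the internet".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Well-known industrial protocol ports used to tag a host as an OT asset
# (assumption: port-based tagging is only a first approximation of real asset discovery).
OT_PORTS = {502: "modbus", 44818: "ethernet/ip", 20000: "dnp3", 102: "s7comm"}

# Constructed asset register standing in for what the plant believes it owns.
KNOWN_ASSETS = {"10.30.5.10", "10.30.5.21", "10.30.5.22", "10.30.5.23", "10.30.5.30", "10.30.5.31"}


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse CSV flow lines into (src, sport, dst, dport, proto) tuples."""
    flows = []
    for line in text.splitlines():
        src, sport, dst, dport, proto = line.split(",")
        flows.append((ipaddress.ip_address(src), int(sport), ipaddress.ip_address(dst), int(dport), proto))
    return flows


def build_inventory(flows):
    """Return {internal_ip: set(ot_protocols)} for every internal host seen in the traffic."""
    inventory = defaultdict(set)
    for src, sport, dst, dport, _proto in flows:
        for ip, port in ((src, sport), (dst, dport)):
            if is_internal(ip):
                tags = inventory[str(ip)]  # creates the entry even when no OT port is involved
                if port in OT_PORTS:
                    tags.add(OT_PORTS[port])
    return dict(inventory)


def undocumented_assets(inventory, known=KNOWN_ASSETS):
    """Hosts observed on the wire that the asset register does not know about."""
    return sorted(ip for ip in inventory if ip not in known)


def internet_exposed_ot(flows):
    """OT-tagged internal hosts that exchange traffic directly with an external address."""
    inventory = build_inventory(flows)
    exposed = set()
    for src, _sport, dst, _dport, _proto in flows:
        internal = [ip for ip in (src, dst) if is_internal(ip)]
        external = [ip for ip in (src, dst) if not is_internal(ip)]
        if len(internal) == 1 and len(external) == 1 and inventory.get(str(internal[0])):
            exposed.add(str(internal[0]))
    return sorted(exposed)


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    inv = build_inventory(flows)
    for ip, tags in sorted(inv.items()):
        print(ip, sorted(tags) or "-")
    print("undocumented hosts:", undocumented_assets(inv))
    print("internet-exposed OT:", internet_exposed_ot(flows))
```

In the constructed data the two hosts on 10.30.5.40/41 are talking to each other but appear in no register, and the Modbus device at 10.30.5.22 accepts a connection straight from an external address, which is the "open IP address without a firewall" situation the installers' paragraph describes. Real deployments derive the OT tag from deep packet inspection rather than a port table, but the inventory-versus-register comparison is the same.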

Thirdly, manufacturing facilities often contain all kinds of OT, varying in vendor, age, and model. This makes it difficult to standardise the software running on each machine, which in turn makes it difficult to ensure the entire network operates according to the company’s cybersecurity protocols. Even when assets come from the same vendor, McMenamin explains that the software running on these assets will often depend on the asset’s installation date rather than a coordinated company policy.

Fourthly, McMenamin and Ziegler agree that IT-centric cybersecurity personnel are often insufficiently familiar with OT to ensure the cybersecurity of OT environments. Ziegler argued that legacy cybersecurity vendors are not yet fully proficient in OT cybersecurity. McMenamin suggested that the well-known names in cybersecurity are not typically fully proficient. The hundreds of millions of dollars in investment that industrial cybersecurity companies such as Claroty and Nozomi Networks attracted in 2021 are certainly evidence of a growing demand for, and perhaps a limited supply of, OT cybersecurity expertise.

These factors mean OT environments are vulnerable to cyberattacks, which can have devastating consequences for consumer goods companies. According to McMenamin, an outage in a dairy manufacturing facility during production hours could result in systems cooling and becoming clogged with solidified dairy products, which would take weeks to clean before production could resume.  

A few hours of downtime at a meat processor due to compromised machinery would result in an entire batch going off. An attack on the OT environment of a pharmaceutical company could result in highly valuable intellectual property being stolen. Extended periods of downtime for any consumer goods company could freeze its entire supply chain. For these reasons, consumer goods companies should prioritise securing their OT environments. 

Coca-Cola uses Sangfor Technologies’ Endpoint Secure to protect its bottling facilities

In 2019 Coca-Cola partnered with Sangfor Technologies to improve the cybersecurity of its bottling facilities in China. At the time, businesses across China were threatened by the Driving Life virus, which could evade traditional virus detection systems by regularly mutating and could spread through networks quickly. According to Sangfor Technologies, its endpoint security solution, Endpoint Secure, eliminated Driving Life and secured Coca-Cola’s systems in minutes.  

Endpoint Secure combines threat detection and a next-generation firewall to filter out malicious traffic directed toward the device. To prevent malware from being downloaded onto a device, Endpoint Secure seeks out malicious domain names, domain generation algorithms, and remote installation, the tell-tale signs of a hacker attempting to install malware onto a device. If the hacker bypasses these security measures undetected, Endpoint Secure uses behaviour detection to find and destroy viruses encrypting files on the device. If the device is successfully compromised, Endpoint Secure can automatically isolate the device from the rest of the network to prevent viruses from spreading.  
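The domain-name and domain-generation-algorithm checks and the automatic isolation step described above can be illustrated with a small detector. This is an added example, not Sangfor's code or method: it scores each queried name on lexical indicators commonly used to spot algorithmically generated domains (label length, character entropy, vowel ratio, letters mixed with digits) and nominates for isolation any host whose DNS log shows several suspect lookups. The log lines, hosts, domain names and thresholds are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

VOWELS = set("aeiou")

# Constructed DNS query log: "timestamp querying_host queried_name"; not real data.
DNS_LOG = """\
2022-01-05T10:00:01 10.20.1.7 www.sangfor.com
2022-01-05T10:00:02 10.20.1.7 globaldata.com
2022-01-05T10:00:03 10.20.1.15 xk2p9qzv7tlm3bw.net
2022-01-05T10:00:04 10.20.1.15 qwrtzpsdfghjkl.org
2022-01-05T10:00:05 10.20.1.7 operationaltechnology.com
2022-01-05T10:00:06 10.20.1.15 zxqv8kpl2mnrt9wy.info
2022-01-05T10:00:07 10.20.1.15 mail.sangfor.com
"""


def shannon_entropy(text):
    """Bits of entropy per character of the string (0 for an empty string)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(domain):
    """The label just below the TLD, e.g. 'sangfor' for 'mail.sangfor.com'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_indicators(domain):
    """Lexical indicators; thresholds are assumptions chosen for this example."""
    label = registrable_label(domain)
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    return {
        "long": len(label) >= 12,
        "high_entropy": shannon_entropy(label) >= 3.5,
        "few_vowels": vowel_ratio <= 0.25,
        "mixed_digits": any(c.isdigit() for c in label) and bool(letters),
    }


def looks_like_dga(domain, min_indicators=3):
    """Require several indicators at once so that long dictionary names do not trip the detector."""
    return sum(dga_indicators(domain).values()) >= min_indicators


def hosts_to_isolate(log_text, threshold=3):
    """Hosts whose suspect lookups reach the threshold become candidates for automatic isolation."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        _ts, host, name = line.split()
        if looks_like_dga(name):
            hits[host] += 1
    return sorted(host for host, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    for line in DNS_LOG.splitlines():
        _ts, host, name = line.split()
        print(host, name, "SUSPECT" if looks_like_dga(name) else "ok")
    print("isolate:", hosts_to_isolate(DNS_LOG))
```

The constructed log includes operationaltechnology.com as an edge case: it is long and has fairly high entropy, so a single indicator would flag it, but its normal vowel ratio keeps it under the three-indicator bar. Isolation is keyed on repeated hits per host rather than a single lookup for the same reason: one odd name is a hint, a burst of them is the behaviour worth acting on.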

According to Sangfor Technologies, a big issue with traditional virus detection solutions is their inability to identify malware whose features differ from those listed in their feature stores. As a result, these traditional solutions struggle to detect viruses that regularly mutate. Sangfor’s Endpoint Secure uses AI to detect these unknown viruses by analysing thousands of virus features to detect similarities.

Sangfor Technologies continues to develop and improve its endpoint security capabilities. In January 2022, it published patents for technologies that automate virus feature extraction and improve traffic auditing. Cybersecurity vendors should develop their security solutions in this way to keep up with cybercriminals, who are continually evolving their methods and tools. 

P&G improves its OT security with TrapX’s DeceptionGrid

In 2020 Procter & Gamble (P&G) sought to improve the cybersecurity of its manufacturing facilities. William Fryberger, the director of enterprise security and operations at P&G at the time, claimed that the company’s manufacturing facilities were filled with unsecured legacy equipment. However, replacing all of this equipment with cutting-edge standardised technology was not realistic without impacting production. Instead, a solution was needed to improve the cybersecurity of these OT environments without disrupting business operations. In addition, Fryberger said that the solution needed to provide OT visibility, be easily deployable, and be “100% passive” (requiring minimum employee input to detect threats).

P&G decided to use TrapX’s DeceptionGrid. DeceptionGrid protects OT networks by deploying decoys throughout the network that deliberately resemble real network-connected assets. The idea is to present attackers with attractive targets that will alert the organisation and provide actionable intelligence about any malicious threats directed toward them.  
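The property that makes decoys useful is that a decoy has no legitimate users, so any contact with it is an alert with no baseline to argue about. The following is an added example, not TrapX's DeceptionGrid or P&G's deployment: a minimal decoy service on the loopback interface that records who connected and the opening bytes, plus a stand-in client that touches it once so the alert path can be seen end to end. The decoy name, the loopback address and the Modbus-style request bytes are constructed assumptions.

```python
import socket
import threading
import time
from dataclasses import dataclass


@dataclass
class DecoyAlert:
    decoy: str
    peer: str
    first_bytes: bytes
    timestamp: float


class DecoyService:
    """A listener that impersonates an asset nobody should legitimately contact.

    Because the decoy has no real users, every connection is a high-fidelity alert,
    which is the property the text attributes to deception-based monitoring.
    """

    def __init__(self, name, host="127.0.0.1", port=0):
        self.name = name
        self.alerts = []
        self._alerted = threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))  # port 0: let the OS pick a free port
        self._sock.listen(5)
        self.port = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while True:
            try:
                conn, addr = self._sock.accept()
            except OSError:  # listening socket closed
                return
            with conn:
                conn.settimeout(1.0)
                try:
                    data = conn.recv(64)  # keep the opening bytes for the analyst
                except OSError:  # socket.timeout is an OSError subclass
                    data = b""
            self.alerts.append(DecoyAlert(self.name, f"{addr[0]}:{addr[1]}", data, time.time()))
            self._alerted.set()

    def wait_for_alert(self, timeout=5.0):
        return self._alerted.wait(timeout)

    def close(self):
        self._sock.close()


def simulate_touch(port, payload=b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x01"):
    """Stand-in for an unexpected client: one connection carrying a Modbus-style read request (constructed bytes)."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        s.sendall(payload)


def run_demo():
    """Start a decoy, touch it once, and return the alerts it raised."""
    decoy = DecoyService("fake-plc-modbus")
    try:
        simulate_touch(decoy.port)
        decoy.wait_for_alert()
    finally:
        decoy.close()
    return decoy.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(f"[{alert.decoy}] contact from {alert.peer}, first bytes {alert.first_bytes.hex()}")
```

A production deception platform adds what this sketch omits: decoys that answer in the protocol they imitate so they survive inspection, placement across many network segments, and correlation of the captured bytes into the "actionable intelligence" the text mentions. The alert logic itself stays this simple, which is why Fryberger could describe it as passive.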

According to Fryberger, “Using the baits, using the traps gives us increased visibility and awareness of anything that could potentially be happening in our environment.” Fryberger praised the accuracy of TrapX’s threat detection, placing it “in the top one or two in terms of fidelity.” Because of this accuracy, P&G could monitor the network more efficiently. According to Fryberger, “With TrapX, our 12-hour days turned into 10-hour days.”  

P&G is a leading adopter of cybersecurity in the consumer goods sector. The company is not only a leading hirer of cybersecurity personnel but also one of the few consumer goods companies that has published cybersecurity-related patents in the last four years. By partnering with TrapX, P&G sensibly supports its internal cultivation of cybersecurity talent and technologies with external expertise.

GlobalData, the leading provider of industry intelligence, provided the underlying data, research, and analysis used to produce this article.   

GlobalData’s Thematic Intelligence uses proprietary data, research, and analysis to provide a forward-looking perspective on the key themes that will shape the future of the world’s largest industries and the organisations within them.