
Yokogawa Modern Industrial Cybersecurity ITOT SOC

Cybersecurity

Uploaded by

jorge medina

IT/OT SOC GUIDE

Addressing the Rising Threat of Industrial Cyberattacks with IT/OT Convergence


The rise of digital technologies brings a new level of cyber complexity to manufacturing
operations like chemical plants and processing facilities. Does your industrial enterprise
have adequate cybersecurity programs in place to prepare for these expanded risks?

The State of Industrial Cybersecurity


Industrial systems were once deemed low in cyber risk due to their self-contained, often proprietary
technology. However, the landscape has changed with the transition to the cloud and the increased
connectivity of operational technology from the Industrial Internet of Things (IIoT). Hackers
and criminal organizations are now targeting industrial systems for financial or political gains.
Consequently, IT and industrial control systems (ICS) security practitioners view the threat level to OT
and IoT systems as high or critical across various industries.

Asia-Pacific is the most cyber-attacked region, accounting for 31% of all incidents remediated worldwide.1

Manufacturing tops the list of attacked industries across the Asia-Pacific region, with 48% of cases.2

Last year saw a 140% surge in cyberattacks against industrial operations.3

Attacks that impact operational technology can lead to real-world consequences beyond mere system
delays. Some of the most notable ones in recent times include:

Toyota (2022 & 2023): In 2022, the car manufacturer was forced
to shut down 14 factories in Japan for over 24 hours after a virus
infected a file server. The lost output equaled about 13,000 vehicles.
In December 2023, Toyota Financial Services had to shut down
systems after Medusa ransomware exfiltrated data, holding it for an
$8 million USD ransom.4

Johnson Controls (2023): The ransomware gang The Dark Angels
exfiltrated over 27 TB of data from the multi-national manufacturer.
The cost of remediating the attack totaled $27 million USD, according
to SEC filings.5

Applied Materials (2023): The multi-billion-dollar semiconductor
supplier became the victim of a supply-chain ransomware attack that
disrupted shipments, costing firms $250 million in lost sales in the
second quarter of 2023. As organizations become more connected,
especially in the manufacturing sector, these kinds of attacks have
increased, as threat actors seek out weak points in the supply chain.6

1 2023. IBM. Cost of a Data Breach Report 2023
2 2023. IBM. Cost of a Data Breach Report 2023
3 2023. Security Intelligence
4 2022. CNN
5 2023. Security Week
6 2023. The Record



Global Cyberattacks on the Rise

BlackEnergy3 (2015): Spear phishing was used to disrupt power plants in Ukraine, causing hundreds of residential areas to lose power during the cold winter.

Shamoon 2 (2016): Another type of malware that cleans data is once again affecting oil companies in the Middle East.

Triton (2017): A computer virus targeting Triconex SIS caused an explosion at a petrochemical plant in the Middle East.

NotPetya (2017): This ransomware caused damage to about 10 billion computers in various industries worldwide.

Shamoon 3 (2018): Data removal malware at one time affected oil and gas companies in Southern Europe and the Middle East.

Ryuk (2019): This type of ransomware primarily targets oil and gas companies and leaves them with only manually operated equipment.

LockerGoga (2019): This type of ransomware can delete data and specifically attacks production units.

Wasted locker (2020): Ransomware attacks smartwatch vendors.

Milum (2020): It is an APT (Advanced Long-Term Threat) Ransomware; designed to gain remote control of the device.

Ekans (2020): The main target of this ransomware attack is car manufacturers.

Ragnar (2020): This ransomware mainly attacks energy suppliers in North America.

Malicious RDP (2021): Unauthorized remote control is intended to take control of water treatment facilities in the United States and cause their contamination.

DarkSide Ransomware (2021): The ransomware disrupted the largest pipeline facility in the United States, which supplies 45% of the East Coast diesel, gasoline and jet fuel. US President Joe Biden urgently declared the incident a serious cyberattack.

Virus Infection (2022): A famous Japanese car manufacturer had to shut down 14 factories in Japan for over 24 hours after a virus infected a file server. The lost output equaled about 13,000 vehicles.

The Dark Angels (2023): Johnson Controls was the victim of a ransomware attack. In 2023, the Asia offices of Johnson Controls were breached, causing a virus to spread across the organization. The Dark Angels took credit for the attack, and exfiltrated over 27 TB of data.

Supply-chain (2023): Applied Materials became the victim of a supply-chain ransomware attack in February 2023 that disrupted shipments cost.



New Rules of OT Security
Asia has a rapidly evolving digital economy and technology. However, with this innovation has come an
increase in cybercriminal activity, and, consequently, a need for stronger cybersecurity.

The manufacturing sector in Asia is the most targeted industry by cybercriminals. Manufacturing
entities are appealing targets for extortion due to their minimal tolerance for operational downtime.
Despite a large number of cyber incidents, more than one-third (36%) of organizations lack an incident
response plan and are therefore vulnerable to attacks.7

Given the increased risk, regulators around the world are implementing new regulations, directives,
and frameworks governing OT security. These include:

The EU Agency for Cybersecurity (ENISA) has developed a set of guidelines for securing industrial control systems in the EU, which provide recommendations on best practices for securing OT systems.8

The National Institute of Standards and Technology (NIST) has released a new concept paper for the NIST 2.0 Cybersecurity Framework to increase the ability to support critical infrastructure and other organizations as they try to minimize cyber risk.9

The NIS2 Directive, which will be implemented in October 2024, will notably affect OT environments by imposing more stringent cybersecurity requirements and expanding the range of affected sectors, thereby increasing the number of organizations that must comply.

The Cyber Incident Reporting for Critical Infrastructure Act requires critical infrastructure owners and operators to report cybersecurity incidents within 72 hours.10

By 2027, 75% of security teams will have on-boarded at least five tools to manage
cyber-physical systems (CPS) security in operational, production, or mission-critical
environments, up from just two today.11

7 Kroll. State of Incident Response
8 ENISA
9 NIST
10 Cyber Incident Reporting for Critical Infrastructure Act
11 2023. Gartner. Market Guide for Operational Technology Security



Cybersecurity for Critical IT/OT
Traditionally, SOCs are tasked with preventing, detecting, and responding to cybersecurity threats
and incidents, along with meeting regulatory obligations. However, they typically do not encompass
industrial systems within their mandates. Yet, there’s potential to extend SOC investments to include
Operational Technology (OT) domains.

These self-contained and often proprietary operational technology systems, which businesses rely
on for value and revenue generation, are frequently overlooked in traditional IT security operations
centers (SOCs). Consequently, we’re witnessing a troubling increase in cyberattacks targeting
industrial operations.

What is Involved in Holistic Cybersecurity?
For more on the elements involved in a holistic
approach to cybersecurity, read our whitepaper:
IT/OT Security Operations Center |
Protecting the Industrial Enterprise

Holistic cybersecurity is a comprehensive programmatic approach to IT/OT security that
starts with raising awareness and conducting vulnerability assessments and penetration
testing and culminates with the implementation of essential cybersecurity and digital
forensics services like an IT/OT Security Operations Center (SOC).

The holistic approach considers the breadth of assets and systems under protection. By integrating
both IT and OT assets, the IT/OT SOC ensures coverage across all critical domains.

Yokogawa combines the latest regulations, directives, and frameworks to develop its methodology
for its groundbreaking OpreX IT/OT Security Operations Center (IT/OT SOC) — an advanced security
service that helps industrial enterprises monitor and enhance their IT and OT network security
holistically. Detect, identify, and respond to security threats to protect your most valuable systems and
ensure business continuity.



Yokogawa IT/OT SOC operates as a centralized managed service to monitor and protect
the availability and integrity of these business-critical systems for a fault-free operation.

Detection of known and unknown threats
Quick incident response
Pro-active defense
Ultimate collaboration, flexibility, and support

Automated incident workflow with orchestration tools
Cyber Threat Intelligence
Elastic cloud for a fast, scalable, and unified approach
ML and AI-based SIEM

[Figure: IT/OT Security Operations Center diagram. Monitored scope: corporate log and event data; sensors, fields and processes; DMZ and DCS (Layer 0-3.5). Panels: IT Network Security Monitoring; OT Network Security Monitoring; IT SOC Services; OT SOC Managed Services; Custom Use Case & Training; Cyber Threat Intelligence; SIEM & SOAR; Incident Workflow; IT Data Processing & Analytics; OT Monitoring.]



Yokogawa SOC Services

IT/OT SOC Start-Up Service

Yokogawa customizes monitoring logs to align with your unique cybersecurity
risks and proposes necessary security risk mitigation measures and related
security services.

IT/OT Security Monitoring Service

Yokogawa offers real-time security incident notifications for cyberattacks
and unauthorized access. It also provides incident reports through real-time
dashboards and conducts regular meetings to explain monitoring
reports, offer risk mitigation advice, and prevent cyberattacks.

Incident Response Training Service

Yokogawa provides security playbooks for incident responses and risk
mitigation strategies, as well as standard operating procedures (SOP) for
incident analysis and remediation by CSIRT.

Cybersecurity Vulnerability Assessment (VA)

Yokogawa’s vulnerability assessment service is a comprehensive analysis that
identifies vulnerabilities and prioritizes risks — a unique service that ensures
compliance and encourages continuous improvement.

Penetration Testing

Yokogawa can incorporate your existing PenTest tools or introduce our own
proven methods to simulate cyber-attacks to identify weaknesses, with a
focus on the differences in approach between IT and OT environments.

Digital Forensic Services

Yokogawa can conduct a wide range of activities aimed at uncovering
digital evidence of cybercrimes, security breaches, fraud, and other illicit
activities in a legally sound and admissible manner.



Reduce Operational Risk and Increase Cybersecurity Resiliency
Built specifically for industrial environments, Yokogawa OpreX™ IT/OT Security Operations Center
(SOC) helps you manage and secure your operational technologies alongside your IT — for greater
control over your devices, networks, and users. Leveraging predictive AI and machine learning
technology, Yokogawa’s comprehensive managed service ensures you stay ahead of the risks with
intelligent cyber threat detection capabilities.

ML and AI-based SIEM detect unknown threats

Abnormal activities and sophisticated attacks are quickly flagged and resolved.

Always-on protection

Log and event information is constantly collected and examined using cyber threat intelligence to
detect suspicious activity in real time.

Automated workflows for a faster response

Tasks are coordinated, executed, and automated to minimize human error for a rapid resolution.

Seamless integration with existing infrastructure

Easily integrate the Yokogawa SOC with existing security and data management systems.



Ready to Build a More Resilient Business?
Leveraging over 100 years of deep process industry domain experience, Yokogawa is a leading
technology provider of industrial innovation, including security, control, automation, digitalization,
and testing and measurement.

As part of our Global Security Operations Network, our SOC experts provide managed service to
protect the world’s most valuable industrial operations.

Contact us to learn more or request a demo.

Global Security Network

Yokogawa’s network of global Security Operations Centers stretches across the world. They collaborate and share
expertise and best practices in their relentless pursuit of robust cybersecurity. Our clients benefit from comprehensive
intelligence, better preparedness, swifter response, and improved resilience.

Global Security Operations Network

Singapore (CoE & Lab)
Netherlands (SOC)
Japan (CoE & R&D HQ)
Romania (SOC)
Thailand (SOC)
India (Lab/SOC)

Yokogawa’s Security Program

Every enterprise has its own, unique security requirements. That’s
why our consulting-led starting point is always to help our clients
understand and quantify their risk profiles, identify critical data
assets, and assess their current security strategies and levels of
protection.

IT/OT SOC is a part of Yokogawa’s Security Program that focuses on
delivering resilient cybersecurity services and solutions to reduce cyber
risks in the process industries. IT/OT SOC builds on decades of
expertise in industrial automation, best practices in cybersecurity
architecture design, and plant and enterprise operations knowledge to
ensure a safe and secure enterprise.

Delivered as a managed service, Yokogawa’s IT/OT SOC
contributes to the timely implementation of security updates and
continuous monitoring of security performance to solve the
fundamental challenge of keeping your enterprise security at the
highest level.

Yokogawa’s Security Program combines decades of
expertise in industrial automation, best practices in
cybersecurity architecture design, and plant operations
knowledge to ensure your safe and secure operations.
