Case Study: Purple Team to Secure ICS in Meat Production
The meat production industry heavily depends on Industrial Control Systems (ICS) to optimize operations, boost efficiency, and guarantee product quality. However, as the threat landscape expands, safeguarding these systems has become an urgent priority. This case study dives into the use of purple teaming at a meat processor that we worked with.
Used correctly, purple teaming enables an organization to determine where gaps are in its controls and fix them, in a cost-effective way.
Our client, a leading player in the meat production sector, recognized the need to bolster its Industrial Control Systems (ICS) infrastructure’s security. The company’s meat production process involves complex machinery, automated systems, and interconnected devices that control various stages of production, from slaughtering to packaging.
Our client faced several challenges in securing its ICS infrastructure. These included:
- Legacy Systems: The presence of legacy systems made it challenging to implement modern security measures due to compatibility issues and outdated software. With around 26,000 vulnerabilities reported in 2023, this matters: older systems may no longer be supported by their manufacturers and so will not receive updates (unless costly extended-life agreements are entered into).
- Increased Cyber Threats: The rise in cyber threats targeting industrial environments has become a growing concern for organizations like our client. These incidents can lead to production disruptions, financial losses, and reputational damage. The best known attack on a meat processor was the 2021 ransomware attack on JBS, which resulted in the company paying an $11m ransom.
- Regulatory Compliance: Adhering to industry-specific regulations and standards was crucial for our client. Failure to comply with these requirements could result in fines, sanctions, or even loss of certification. For example, the Food Safety Modernization Act (FSMA) requires food processing facilities to implement preventive controls to protect against intentional adulteration, including cyber attacks that could compromise product safety. The end of January also saw the introduction of the Farm and Food Cybersecurity Act.
- Reliability: Downtime is not acceptable in this environment; it has multiple implications, all of which carry a financial impact. Any testing therefore has to be extremely cautious, a concern heightened by the presence of legacy systems.
- Specialized Equipment: There are many proprietary protocols, engineering tools, and wireless and operational technologies that are unique to ICS. It is critical to understand these technologies and the risk they could pose to the operating assets and the company as a whole.
These challenges underscore the importance of implementing robust cybersecurity measures tailored to ICS environments. With that in mind the decision was made to conduct a purple team assessment.
Why Purple Team?
Reduce risk: As discussed, the environment was considered high risk. The ongoing communication that takes place during a purple team reduced the risk of testing causing an issue: the operations team were fully aware of what was going on and were involved in all aspects of testing.
Increase ROI: Our client spends a considerable amount on security tools. The purple team provided an opportunity to identify ways to get the most from those existing tools. As with all our engagements, whenever a problem was identified we reviewed the client's existing controls to determine whether they could address it. We have seen tools not used to their full potential in far too many places.
Improve Defense: The client wanted to improve the defensive posture of the environment. In this case defined as lowering the probability that an external attacker who had gained a foothold on the network could disrupt operations.
Cost Effective: The client wanted to get the most from their security budget, and purple teaming was seen as a way to get the benefits of a red team together with a real-time assessment of controls, and to apply fixes as the engagement progressed. In some cases it can be more effective to assume the external perimeter has been breached and start testing internally, rather than spend time (and money) trying to breach it externally.
The purple team identified a number of areas for improvement. While many of these were immediate security control modifications, some broader areas were also identified, specifically:
- Network Segmentation: Network segmentation is a strategy that involves dividing a network into smaller sub-networks to isolate critical components and limit the spread of threats. In this case, some network segmentation had been implemented to protect the ICS infrastructure. However, gaps were identified where an attacker could still move laterally between segments, and these required remediation.
- Security Updates and Patch Management: Regular security updates and patch management are essential for addressing vulnerabilities in both operating systems and ICS software. Missing patches were identified and whether they could actually be exploited in this environment was determined. Where possible these were remediated. Where remediation was not possible (for example on unsupported legacy systems, or equipment that cannot be taken down to patch), the use of detective security controls was reviewed and implemented instead.
- Incident Response Plan: On the blue team side some gaps were found in the incident response plan. An ICS incident response plan is not quite the same as a typical infrastructure plan: the outcome is the same (minimize the impact of an incident), but the technology environment is different and an event can have real physical impacts which need to be considered. The gaps were subsequently remediated and the plan retested.
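The Network Segmentation item above is the kind of finding a purple team verifies rather than assumes: the red side attempts cross-zone connections, and the blue side checks the firewall or flow logs to see which attempts were actually allowed. The script below is an added example of that check and is not code from the engagement or the client. It models zones and allowed conduits (loosely following the IEC 62443 zone/conduit idea) as an allow-list, classifies each observed flow against it, and separates violations the firewall let through (a segmentation gap) from violations it blocked (the control working). The zone ranges, conduit ports, log format and log lines are all constructed for illustration; substitute your own policy and a real log export.

```python
"""Check observed traffic against an ICS zone/conduit allow-list.

Added example (not code from the engagement described on the page).
Zones, conduits, log format and log lines are all constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical zones, loosely following the IEC 62443 zone/conduit idea:
# traffic may only cross a zone boundary through an explicitly allowed conduit.
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "dmz":        ipaddress.ip_network("10.20.0.0/24"),
    "control":    ipaddress.ip_network("192.168.50.0/24"),  # SCADA / HMI
    "field":      ipaddress.ip_network("192.168.60.0/24"),  # PLCs
}

# Allowed conduits as (src_zone, dst_zone, dst_port, proto). Any other flow that
# crosses a zone boundary is a policy violation. Ports are assumptions.
ALLOWED_CONDUITS = {
    ("enterprise", "dmz", 443, "tcp"),    # users reach the historian web UI
    ("control", "dmz", 5000, "tcp"),      # SCADA pushes data to the historian
    ("control", "field", 502, "tcp"),     # HMI/SCADA polls PLCs over Modbus/TCP
    ("control", "field", 44818, "tcp"),   # EtherNet/IP explicit messaging
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    action: str  # what the firewall actually did: "allow" or "deny"

# Constructed key=value log format; adapt the regex to your firewall's export.
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+) action=(\w+)")

def parse_line(line: str) -> Flow:
    """Parse one log line into a Flow; raise on lines we cannot read."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    src, dst, dport, proto, action = m.groups()
    return Flow(src, dst, int(dport), proto.lower(), action.lower())

def zone_of(ip: str):
    """Return the zone name containing ip, or None if it is outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None

def policy_verdict(flow: Flow) -> str:
    """'intra-zone', 'allowed', 'violation', or 'unknown' (address outside every zone)."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "unknown"
    if src_zone == dst_zone:
        return "intra-zone"
    if (src_zone, dst_zone, flow.dport, flow.proto) in ALLOWED_CONDUITS:
        return "allowed"
    return "violation"

def find_segmentation_gaps(lines):
    """Return (gaps, blocked): cross-zone violations the firewall allowed vs. denied.

    A violation the firewall allowed is a segmentation gap to remediate; a
    violation it denied shows the control doing its job.
    """
    gaps, blocked = [], []
    for line in lines:
        flow = parse_line(line)
        if policy_verdict(flow) != "violation":
            continue
        (gaps if flow.action == "allow" else blocked).append(flow)
    return gaps, blocked

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = [
    "src=10.10.4.21 dst=10.20.0.5 dport=443 proto=tcp action=allow",         # allowed conduit
    "src=192.168.50.10 dst=192.168.60.12 dport=502 proto=tcp action=allow",  # SCADA -> PLC, allowed
    "src=10.10.4.21 dst=192.168.60.12 dport=502 proto=tcp action=allow",     # enterprise -> PLC: gap
    "src=10.10.4.21 dst=192.168.50.10 dport=3389 proto=tcp action=deny",     # RDP to HMI: blocked
    "src=192.168.60.12 dst=10.10.4.21 dport=445 proto=tcp action=allow",     # PLC zone -> enterprise: gap
    "src=192.168.50.10 dst=192.168.50.11 dport=445 proto=tcp action=allow",  # intra-zone, not assessed
]

if __name__ == "__main__":
    gaps, blocked = find_segmentation_gaps(SAMPLE_LOG)
    for f in gaps:
        print(f"GAP     {zone_of(f.src)}->{zone_of(f.dst)} {f.src} -> {f.dst}:{f.dport}/{f.proto}")
    for f in blocked:
        print(f"BLOCKED {zone_of(f.src)}->{zone_of(f.dst)} {f.src} -> {f.dst}:{f.dport}/{f.proto}")
```

Two design points worth noting. Flows inside a single zone are deliberately not assessed, because segmentation policy is about boundaries, not about every host pair; a separate control (host firewalls, allow-listing on the HMI) covers intra-zone traffic. And the direction matters: the PLC-zone-to-enterprise flow on port 445 is flagged even though the reverse direction has a legitimate conduit on another port, which is exactly the kind of gap that lets a compromised engineering workstation or PLC reach back into IT.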
Securing Industrial Control Systems in the meat production process is a critical undertaking that requires a proactive and comprehensive cybersecurity strategy. Our client's use of purple teaming to help achieve this goal illustrates the benefits this approach can provide. As cyber threats continue to evolve, and budgets stay flat or shrink, the benefits of purple teaming become clear.