Background
A multi-site discrete manufacturing group suffered a ransomware attack at their European production facility that encrypted HMI workstations and disrupted PLC communications, halting production for 11 days. The total financial impact exceeded $15M in lost production, recovery costs, and contract penalties.
While the European site was being recovered, the group CISO engaged Beacon Security to conduct a rapid OT vulnerability assessment at their largest remaining facility to determine whether the same attack vectors existed and to close any critical gaps before they could be exploited.
The engagement was authorized directly by the board with a mandate to complete the assessment within three weeks.
Note: All identifying details have been removed to protect client confidentiality.
The Challenge
The facility presented conditions typical of manufacturing environments that have undergone digital transformation without corresponding security investment:
No OT Asset Inventory
The only documentation was a network diagram produced during the original PLC installation eight years prior. Neither IT nor plant engineering teams were aware of approximately 60% of the devices communicating on the OT network. Nobody could definitively answer the question: "What is connected to our production network?"
Unreviewed IT/OT Connections
A recent Industry 4.0 connectivity project had created multiple paths between the enterprise network and the production floor. Firewall rules had been added reactively as connectivity requirements emerged, with no overarching security architecture. The same flat-network condition that enabled the ransomware to reach PLCs at the European site existed here.
Legacy Equipment Spanning 15 Years
The facility operated PLCs from three different vendors across installations spanning over 15 years. Several units were running firmware versions at end of vendor support with publicly known vulnerabilities.
Persistent Vendor Remote Access
Four equipment vendors maintained persistent VPN connections active 24/7 for intermittent maintenance needs. No session recording, monitoring, or termination policies were in place. Credentials were shared among vendor staff.
Our Approach
Beacon Security conducted a phased passive OT vulnerability assessment over a three-week period, specifically designed to produce actionable results quickly given the urgency of the situation.
Phase 1: Rapid Scoping (Days 1-2)
A two-day on-site workshop with operations, IT, and engineering teams established the assessment scope. We reviewed the ransomware incident report from the European site to understand the specific attack chain and ensure our assessment targeted the same vectors.
Key agreement: all assessment activities would be passive and non-intrusive. Every data collection activity required sign-off from the shift supervisor.
Phase 2: Passive Network Monitoring (Days 3-7)
Network taps were installed at three critical collection points:
- The IT/OT network boundary switch
- The main production floor network switch
- The inter-zone connection between assembly and packaging lines
Passive collection ran for five days during normal production operations, capturing all network communications without injecting a single packet.
Phase 3: Asset Discovery and Vulnerability Correlation (Days 8-12)
Traffic analysis identified 87 communicating OT assets, compared to 34 listed in existing documentation. The additional devices included unregistered HMIs, engineering laptops permanently connected to the OT network, and several devices with no clear ownership.
For each asset:
- Device type, manufacturer, model, and firmware version identified from traffic signatures
- Known CVEs correlated against discovered firmware and software versions
- Network communication patterns mapped and analyzed for anomalies
- Comparison against the European site attack chain to identify matching conditions
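The correlation step above, reduced to its core checks, as an added illustration that is not Beacon Security's tooling: constructed flow records from the taps are turned into a passive inventory, compared against the documented asset list, and screened for enterprise hosts speaking ICS protocols straight to OT devices and for interfaces seen on both networks. The address ranges, MACs and flows are all assumptions built for the sample.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed address plan for the constructed sample (not the client's real ranges).
ENTERPRISE = ip_network("10.0.0.0/16")
OT = ip_network("192.168.10.0/24")
ICS_PORTS = {502: "Modbus/TCP", 44818: "EtherNet/IP", 102: "S7comm"}

# Assets listed in the old installation diagram (constructed).
DOCUMENTED = {"192.168.10.10", "192.168.10.11"}

# Constructed flow records from the taps: (src_mac, src_ip, dst_ip, dst_port).
FLOWS = [
    ("aa:00:01", "192.168.10.10", "192.168.10.11", 502),    # documented PLC <-> HMI
    ("aa:00:02", "192.168.10.11", "192.168.10.10", 502),
    ("aa:00:03", "192.168.10.20", "192.168.10.10", 502),    # HMI missing from the diagram
    ("aa:00:09", "10.0.5.23", "192.168.10.10", 502),        # enterprise host polling a PLC
    ("aa:00:07", "192.168.10.30", "192.168.10.10", 44818),  # laptop on the OT segment
    ("aa:00:07", "10.0.7.44", "10.0.1.5", 443),             # same MAC with an enterprise IP
]

def ot_assets(flows):
    """Every address seen talking on the OT range: the passive inventory."""
    return {ip for _, src, dst, _ in flows for ip in (src, dst) if ip_address(ip) in OT}

def undocumented(flows, documented):
    """Discovered OT assets absent from the existing documentation."""
    return sorted(ot_assets(flows) - documented)

def direct_plc_access(flows):
    """Enterprise hosts speaking an ICS protocol straight to an OT device."""
    return [(src, dst, ICS_PORTS[port]) for _, src, dst, port in flows
            if ip_address(src) in ENTERPRISE and ip_address(dst) in OT and port in ICS_PORTS]

def bridged_hosts(flows):
    """Interfaces seen with addresses in both networks: candidate dual-homed bridges.
    Assumes the tap shares the L2 segment with the sender; behind a router the source
    MAC is the gateway's, so switch MAC tables or DHCP/NBNS hostnames are needed instead."""
    nets = defaultdict(set)
    for mac, src, _, _ in flows:
        addr = ip_address(src)
        if addr in ENTERPRISE:
            nets[mac].add("enterprise")
        elif addr in OT:
            nets[mac].add("ot")
    return sorted(m for m, seen in nets.items() if len(seen) == 2)

if __name__ == "__main__":
    print(undocumented(FLOWS, DOCUMENTED), direct_plc_access(FLOWS), bridged_hosts(FLOWS))
```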
Phase 4: Architecture Review (Days 13-15)
Working with operations and IT, we documented the actual versus documented network architecture, identified all IT/OT boundary connections, and reviewed firewall rules against the reality discovered through passive monitoring.
Phase 5: Emergency Briefing and Full Report (Days 16-21)
Given the urgency, we delivered an emergency briefing on Day 16 covering the 4 critical findings requiring immediate action, followed by the complete report with all 34 findings on Day 21.
Key Findings
Critical Finding 1: Direct Unfiltered PLC Access
One production PLC controlling a critical assembly process was directly accessible from the enterprise network through an undocumented connection created during the connectivity project. This was the same attack vector used in the European ransomware incident.
Remediation: Immediate network isolation applied within hours of the emergency briefing.
Critical Finding 2: Default Credentials on HMIs
Two HMI workstations were operating with manufacturer default credentials. Both were reachable from the enterprise network. An attacker with enterprise network access could have logged into these HMIs and modified production parameters.
Remediation: Credentials changed within 24 hours of notification.
Critical Finding 3: Undocumented Device
An engineering laptop that had been left permanently connected to the OT network was found to be running outdated antivirus signatures and to be connected to both the OT network and the corporate Wi-Fi simultaneously, creating an unauthorized bridge between the two.
Remediation: Device removed immediately. Policy established for engineering device management.
High Finding: End-of-Life PLC Firmware
Six PLCs were running firmware with publicly known vulnerabilities for which no patches exist. The same firmware versions were deployed at the European site.
Remediation: Vendor engaged for upgrade assessment. Compensating network controls applied within 48 hours.
Outcome
The assessment was completed with zero production disruptions. All 4 critical findings were remediated within 7 days of the emergency briefing.
Deliverables Provided:
- Complete OT asset inventory (87 assets) with network connectivity map
- Vulnerability report with 34 findings across 4 severity levels
- European incident attack chain comparison analysis
- IEC 62443 gap analysis establishing Security Level 1 baseline
- Remediation roadmap targeting Security Level 2 within 6 months
- Executive summary for board reporting
Immediate Impact:
- Attack vectors matching the European incident identified and closed within 7 days
- OT network visibility established for the first time in the facility's history
- Vendor remote access converted to monitored, on-demand model within 14 days
- OT security monitoring solution procurement initiated immediately
The facility subsequently engaged Beacon Security for a network segmentation implementation project, and the assessment methodology was adopted as the standard for all remaining plants in the group.
Beacon Security conducts rapid OT vulnerability assessments for industrial environments. Contact us to discuss your assessment requirements.
