Industrial Cybersecurity: With great power comes great responsibility

Author: David Pownall, VP Services at Schneider Electric

11 February 2021

The Industrial Internet of Things (IIoT) has given rise to many new opportunities. This progress, however, depends on processes being well protected. From sensors to the cloud, openness is essential to uncovering business insights from process and IT data. The benefits of this transparency, however, bring a new set of challenges.

Cybersecurity is not just about people stealing data or intellectual property. Those same transparent networks are used to operate machinery. If these signals, and indeed all data flowing on industrial networks, are compromised, it could lead to a dangerous incident.

Whilst there’s a lot to be gained by crossing the digitisation frontier, it’s critical that this is done securely. Industrial digitisation cannot be carried out before strong, reliable cybersecurity is established.

Starting from the ground-up

Industry requirements and standards such as ISO27001 can provide a consistent framework for industrial cybersecurity strategies. There is also a vast selection of cybersecurity solutions to help plant operators implement these standards. Like safety, cybersecurity also comes down to culture and education. Successful cybersecurity initiatives always involve people, processes, and technology from the start.

Companies tend to move through three different levels of maturity when it comes to cybersecure digital operations: awareness, active management and finally, security excellence. It’s essential that companies recognise this process, and continually push themselves to move from the most basic, fundamental policies to a fully-fledged, end-to-end lifecycle approach to security.

Building the foundations

Cybersecurity starts with awareness. It pays to do the basics well because many cybersecurity incidents are accidental – simple mistakes and human errors that are due to a lack of education and awareness. Addressing this type of risk should be a priority first step and lays the foundations for a successful cybersecurity strategy.

An effective first step in achieving this foundational security is to build it into company culture and employee experience. Cybersecurity is not the sole responsibility of the IT team. It’s therefore vital that security training is built into the employee lifecycle, for all team members. From recruiting to onboarding to employee development and succession planning, education, awareness and training are critical. By making everyone, everywhere responsible for cybersecurity, you can move employees from simply executing their traditional tasks to recognising that implementing and adhering to cybersecurity best practices is now part of their core responsibilities.

Leveraging technology for active management

Once a basic culture and understanding of cybersecure behaviours is established, companies should continue to improve their cybersecurity strategies by adopting an active management approach. Active management cybersecurity strategies are designed to defend against more opportunistic or deliberate attacks. Most larger companies will typically have comprehensive organisation-wide cybersecurity processes in place with cybersecurity teams whose job it is to regularly review the performance and metrics of these processes. 

To reach this level of maturity, available technologies should be leveraged to plug the gaps that human efforts can’t necessarily fill. This technology comes in the form of anti-virus software and firewalls, installed across enterprise networks. Some organisations may even implement automatic monitoring, to bolster security 24 hours a day, 7 days a week.

To protect a facility from attacks that cause downtime, loss of intellectual property or other operational damage, active management is a must. However, at this level, enterprises are usually only protected from threats that originate inside their four walls. This level of vulnerability is unacceptable for critical infrastructure or anyone whose operations demand the next and highest level of protection.

Protecting the entire value chain

At the most secure end of the cybersecurity spectrum, organisations integrate security excellence into their processes, from end to end. This level of protection aims to prevent deliberate, skilled attacks on industrial control systems. Security excellence is about protecting not just the facility itself, but the entire value chain.

Cyber protection is even more critical where complex software from multiple sources connects to drive a business. As cyber-attacks become more sophisticated and malicious, viruses or malware are more likely to enter via external parties such as partners, suppliers or even customers. Whilst many organisations are increasing their spending and commitment to cybersecurity internally, only 15% of businesses have reviewed the risks presented by their suppliers (Gov.uk, 2020). These external vulnerabilities are especially threatening to industrial organisations, which interact with a vast number of external parties on a daily basis.

In this way, protecting others is an important part of protecting yourself. Ongoing training and development programs should be put in place and best practices shared with supply chain members and customers – it is not enough to assume that your partners are implementing the same precautions as you are. Technology such as automatic monitoring should also extend to the supply chain and customers via Security Operations Centres (SOCs).

As the future becomes increasingly digital, reaching a robust level of cybersecurity will involve an end-to-end, lifecycle approach. To fully embrace the power of digitisation, it’s important to first make sure that cybersecurity is covered from the three angles of people, process and technology. Any future changes to control systems, networks etc. must also take into account and address any potential impact on cybersecurity. Businesses that do this successfully can securely and confidently enjoy their digital and connected future.

