Cybersecurity Risk Management and Reliability in Manufacturing

Never before has cybersecurity—and risk mitigation—been more critical. For many in the manufacturing industry, the first question is: Where do I turn for help?

The pace of technological innovation in industrial manufacturing has accelerated drastically in recent years—for better and for worse.

The Internet of Things (IoT) continues to take hold across industry, and getting the most value from it requires manufacturers to unify their operations and business processes in some way. The most logical method for doing so is converging the IT functions that have historically run the business with the operational technology (OT) functions that have historically run the manufacturing process. The business synergies and financial implications of doing so make it a no-brainer for manufacturers to pursue, if they hope to maintain or increase operating profit.

But just as manufacturing technology has advanced, so too have the risks. IoT-enabled open platforms and interconnected systems have opened new doors for cybercriminals, leading to a rise in the frequency and severity of cyberattacks. A common approach to enabling an industrial IoT environment is deploying sensors across the plant. These sensors, while able to provide astounding amounts of valuable business and operating data, are also gateways into the systems that control our most critical and volatile processes and infrastructure: every sensor and sensor gateway is a network connection into the control environment, and the attack surface grows with each one. The dark web has given low-level cybercriminals access to advanced hacking techniques, enabling them to attempt high-level cyberattacks intended to cripple systems and wreak havoc, even catastrophe.

Follow Standards and Best Practices—From the Top

Cyberattacks affect many industries and are increasingly conducted on a geopolitical level, as many of today's progressively bold, innovative attacks are perpetrated by malicious actors such as nation-states, who have time, resources and funding far beyond those of an ordinary criminal. As such, defense strategies and protocols set by governments can make an impact.

In 2013, the United States government directed NIST to develop what became the NIST Cybersecurity Framework (first published in 2014), an authoritative source for cybersecurity best practices. Other countries around the world have similar standards or are actively working on local versions. In some countries, such as France, these standards even carry the weight of law. These cybersecurity standards create an ordered, structured approach to addressing cybersecurity challenges. They help translate vague, fear-based concerns about cybersecurity into commonsense risk analysis, risk tolerance assessment and risk treatment.

Yet even where robust, up-to-date governmental cybersecurity standards exist, industry standards should be learned and regularly reinforced. Perhaps most essential is IEC 62443, the series of standards for industrial automation and control system security. It addresses asset owners, system integrators and product suppliers separately, and it defines security levels and the zone-and-conduit model used to safeguard operations layer by layer. Cyber threats change by the day, however, so these standards are continually being refined. A strong security culture is founded on closely tracking and adhering to evolving standards, protocols and best practices.

Make the Financial Argument to Leaders

Cybersecurity standards—both on governmental and industry levels—are the guiding principles that manufacturers should abide by. But every manufacturer, every plant, faces different risk factors and organizational challenges.

Even with the proliferation of standards and the high risk of cyberattack in today's connected world, many manufacturing leaders still aren't taking it seriously enough. It is time to shift the conversation away from the fear of a cyberattack to something understood in every boardroom: reliably contributing to (or simply protecting) the bottom line. Cyberattacks and data breaches cost manufacturers billions each year worldwide, and the damage to brand reputation can be incalculable. Insurers worldwide are also limiting how much coverage these companies can buy to protect themselves from cyberattacks. Further, in many regions, insurance premiums are now calculated from responses to simple questions about how well organizations adhere to cybersecurity best practices.

Cybersecurity inherently incorporates risk management, and the argument to business leaders should meet them at their level: dollars and cents. Reliable delivery is what customers and the wider economy depend on, and the risk of a cyberattack threatens a manufacturer's ability to remain a reliable part of the supply chain.

Assess Plant Risk, Implement Cybersecurity Plan

With the buy-in of business leaders, there are steps manufacturers can take to protect themselves, and their bottom lines. By knowing their plant's current cybersecurity posture and business leaders' appetite for risk, they can measure the gap between where cyber risks are already managed and where the business requires them to be, and how much of that gap remains to be closed.

A savvy preliminary step is ascertaining the value of manufacturing processes and company assets, both to the organization and to potential attackers. This means calculating the size of the security risk in business terms. For example, if the plant were to go down for a day due to a cyberattack, the loss of production would be equal to $XX, and the full cost of the incident should also include recovery and restart.

No two organizations have the same infrastructure, so leaders responsible for cybersecurity need to determine where security risk management functions should integrate into the organization's infrastructure and how each identified risk will be treated. The options are the familiar ones: risk avoidance, mitigation, acceptance or transference (for example, through insurance), and each carries its own cost.
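As an added illustration of the "size of security risk" step and the four treatment options (example code written for this page, not code from the article or from Schneider Electric), the following Python models the risk as an annualized expected loss and puts each treatment option on the same footing: its own annual cost plus the loss that remains after it is applied. The loss model (loss per incident times expected incidents per year), the effect attributed to each option, and every dollar figure are constructed assumptions, not figures from the page.

```python
"""Risk quantification and treatment comparison for a plant outage scenario.

Added example, not from the article. Model and all figures are assumptions:
annual expected loss = loss_per_incident * incidents_per_year, and each
treatment scales frequency and/or loss and adds its own annual cost.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    loss_per_incident: float   # lost production plus recovery for one incident
    incidents_per_year: float  # expected frequency (0.5 = once every two years)

    def annual_expected_loss(self) -> float:
        return self.loss_per_incident * self.incidents_per_year


@dataclass(frozen=True)
class Treatment:
    kind: str                # "avoid", "mitigate", "accept" or "transfer"
    annual_cost: float       # premium, control spend, or forgone benefit per year
    frequency_factor: float  # multiplier on incidents_per_year after treatment
    loss_factor: float       # multiplier on loss_per_incident after treatment

    def residual_loss(self, s: Scenario) -> float:
        # Order of operations kept fixed so results are reproducible.
        return (s.loss_per_incident * self.loss_factor
                * s.incidents_per_year * self.frequency_factor)

    def total_annual_cost(self, s: Scenario) -> float:
        return self.annual_cost + self.residual_loss(s)


def outage_loss(units_per_day: float, margin_per_unit: float,
                recovery_cost: float, days_down: float = 1.0) -> float:
    """The article's '$XX for a one-day outage', made explicit: lost margin on
    unbuilt units plus the cost of recovery and restart (assumed components)."""
    return units_per_day * margin_per_unit * days_down + recovery_cost


def cheapest_treatment(s: Scenario, options: list) -> Treatment:
    return min(options, key=lambda t: t.total_annual_cost(s))


# Constructed scenario: ransomware stops one production line for a day.
LINE_STOP = Scenario(
    name="line stop, one day",
    loss_per_incident=outage_loss(units_per_day=20_000, margin_per_unit=12.5,
                                  recovery_cost=150_000),
    incidents_per_year=0.5,
)

# Constructed treatment options for that scenario.
OPTIONS = [
    Treatment("accept", annual_cost=0, frequency_factor=1.0, loss_factor=1.0),
    # Segmentation plus monitoring: fewer incidents, and shorter ones.
    Treatment("mitigate", annual_cost=60_000, frequency_factor=0.25, loss_factor=0.5),
    # Cyber insurance: same frequency, most of the loss paid by the insurer.
    Treatment("transfer", annual_cost=90_000, frequency_factor=1.0, loss_factor=0.25),
    # Keep the line isolated and forgo the IoT data it would have produced.
    Treatment("avoid", annual_cost=120_000, frequency_factor=0.05, loss_factor=1.0),
]


def summary(s: Scenario = LINE_STOP, options: list = OPTIONS) -> dict:
    """Annual cost of each option, keyed by kind, for the boardroom slide."""
    return {t.kind: round(t.total_annual_cost(s), 2) for t in options}


if __name__ == "__main__":
    print(f"{LINE_STOP.name}: ${LINE_STOP.loss_per_incident:,.0f} per incident, "
          f"${LINE_STOP.annual_expected_loss():,.0f} expected per year")
    for kind, cost in summary().items():
        print(f"  {kind:9s} ${cost:>10,.0f} per year")
    print("cheapest:", cheapest_treatment(LINE_STOP, OPTIONS).kind)
```

The point of the comparison is that "do nothing" has a price too: acceptance costs the full expected loss every year, so a mitigation that costs less than the loss it removes is the better financial decision, not a cost center.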

From there, modeling the cyber-threat landscape helps in analyzing the security threats and gaps specific to an organization's industry and to each plant. The IEC 62443 zone-and-conduit methodology is an effective way to do this: assets with common security requirements are grouped into zones, each with a target security level, and communication between zones is confined to defined conduits that carry their own controls. Every network connection to the plant's control and safety systems must be identified and secured, including the sensor gateways described earlier and any temporary or remote connections; a connection that cannot be assigned to a zone and a conduit is a gap. Threats are constantly evolving as new skills, techniques and tools emerge, so the zoning and conduit approach may require expert help.
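To make the zone-and-conduit idea concrete, here is an added example (written for this page, not code from the article or from Schneider Electric) that encodes a small zone model with target security levels and a conduit allow-list, then audits observed connections against it. Any flow that has no matching conduit, or whose endpoint falls outside every defined zone, is reported, which is exactly the "identify every connection" check the paragraph calls for. The zone names, address ranges, ports, the flow-record format (src,dst,proto,dst_port) and the sample flows are all constructed assumptions, not taken from any product, log format or real plant.

```python
"""Audit observed network flows against an IEC 62443-style zone/conduit model.

Added example, not from the article. Zones, addresses, ports, the flow
record format and the sample flows are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Zone:
    name: str
    security_level: int   # target security level, 1 (low) to 4 (high)
    networks: tuple       # CIDR blocks that belong to the zone


@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    proto: str
    ports: frozenset      # destination ports permitted through the conduit


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dst_port: int


# Constructed plant model: higher SL means more protection required.
ZONES = (
    Zone("enterprise", 1, ("10.1.0.0/16",)),
    Zone("dmz", 2, ("10.2.0.0/24",)),
    Zone("sensor_gateways", 2, ("10.4.0.0/24",)),
    Zone("control", 3, ("10.3.0.0/24",)),
    Zone("safety", 4, ("10.5.0.0/24",)),
)

# Constructed conduit allow-list; anything not listed is not a conduit.
CONDUITS = (
    Conduit("enterprise", "dmz", "tcp", frozenset({443})),       # reports from the historian
    Conduit("dmz", "control", "tcp", frozenset({4840})),         # historian reads OPC UA
    Conduit("sensor_gateways", "dmz", "tcp", frozenset({8883})), # sensor data via MQTT over TLS
    Conduit("control", "safety", "tcp", frozenset({44818})),     # engineering access only
)


def zone_of(ip: str) -> Optional[Zone]:
    addr = ipaddress.ip_address(ip)
    for z in ZONES:
        if any(addr in ipaddress.ip_network(n) for n in z.networks):
            return z
    return None


def check_flow(flow: Flow) -> tuple:
    """Return ("allow" | "deny", reason) for one observed connection."""
    src, dst = zone_of(flow.src), zone_of(flow.dst)
    if src is None or dst is None:
        unknown = flow.src if src is None else flow.dst
        return "deny", f"{unknown} is not in any defined zone (unidentified connection)"
    if src.name == dst.name:
        return "allow", f"intra-zone traffic within {src.name}"
    for c in CONDUITS:
        if ((c.src_zone, c.dst_zone, c.proto) == (src.name, dst.name, flow.proto.lower())
                and flow.dst_port in c.ports):
            note = ""
            if dst.security_level > src.security_level:
                note = (f" (crosses SL{src.security_level} -> SL{dst.security_level};"
                        " conduit needs its own controls)")
            return "allow", f"permitted by conduit {src.name}->{dst.name}{note}"
    return "deny", (f"no conduit from {src.name} (SL{src.security_level}) to "
                    f"{dst.name} (SL{dst.security_level}) for {flow.proto}/{flow.dst_port}")


def parse_flows(text: str) -> list:
    """Parse constructed 'src,dst,proto,dst_port' records, skipping blanks/comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, port = (f.strip() for f in line.split(","))
        flows.append(Flow(src, dst, proto, int(port)))
    return flows


def audit(text: str) -> list:
    """Return [(flow, verdict, reason)] for every record in the input."""
    return [(f, *check_flow(f)) for f in parse_flows(text)]


# Constructed sample: a few minutes of connection records from the plant.
SAMPLE_FLOWS = """\
10.1.5.7,10.2.0.10,tcp,443
10.2.0.10,10.3.0.5,tcp,4840
10.4.0.21,10.2.0.10,tcp,8883
10.3.0.5,10.3.0.6,tcp,502
10.1.5.7,10.3.0.5,tcp,502
10.4.0.21,10.5.0.3,tcp,44818
192.168.77.9,10.3.0.5,tcp,502
10.3.0.9,10.5.0.3,tcp,44818
"""

if __name__ == "__main__":
    for flow, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict:5s} {flow.src:>13s} -> {flow.dst}:{flow.dst_port} {reason}")
```

Three of the eight sample flows are denied: an enterprise workstation talking Modbus straight to a PLC, a sensor gateway reaching into the safety zone, and a connection from an address that belongs to no zone at all. The last case is the one that matters most in practice, because an address nobody can place in the model is a connection nobody has identified, let alone secured.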

Perhaps most importantly, people are the first and best line of defense. From defining personnel screening requirements to stronger employee training, security must be built into the operations lifecycle to plug every hole. Every team and person must take ownership of their own security, adhere to industry standards and follow vendor configuration and hardening documentation to keep systems in their intended secure state. Everyone in the industry has a role in developing this stronger cybersecurity culture.

Continuously Monitor and Adjust

Cybersecurity isn't something you can set and forget. Any manufacturing cybersecurity plan must be a living document that is regularly reviewed and updated to respond to an evolving threat landscape. Program elements such as patch management, vulnerability tracking and threat monitoring must be ongoing. A cybersecurity risk management plan is not a single event but a continuous operation.

The industry tends to take an "if it ain't broke, don't fix it" approach to how we operate. But we must change this model, and our culture, when it comes to cybersecurity. Plant safety, reliability and ultimately profitability are counting on it.

Navigate the New Risk Management Landscape

Aggressive, innovative cyberattacks are a permanent part of the industrial landscape. They are a fixture, and we as an industry must be more assertive in preventing them.

There needs to be a shift from reactive to proactive cybersecurity management through compliance with evolving industry standards, agreement that cybersecurity is a journey not a destination, and a commitment to standing together in the face of cyber threats. Let’s not wait for a catastrophe to happen to ensure the safety and security of manufacturing operations and the long-term protection of the people, communities and environment we serve.

Andy Kling has more than 35 years of software development experience and has worked in the Industrial Control Systems (ICS) development organization at Schneider Electric since 2001.