We are in the midst of a technology revolution, with the world becoming more connected than ever. But with great connectivity comes great threats. The digitisation of every aspect of our lives means that there is a growing reliance on technology not just in our homes but across businesses and industries too. A dependence that will leave us all vulnerable if our connected systems are breached.
The past decades have seen the manufacturing industry embrace the digital revolution. Emergence of new technologies such as cloud computing and the Internet of Things (IoT) has brought down barriers, enabling industries to grow and advance like never before. But, much like in the consumer world, these open platforms and interconnected systems have created more opportunities for cyber criminals, leading to a rise in the frequency of cybersecurity attacks.
High profile attacks like the 2017 WannaCry outbreak have highlighted the urgent need for organisations to upgrade their safety measures and rethink traditional cybersecurity approaches. So, how can the manufacturing industry protect itself while still embracing new technology that enables them to grow and deliver the best possible results?
Creating and spreading awareness
Certain industries, notably in critical infrastructure environments such as power, oil and gas, water and wastewater and nuclear facilities, show a high level of awareness and appreciation of the need for a comprehensive security strategy. They tend to have detailed cyber security plans and procedures in place and their investment of time and capital in protecting their assets is considerable.
However, many organisations in other industries, notably manufacturing, are either unaware of the risk of cyber attacks or reluctant to implement security strategies in their enterprises, as investments in cyber security do not appear to have a tangible return-on-investment (ROI). This leads to a complacent ‘wait and watch’ approach that only mandatory regulation or the unfortunate instance of a cyber-attack may change.
Given the uncertainty of the regulatory landscape today, this mindset is most likely to persist. Furthermore, the daunting nature of cyber security leads to low uptake of planning and implementation among many companies; This means analysis does not end up leading to action and a total system overhaul remains a vision, rather than a reality. These businesses need a means of visualising, managing, and mitigating risks and threats in their systems.
Addressing the barriers
To help address these barriers, organisations need to collaborate with each other to understand the unique characteristics of the industrial environment. The key to this will be building a Defense-in-Depth approach to your cyber security. Defense-in-Depth is a hybrid, multi-layered security strategy that provides holistic security throughout an industrial enterprise and is expected to become a security standard in factories of the future. It includes people, processes and technology across an extended digital ecosystem to bolster a company’s cybersecurity posture.
With this Defense-in-Depth approach it is vital that organisations adopt a step-by-step plan which includes identifying the biggest impact to their organisation in terms of a security breach, zoning in on which specific area of plant operations is linked to that impact, outlining what the biggest vulnerabilities are in relation to that area of operation and lastly minimising or eliminating those vulnerabilities.
Once complete, organisations can move on to the next impact-area-vulnerability issue. Rather than revamping an entire system at once and falling victim to “analysis paralysis”. This step-by-step approach not only ensures that the significant changes with the highest impact are affected immediately, but also ensures the organisation does not spread itself too thinly.
Building a cyber-resilient culture
We must understand that security is everyone’s problem. It must be integrated into every business, at all times, becoming part of each employee’s daily actions.
In most companies, a lack of cybersecurity training represents a big gap in terms of overall readiness and digital security. A comprehensive programme must account for the human element in a digital ecosystem. More than just hardware and software resilience, security rigor includes a process and plan that define the roles and responsibilities of employees and workers. It defines the types of actions and activities that are allowed to be performed, and includes clearly communicated consequences for noncompliance.
Ongoing learning and enablement about cybersecurity is essential. When developing your training programs, businesses need to think about creating basic level awareness sessions to expert-level courses, depending on the roles of your individual employees. It’s important, too, to integrate both an understanding of the ISA / IEC 62443 standard and, more important, learning how to apply it across the business, operation, or function.
Protect the industry against future threats
Cybersecurity is a constantly evolving space, with attackers persistently developing new and advanced technology and skills to compromise data and systems. The disruption of operational systems can have a far-reaching and potentially catastrophic impact to your business both in the short and long term. Whereas previously companies have sought to meet these escalating challenges individuals, the future is far more collaborative. Today, businesses are working together to develop cross-industry skills, combined with open technology and transparent communication to fortify businesses and keep plants running smoothly.
VP Industrial Automation at Schneider Electric
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.