EU directive's £17 million threat 'has put cyber security on the process agenda'
10 Jul 2019
The threat of massive multi-million pound fines for failing to safeguard against cyber security risk has made it impossible for manufacturing companies to ignore the issue at board level, says a leading information security expert.
Anthony Young, founder-director of Bridewell Consulting, told Process Engineering that the elevation of cyber risk ranked as one of the key outcomes of the new Networks and Information Systems (NIS) security directive.
“I think it’s one of the main benefits of these directives and regulations in that... it suddenly makes it a board level agenda item because the fines can be up to £17 million for a company found in contravention.”
“So suddenly there’s a big thing flashing at the board: ‘we’ve got a financial risk to our organisation’ - as well as the reputational damage as well as what could happen in terms of the potential loss of life and safety.”
The NIS directive passed by the EU in 2016, came into force in the UK last year, coinciding with the General Data Protection Regulations (GDPR).
The UK regulations provide legal measures to boost cyber and physical security of network and information systems critical for the provision of digital and essential services. So-called critical national infrastructure include the energy, chemical and various process sectors in addition to transport and health.
It suddenly makes it a board level agenda item because the fines can be up to £17 million for a company
Anthony Young, founder-director, Bridewell Consulting
Young, whose firm was one of the first to receive approval for its consulting services from the National Cyber Security Centre and from the Council of Registered Ethical Security Testers (CREST) for its cyber penetration testing, said there was a wide variation in responses within the manufacturing and process sectors.
He compared the developing situation to the advent of cyber security in banking, when larger organisations led the way with adoption of new protocols. However he said, manufacturing presented particular challenges that required an engineering perspective.
“You don’t want someone from a purely cyber background working in a pure engineering area and you need someone who understands how all the different SCADA and control systems work,” he cautioned.
“There are slightly different sorts of risks in that sort of O/T environment to an IT environment. A lot of the systems are very old and haven’t been updated, a lot of them weren’t designed to be connected to the internet. As systems started to be opened up ...[those that] have been in the past closed, are at risk and that’s what’s been targeted a lot.”
While the largest international companies have quickly adapted to the connected world thanks to abundant resources of financel and skilled personnel, cyber security is a more daunting prospect for smaller enterprises, acknowledged Young.
You don’t want someone from a purely cyber background working in a pure engineering area and you need someone who understands how all the different SCADA and control systems work
However, by focusing on five key steps, manufacturing firms could ensure compliance with the new regulations he said. These include:
Security awareness – encouraging all employees “from receptionist to MD” to notice variations in machine behaviour and report these
Risk analysis around I/T and O/T systems – checking security controls and updates before introducing new systems promising to monitor all devices or boost productivity
Understand the nature of specific cyber threats to the business – third party equipment and staff’s personal USBs may present a more genuine security threat than hostile states or hackers
Segregation of systems – as many manufacturing firms have grown through acquisitions and mergers and operate with “a jumble of IT and OT”
Good understanding of penetration testing and its application – checking physical as well as cyber security against intruders
In one instance said Young, his company breached a windfarm's safeguards during a commissioned penetration test - by the simple expedient of picking a substation lock.
“There was no other security and then we could have basically overriden the wind turbines and shut them down one by one. We even noticed they had wifi and so we could have done it from there without even having to go inside.”