Ever-changing and increasingly sophisticated cyber threats, limited internal experience and a lack of cybersecurity culture prevent manufacturers from safeguarding their operations, warns Emerson’s Michael T. Lester.
Manufacturers, utilities and operators of critical infrastructure face increasing and more sophisticated cybersecurity threats. Attacks are constantly evolving, as commoditised malware and advanced technologies provide new attack capabilities to threat actors. The motivation for cyberattacks is still mostly financial gain, but nation state actors are increasingly involved and there are increasing numbers of attacks targeting the industrial control space from various threat actors.
Effective cybersecurity requires staying updated on the latest threats, performing real-time inventory of assets, improving threat-detection capabilities, ensuring equipment and devices have the latest defence measures, patching and updating systems, and improving incident response capabilities. In addition, policies and procedures, workforce upskilling and periodic training are all key aspects of cybersecurity that should be deployed to protect critical systems by following a risk-based approach.
For manufacturers looking to unlock the potential of the Industrial Internet of Things, cybersecurity is a major concern. The need for effective cybersecurity is well known, but there is not great understanding of the subject within the industry. Designing and implementing IIoT technology requires new skills and cybersecurity expertise. New solutions can introduce new threat vectors if not implemented and maintained securely.
Protecting against vulnerabilities
Within manufacturing, engineered solutions with higher capital expenditure costs create reluctance to update systems and a slow rate of change. Outdated systems that are not patched or not protected with a defence-in-depth approach are the most vulnerable.
Users must prioritise the actions they will take in response to identified threats and attacks, and create a roadmap of those actions. This includes implementing and regularly testing incident response and back-up/recovery plans for all the people, processes and technologies in their organisation during the lifecycle of each. Even something simple like user account management must address each user’s lifecycle from when they are first authorised to when they leave the organisation.
There is increasing need for collaboration between IT and OT stakeholders to implement new systems and services that help an organisation digitally transform. In developing a cybersecurity strategy, IT and OT stakeholders must understand each other’s strengths and how to achieve business goals whilst maintaining the highest levels of security.
Each discipline brings something different to the table, with IT having a highly standardised process and OT having a more engineered solution. The goals of both stakeholders need to be reviewed and requirements established to avoid gaps and risk to operations. Automation suppliers can make secure deployment of systems more successful by providing a layered portfolio of security controls, procedures and services that enhance system security and help end users prioritise cybersecurity assessments.
Organisations must consider cybersecurity during the front-end engineering and design of a control system project. Too often cybersecurity defences are added later, and this is more expensive and rarely as effective as building cybersecurity into the project. This is referred to as the ‘Shift Left’ concept. Secure by design, coupled with an appropriate cyber risk analysis, should include a review of security features and controls to ensure their effectiveness against the growing cyber threat landscape.
To support the business justification of a cybersecurity initiative, assessments can be used as a risk reduction metric that represents the progress of cyber initiatives implemented thus far and the potential protection afforded by deploying additional cyber protections. A good way to justify cybersecurity capabilities is through the ‘Shift Left’ concept, where each euro spent on proactive security is worth over 60 euros of reactive security spend.
If an attack does happen, the best way to overcome it is to have a well-documented and practised incident response plan. In short, overcoming an attack does not go well without cybersecurity features, controls and a well-thought-out plan.
It’s a culture thing
When cybersecurity is not part of the culture of an organisation, its personnel create a significant cyber risk through unintentional actions that result in vulnerabilities. A pervasive cybersecurity culture reduces risk from both external and internal threats. Upskilling personnel on new technology and related cybersecurity helps to create a cybersecurity culture. It is critical to create training opportunities for employees to increase their technology and cybersecurity competencies. Upskilling can take time but educating the workforce to consciously accept cybersecurity responsibility and accountability is a good first step. If cybersecurity is no longer someone else’s responsibility, people will naturally ask a lot more questions and work with those who have expertise to prevent unintentional consequences.
Cybersecurity requires more than just technology. Cybersecurity requires behaviour and culture change. A deep-rooted understanding across the entire organisation of the ‘why’ and ‘how’ of cybersecurity is critical to driving meaningful behavioural change. It is therefore important to build a cybersecurity culture that encompasses people, processes and technology.
Michael T. Lester is director of cybersecurity strategy, governance and architecture at Emerson