Establishing and implementing a cyber security program requires cooperation from many groups
Digitization is advancing rapidly as more companies automate systems and connect to the Internet of Things. Though many benefits come from automating tasks and sharing data via the Web, this shift in technology brings in a new design concern: security.
Cyber security’s rapid rise as a central element in networking and communications poses challenges for industrial strategists, who must secure the enterprise, devise training and policies for employees and get corporate managers to fund and support these efforts.
It’s critical that managers rise to meet these daunting challenges. Connectivity is going to happen because it allows companies to integrate suppliers, partners, service providers and the end customer in the value chain. If security isn’t addressed in a comprehensive fashion, industrial operations will be vulnerable to the types of attacks that affected a range of retailers and others with unfortunate regularity.
That’s already happening. A survey of industrial and control system operators found that a third had seen system breaches within the past 12 months. European manufacturing and process industries pegged their security-related revenue losses at 27 million Euros in the last five years.
Creating these security programs requires input and action from a range of corporate teams. While technical solutions usually get most of the attention, training and personnel are also critical.
“One study found that 95% of security problems could be attributed to human error,” Martin Kunz said at a recent Siemens conference. His presentation was titled “How Industrial Cyber Security protects and enables the digital future.”
Kunz, product & business development manager for Plant Security Services at Siemens Industry, added that people are perhaps the most important factor in security programs. Phishing attacks and some ransomware programs like WannaCry rely on social engineering and use e-mails to entice employees into opening malware programs. Employees need to understand the problems that can arise and know how to prevent them, for example, by not clicking on e-mails from unknown senders or inserting USB sticks from unexpected sources.
Protective technologies start with products like firewalls, but extend to the connections with suppliers, clients and the cloud. Vendors should be vetted in part by their commitment to cyber security. While a strong, focused effort at the start of a corporation’s security project is important, planners need to understand that security programs must constantly evolve. Hackers move quickly, so strategies designed to thwart them must also be nimble.
Some companies will be able to create and enact security programs alone, others will be well-advised to outsource the task. If security is among the corporation’s core technologies, managers should be able to build a solid protective architecture. Though most corporate executives understand the need for cyber security, it may be necessary to build a business case to ensure that there’s enough funding and support to get the program up and running.
As the plan is being developed, the company’s products will help determine how much protection is needed. The higher the product value, the greater the protection should be. Regulatory requirements will be important in some fields, Kunz noted.
Once the risk assessments have been completed, planners need to define policies such as controlling access. Setting password requirements and determining who has access to various entrance points are basic steps. Companies must also establish plans for managing patches and managing security technologies.
Baseline communication levels should be examined so users are familiar with normal patterns, which makes it easier to spot anomalies, Kunz said. Other countermeasures include removing unused software and whitelisting equipment so that machines accept data only from authorized peers.
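The baselining and whitelisting countermeasures above, as an added example that is not from the article or Siemens: it learns which device pairs and ports were seen during a quiet learning period, then labels later flows as normal, anomalous (authorized pair, but a port never seen in the baseline) or blocked (pair not on the allowlist). All device names, ports and flow records are constructed sample data.

```python
# Added example, not from the article or Siemens: learn which OT devices normally
# talk to each other, then classify new flows against that baseline and an allowlist.
# All device names, ports and flow records here are constructed sample data.
from collections import Counter

# Constructed learning-period flows as (src, dst, dst_port); 502 is Modbus/TCP.
BASELINE_FLOWS = [
    ("hmi-01", "plc-01", 502), ("hmi-01", "plc-01", 502), ("hmi-01", "plc-02", 502),
    ("hist-01", "plc-01", 502), ("hist-01", "plc-02", 502), ("eng-ws", "plc-01", 44818),
]
# Constructed allowlist: device pairs authorized to communicate at all, regardless
# of whether the pair happened to be seen during learning.
ALLOWED_PAIRS = {("hmi-01", "plc-01"), ("hmi-01", "plc-02"), ("hist-01", "plc-01"),
                 ("hist-01", "plc-02"), ("eng-ws", "plc-01"), ("eng-ws", "plc-02")}

def build_baseline(flows):
    """Count how often each (src, dst, port) triple appeared during learning."""
    return Counter(flows)

def classify(flow, baseline, allowed):
    """Label one flow: 'blocked' if the pair is off the allowlist (whitelisting would
    drop it), 'anomaly' if allowed but never seen in the baseline, else 'normal'."""
    src, dst, _port = flow
    if (src, dst) not in allowed:
        return "blocked"
    if flow not in baseline:
        return "anomaly"
    return "normal"

def review(flows, baseline, allowed):
    """Classify a batch of flows and group them by label for a report."""
    report = {"normal": [], "anomaly": [], "blocked": []}
    for flow in flows:
        report[classify(flow, baseline, allowed)].append(flow)
    return report

# Constructed monitoring-period flows with the expected label in comments.
OBSERVED = [
    ("hmi-01", "plc-01", 502),        # seen before: normal
    ("eng-ws", "plc-02", 44818),      # allowed pair, but never seen on 44818: anomaly
    ("laptop-guest", "plc-01", 502),  # unknown device: blocked by whitelisting
    ("hist-01", "plc-01", 22),        # allowed pair, SSH never in baseline: anomaly
]

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS)
    for label, items in review(OBSERVED, baseline, ALLOWED_PAIRS).items():
        print(f"{label}: {items}")
```

In practice the learning set would come from a network capture or switch flow export taken while the plant is known to be in a healthy state, and anomalies would be reviewed before being either added to the baseline or investigated.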
Standards like IEC 62443 can help guide developers, providing best practices and other information. As companies implement these best practices and tweak them to their operating environment, many entities will need to contribute. It’s important to get top executives on board to ensure that proper funding and time are allocated and maintained.
Information technology (IT) and operational technology (OT) teams should be able to work together. IT teams typically have a better understanding of cyber security, but they lack insight into how the operational side of the business works. OT teams know what needs to be done to get products out the door, but they often don’t understand how operational tasks mesh with front office activities.
However, there’s often tension when IT and OT interact. It might be necessary to find someone who can act as mediator to keep the two groups focused on the end goal, Kunz noted. The most effective solutions typically come when the two teams share information, describing problem areas and cooperating to find solutions. This sharing also extends to Information Sharing and Analysis Centers. ISACs have been established in industries like automotive so competing companies can share information about attacks. This sort of cooperation helps all members respond to emerging threats.
Within the corporation, it’s important to get support from corporate managers who can help provide funding and manpower. Often, OT staffers can work with IT and safety personnel. These groups’ security concerns are closely related. If there are breaches in OT, they can easily move into the IT and/or safety realm. If hackers gain control of any industrial equipment in the plant, they can potentially cause major safety concerns.
“Managers need to report the number of critical vulnerabilities and explain what could have happened if they had not been fixed,” Kunz said. “If an attack has the potential to cause $10 million in damages, managers may approve $1 million to prevent it. Also, if your company has cyber insurance, that will help with the premiums.”
Companies would be wise to start implementing security strategies in the near term. Digitalization is becoming a necessity as global competition gets more intense. Protecting the company’s digital footprint is a critical need for companies that want to join the Internet of Things and gain the benefits of connectivity.