04 September 2023
Suzanne Gill finds out that when it comes to cybersecurity the role of the human cannot be overemphasized. As industrial cybersecurity risks increase it is vital that all employees have a good understanding of their role in helping to ensure safe and secure operations.
As more industrial organisations converge their operational field machinery with their company IT – in a bid to improve efficiency, reduce cost and gain a competitive edge – their plants have become more vulnerable to cyberattacks.
“IT systems are designed to be open and interconnected, while OT systems are typically designed to be closed and isolated,” explained Michael Metzler, Vice President Horizontal Management Cybersecurity for Digital Industries at Siemens. “This makes it easier for cyber criminals to gain access to OT systems through IT systems. Cybersecurity is therefore becoming increasingly important for industrial companies, and this has led to the creation of industry-wide standards such as IEC 62443, which deals with operational technology security in automation and control systems. The standard, which is broken up into sections, discusses both technical and process-related elements of cybersecurity for automation and control systems.”
Michael went on to explain that, when developing a cybersecurity strategy for an industrial plant, it is important to keep in mind its unique risks and vulnerabilities. “Industrial plants, for example, often use specialised, proprietary software and control systems that may not be as well-secured as more widely used systems. Additionally, industrial plants may be targeted by nation-state attackers as well as by criminal and hacktivist groups, who may be motivated by financial gain or political or ideological goals.”
To reduce the risks of cyberattacks on industrial plants, companies are advised to adopt a defense-in-depth approach which involves implementing multiple layers of security to protect the plant’s networks and systems. This can include:
Plant security: Plant security employs various methods to prevent unauthorised actors from physically accessing critical components, ranging from conventional building access to the securing of sensitive areas by means of key cards. Furthermore, it should encompass processes and guidelines for comprehensive plant protection. These range from risk analysis to the implementation and monitoring of suitable measures, all the way to regular updates.
Network security: This involves protecting the plant’s networks from unauthorised access and attacks. This can include measures such as firewalls, intrusion detection systems, and other security technologies to protect the plant’s networks and systems. To protect the automation network in an industrial plant against unauthorised access, network security monitors all the interfaces between the office network and plant network as well as remote maintenance accesses with the aid of network access protection, network segmentation, encrypted communication, and Zero Trust principles.
System integrity: This involves ensuring that the plant’s systems are configured and maintained in a secure manner, and that they are running the latest software and security updates. This can include measures such as access controls and encrypted communication to protect the plant’s Industrial Control Systems (ICS) and Operational Technology (OT). Regularly conducting penetration testing and vulnerability assessments to identify and address vulnerabilities is important to maintain the system integrity. Automation systems must be protected against access and manipulation attempts. Communication within the systems, program code, and intellectual property are particularly in need of protection.
Michael also highlighted the importance of taking non-technical measures, such as providing cybersecurity training to employees, developing incident response plans to respond quickly and effectively to cyber incidents, creating a culture of cybersecurity awareness throughout the organisation, and collaborating with other organisations and agencies to share information and intelligence about potential threats are also important to ensure the overall security of the industrial plant.
In conclusion, Michael said: ”The return on investment for cybersecurity systems in industrial plants can be difficult to quantify, as it can be hard to measure the costs and benefits of preventing a cyberattack that may never happen. However, cybersecurity is an important consideration for the continuity of business operations, and the potential costs of a cyberattack can be significant, including financial losses, damage to reputation and loss of trust, and even physical harm to people and the environment. The cost of implementing cybersecurity systems and measures is relatively low when compared with the impact of a cyberattack, which makes it imperative for industrial plants to invest in cybersecurity.”
A programmatic approach
The ‘best-of-breed’ days – where security vendors provided solutions for specific security challenges – are long gone, according to Cindy Segond von Banchet, OT Cybersecurity Lead at Yokogawa Europe. ”These ‘point solutions’ from the early security days tapped into the domains of endpoint security, mobile security, network security, and database security among others,” she said. “With digital transformation – the ‘lift and shift’ of applications to the cloud, and the adoption of Software as a Service (SaaS) the cybersecurity solutions market has transformed from a best-of-breed approach into a more integrated platform-oriented approach in recent years, and in this new hyperconnected world, the attack surface has become huge!”
In Gartner’s latest Predictions 2023 report, it is stated that by 2025 a lack of talent or human failure will be responsible for over half of significant cyber incidents. To bolster cyber defence strategies and capabilities, organisations need to adopt comprehensive cybersecurity programs, which combine expertise in industrial automation and best practices in OT cybersecurity architecture to ensure secure operations.
According to Cindy, a holistic approach should encompass risk assessments; policy and procedures; business case formulation; design and implementation of cybersecurity measures; managed services; and employee awareness and training.
“Any approach to IT/OT cybersecurity should start with understanding and quantifying risk profiles, identifying business critical assets, and assessing existing security strategies and levels of protection. If done well, it will result in a roadmap that enables organisations to implement applicable cybersecurity controls in the right order of priority and leveraged to current cybersecurity challenges,” she said. “To help counter the lack of cybersecurity talent and reduce the potential of human failure, security awareness training should be a mandatory part of any Industrial Cyber Security Program.
“Alongside training, organisations should also consider investing in Managed Security Service Providers (MSSP) who specialise in IT/OT security operations. Having the network monitored 24/7 can lay the foundation of a cyber defence strategy. In cybersecurity industry we often say ‘You cannot protect what you do not know you have in your network,’ so it is important to start monitoring your network to manage and protect your assets from threats.”
As digitalisation moves forward and attackers’ skills improve, cybersecurity has become an ever-increasing challenge and technical cybersecurity measures often relies on human expertise to function correctly. “Attacks using social engineering or phishing-like campaigns are becoming more sophisticated over time and attackers are starting to employ artificial intelligence (AI) technology which will further increase the threats,” said Dr Lutz Jaenicke, Corporate Product & Solution Security Officer, Phoenix Contact GmbH & Co.
Lutz believes that training and development of employees is vital. He said: “Cybersecurity specialists can be hard to find and also cybersecurity needs to be top of mind for everyone involved in the IT or OT information system. As IT and OT melt together, training as well as technical concepts need to be harmonised between these two areas. Cybersecurity governance for IT and OT needs to work hand-in-hand.”
In conclusion, Lutz emphasised that every employee needs to be made aware of the cybersecurity risks in their daily work. Today there often is not more than a token cybersecurity training session, lasting just a few minutes – this will never meet the actual level of risk so most industrial organisations do nees to improve their training and awareness of cybersecurity issues.”
Contact Details and Archive…