Advancing to IIoT means back to security basics
Manufacturers may see advantages to the Industrial Internet of Things (IIoT) and Industrie 4.0, but the backbone of their plant, the control system, wasn't built with cybersecurity in mind, and many companies aren't addressing this potentially serious issue.
With the industry headed into digital transformation via smart manufacturing and Industrie 4.0 and the Industrial Internet of Things (IIoT), company leaders look at these initiatives as opportunities they need to jump on—and fast.
They can gain a competitive advantage through new service-enabled business models, disruptive new products, a more agile supply chain, and efficient operations. However, the systems that end up being the backbone of the manufacturing enterprise, the control systems, are not built with security in mind. On top of that, a survey released by Honeywell shows adoption of cybersecurity is low.
The survey, "Putting Industrial Cyber Security at the Top of the CEO Agenda," was conducted for Honeywell by LNS Research. It polled 130 strategic decision makers from industrial companies about their approach to the Industrial Internet of Things (IIoT), and their use of industrial cybersecurity technologies and practices.
Slow or low adoption could mean either manufacturers will move forward with the digital transformation and remain insecure, or they will be delayed in their movement forward and lose valuable time and potential revenues until they adopt a security program.
Either way, it appears companies at the vanguard of employing security already, have a leg up on any potential competitors. It can also mean more companies are still at the beginning of creating a security program.
"I think everyone knows they have a problem now, but they are not quite sure where to start," said Seth Carpenter, software engineer and cyber security technologist at Honeywell. "There is a long way to go. Awareness is a good first step. We can’t do anything unless there is an agreement that something needs to be done. The next step is putting funding behind these programs. Sometimes it is not throwing money at it, it can really be building up the culture in the organization where you are thinking of security and putting responsible officers in there making sure they are reporting out on cybersecurity and it is going all the way up to the C-level and the board."
The survey’s findings included:
- More than half of respondents reported working in an industrial facility that already has had a cybersecurity breach
- 45% of the responding companies still do not have an accountable enterprise leader for cybersecurity
- 37% are monitoring for suspicious behavior
- Although companies are conducting regular risk assessments, 20% are not doing them at all
"One of the things I found interesting was when they were asked if they had a breach at their plant, most people normally don’t want to talk about it, but here quite a few people admitted they had a breach," Carpenter said.
The survey found there has been low adoption of cybersecurity measures, however, awareness is through the roof, the question remains on when will manufacturers establish a timetable for adopting a security program.
"It is a combination of things," Carpenter said. "We know we should brush out teeth and take our vitamins, but sometimes you just say, I will go to sleep right now. It is hard without that driving factor or a really good business case behind it. We are at a point where there is a lot of awareness of what is happening. We see attacks in every industry like healthcare, banking, financial institutions, the awareness is there. I think that is the first part where people recognize something needs to be done. They might not know where to start. So, they say we need to do something about it, but that can be daunting. It is like eating the elephant, you have got to figure out the little bite I can take on this."
A good first step for a manufacturer is conducting an assessment.
"There are really good cybersecurity maturity models users can map their processes to so they can get started," Carpenter said. "Sometimes the hardest part is taking the first step and think here is what we are going to get and here is where we want to be and putting together that plan."
Traditionally, security has been seen as a cost center, but in reality, it can end up viewed as a business enabler that keeps systems up and running by eliminating unplanned downtime.
"That is one of the trickiest parts of security," Carpenter said. "When I invest in a manufacturing line, I see I am producing 20% more product. That is tangible and I can put a dollar value on that. If I spend the same amount of money on a cybersecurity program how do I measure success? How do I show my boss and my bosses boss, ‘Hey, we did a really good job here.’ I think there needs to be a mindset shift to see this isn’t a problem where we are dumping our money into because we have to, instead this is helping us maintain our machines and giving us the uptime numbers we need."
The report issued three recommendations:
1. Use an operational excellence model of people, process, and technology capabilities to enable digital transformation and build industrial cyber security capabilities into the model.
2. Focus on best practices adoption. Start with the basics like firewalls and access controls; over time move to more advanced topics like network architecture, risk management, and activity monitoring. Build a roadmap based on increasing people and process maturity that considers risk and equates safety with security. If people capabilities are limited to start, consider augmenting with external professional services that have information technology (IT) and operations technology (OT) experience.
3. Focus on empowering leaders and building an organizational structure that breaks down the silos between IT and OT. A common approach across these disciplines is critical for success in industrial cyber security and it can only be done by investing time and energy in the soft skills of change management.
"We know this is complicated, we are talking systems that have been up and running for years and years, let’s face it if it is not broken, don’t fix it," Carpenter said. "So, getting visibility into the assets can be difficult. You have to know what normal looks like."
Gregory Hale is the editor and founder of Industrial Safety and Security Source (ISSSource.com), a news and information Website covering safety and security issues in the manufacturing automation sector. This content originally appeared on ISSSource.com. ISSSource is a CFE Media content partner. Edited by Chris Vavra, production editor, CFE Media, firstname.lastname@example.org.
See related stories from ISSSource linked below.
Click here to register to download the report.