Digital transformation needs a solid cybersecurity plan
A digital transformation cannot occur without a solid cybersecurity plan. Unfortunately, there are plenty of manufacturers today that are just beginning this transformation process.
Assessing cybersecurity readiness for a single site can be daunting, but there is hope. A user has to start with a basic assessment of what they have and what it’s connected to.
When that is done, the user can conduct upfront planning and create a course of action.
“Some users do not feel they are in an unsafe place,” said Rick Gorskie, a global manager for cybersecurity at Emerson Automation Solutions during a presentation entitled, “Assessing Cybersecurity Readiness: From a Single Site to an Entire Enterprise,” at the Emerson Global Users Exchange in San Antonio, Tex. “There are working models of people thinking information technology (IT) infrastructure would provide protection. Many people think it is IT’s job to handle security. I am here to say that is not the case.”
While Emerson always talked about cybersecurity at previous user group conferences, this year’s effort was impressive in the breadth of coverage they gave the subject.
Best practices for users
Gorskie said many of his customers feel their security posture is better than average. In reality, that belief may be more of a pipe dream than anything else.
That is why he feels manufacturers should start off with a basic assessment of their site.
There are seven key categories/vectors a user should look at:
- Network security
- Workstation hardening
- User account management
- Patch and security management
- Physical and perimeter security
- Security monitoring
- Data management
Once the assessment is complete, there should be a report identifying which issues should be addressed first; that is the beginning of the journey toward a more secure environment.
“Most users will be ready to start immediately after doing an assessment,” Gorskie said.
Users need to understand that one of the biggest issues facing them is patching. Patching has been an ongoing issue for years, and with continuous processes, like a refinery, running for years on end, users don’t feel they have time to implement patches. With ransomware incidents like WannaCry and NotPetya, which worked off a Microsoft vulnerability that had already been patched, manufacturers felt the crush of not applying an available patch. It cost some companies hundreds of millions of dollars.
“Patching is the most important thing to do, and we don’t do it,” he said.
Once the user is ready to start their cybersecurity journey, they need to move to create policies and procedures, Gorskie said. “It is not rocket science, it is something we do every day.”
Gorskie gave examples relating the creation of security procedures to safety procedures.
“If you don’t follow safety procedures, you will eventually be let go,” he said. “Security should be the same way. It is about doing the right thing and making sure you follow it.”
While he said OT security is different from IT security, there needs to be a change in mindset on the plant floor. There are plenty of tasks IT people do on a daily basis, Gorskie said, but there are some things OT does daily.
“Cybersecurity is not a set it and forget it,” Gorskie said. “We use some of the IT techniques and apply it to the OT space.”
When it comes to security, manufacturers can’t just have security for security’s sake; rather, they need to incorporate security into desired business results.
But in the end, according to Gorskie: “It all starts with a basic cybersecurity assessment. Do the assessment. Start the journey.”
Gregory Hale is the editor and founder of Industrial Safety and Security Source (ISSSource.com), a news and information website covering safety and security issues in the manufacturing automation sector. This article originally appeared on ISSSource’s website. ISSSource is a CFE Media content partner. Edited by Chris Vavra, production editor, CFE Media, email@example.com.
Keywords: Cybersecurity, information technology, IT
Many manufacturers are beginning the process of making a shift toward digital transformation.
Many companies believe their cybersecurity posture is strong, but oftentimes it isn’t.
Cybersecurity starts with an assessment of where the company can improve.
What positive changes can your company make with a cybersecurity assessment?