Double interest in cybersecurity
Cybersecurity interest at the company board level is helping to create discussion, convergence, and collaboration among operations technology (OT) and information technology (IT) specialists. While spending continues to increase to upgrade technologies and behaviors to combat cybersecurity threats, there is no cure-all answer. These were the views of Walter Sikora, division manager, cyber security services, ABB industrial automation division, in a discussion with CFE Media at ARC Forum in February. His perspectives and advice follow.
OT personnel, including those with automation and controls responsibilities, are getting smarter about cybersecurity risks and why they need to protect operational assets. However, many organizations still lack the maturity level required to make effective use of advanced security technologies such as network anomaly detection or a subscription to indicators of compromise (IOC).
Most OT personnel should focus their attention on the basics, such as perimeter access controls, segmentation, system hardening, security patching, endpoint security, and malware protection, along with periodic assessments and awareness training.
In process industries, it’s impossible to have a safe and reliable system without affording some serious attention to cybersecurity. In the past few years, more attention has been given to measuring the number of incidents and sharing information.
For example, Sikora said in February that the CEO of one company that suffered a cyberattack in June 2017 shared that it lost 10 days of production, with more than $200 million in bottom-line losses, and that recovery required the purchase and configuration of 45,000 new computers in 10 days.
Leadership on sharing this type of information is needed to make the industry aware that the threats and risks are real.
Automation vendors can help customers understand and mitigate risks and sustain production by offering related cyber security services to help prevent attacks from impacting operations. Operations personnel can calculate the return on investment (ROI) of these services by considering the cost of a cyberattack on their operations if they take no measures to protect their assets.
Educating the organization on cyber risks is key, especially since many hackers still gain access through phishing schemes. Also, the notion of system isolation no longer applies, as systems running on 10-to-15-year-old software often are vulnerable to exploits that can be transferred by way of mobile devices like USB keys and laptops, or by an operator who plugs a cell phone into a workstation to charge it. Think again about helping others in your organization understand cybersecurity risks and mitigations.
Equally important is educating IT personnel, who often lack detailed knowledge of plant-floor intricacies but have the discipline to offer valuable assistance regarding change management and the criticality of mitigation actions, with a side of healthy paranoia. They can benefit from learning how operations systems function.
Those serious about addressing risk can use key performance indicators (KPIs) related to security. Many companies, especially the largest ones, have implemented security measures and report them to their leadership and board of directors to communicate the effectiveness of their security programs and to show the value of the investments being made or where they need to be made.
Even so, in many cases, organizations are insecure when best practices are not properly implemented or continuously sustained. OT personnel have been developing a better understanding of the complexity of security concepts and how to implement cyber protection of their production systems, but they still need to collaborate with the operational system suppliers.
Mark T. Hoske is content manager, Control Engineering, CFE Media, firstname.lastname@example.org.
Keywords: IT, OT, industrial cybersecurity
- Cybersecurity improves when information technology and operations technology personnel collaborate.
- Continued cybersecurity training is important.
- Seek help from automation vendors for cybersecurity assessments.
Is your organization treating cybersecurity education like safety, an ongoing and persistent process?
ABB offers cybersecurity help.