Five steps to improve OT, ICS cybersecurity awareness in manufacturing
To manage risk in manufacturing plants, it's essential your team understands the potential threats and is appropriately prepared to take necessary actions.
Manufacturing cybersecurity threats are less well known but can pose even greater financial, operational and safety risks than IT security threats. The impact can be catastrophic – from disruptions to manufacturing lines, to power outages, to water quality impacts, to the potential for critical medical supplies to become tainted. Add to this the human safety hazards that malicious changes to manufacturing processes can cause, which can place employees or neighbors of manufacturing plants at risk.
However, there are many individuals in large and small companies who understand this threat and are trying to make a difference. They are attempting to explain the risks and the potential solutions to management teams. Here are five ways to increase operational technology (OT) or industrial control system (ICS) cybersecurity awareness in your organization:
- Provide easy-to-digest reading that explains the possible risks and impact of cyberthreats in industrial environments. Two suggestions are Andy Greenberg’s article in Wired on NotPetya’s impact on Maersk and Rob Smith and Rebecca Berry’s article in the Wall Street Journal on the security “back door” into the U.S. power grid. For a longer read, try Kim Zetter’s book Countdown to Zero Day about Stuxnet.
- Introduce cybersecurity into current planning exercises. In almost all industrial or critical infrastructure organizations, there is a range of processes that attempt to quantify and prioritize risks – from business continuity planning to hazops planning. Instead of trying to create an entirely separate effort from the start, get people to agree to include cyber as a key component of these exercises. This will not necessarily get you a full assessment, but it can raise awareness enough to begin a deeper dive.
- Bring OT/ICS representatives into the cybersecurity leadership team. In many organizations, chief information security officers (CISOs) and security leadership are aware of the risk, but they receive pushback from process control or operations leadership. A good solution for this is to bring experienced, well-respected control system leaders onto the cybersecurity leadership team, exposing them to the security risks in information technology (IT) so they can help translate them into the OT environment.
- Engage in an assessment. Obviously, this requires budget and time. The good news is that even a very small, inexpensive assessment can carry significant weight. It is a fast, inexpensive way to demonstrate with hard data how the ICS/OT risks compare to the overall cybersecurity risks in the organization. If more budget is available, you can pursue a more comprehensive assessment, but you don’t need to be stymied if budgets are slim initially.
- Explain the potential revenue benefits, not just the costs. In many cases, new regulations are placing greater emphasis on cybersecurity. Getting out in front of these requirements will enable organizations to potentially save costs and get ahead of competitors in potential contracts. Perhaps the most obvious area here is in the defense industrial base, where the Cybersecurity Maturity Model Certification (CMMC) standards will soon be in effect. Companies with processes in place and in compliance stand to reap significant benefits.
As they say, “admitting you have a problem is the first step to recovery.” The above suggestions can be an initial step in that journey.
– This article originally appeared on Verve Industrial’s website. Verve Industrial is a CFE Media content partner. Edited by Gary Cohen, Product Manager/Senior Editor, CFE Media and Technology, firstname.lastname@example.org.