With the blurring of the line between IT and OT (information technology and operational technology), emerging technologies such as big data, predictive analytics, cloud computing, edge computing, wireless communication, cyber-physical systems and the like are increasingly being adopted across enterprises in every manufacturing industry.
The expected value of closing the IT/OT divide is that companies would be able to better understand and control not just their manufacturing operations in real time, but their business performance too. However, that level of business control requires complex new layers of connectivity, and this dependency of the business on operational data will attract malicious actors.
Connectivity is only as good as the security solutions and practices you have in place. Connecting components to one another and to outside networks will undoubtedly increase the attack surface, which is particularly troubling when you begin connecting legacy distributed control systems, safety systems and other industrial control system components.
Most of the systems that automate, control and make safe critical manufacturing processes – especially in our most volatile industries, such as refining and power generation – were installed years, even decades ago. They were not built to sustain or withstand today’s type of cyber security assaults, and for the most part they are not inherently cyber secure.
Cyber security threats are coming at us from every direction, not just from our corporate networks. Operational networks were simply not built for connectivity, and carefully thought-out security protocols are being ignored for the benefit of data access to drive productivity gains.
Unfortunately, threat vectors now extend even to base-level assets. Attackers can target anything from a connected thermostat to a wireless field device in order to cause danger. This heralds a new type of aggressive, innovative cyber attack for industrial control systems, which are becoming increasingly accessible over the internet, often inadvertently.
The actors, too, have changed, and they are becoming more sophisticated every day. Attack techniques, tools and lessons are readily available on the dark web, which means low-level cyber criminals have access to the information they need to attempt more serious attacks.
What this means is we are facing a new reality and geo-political climate where malicious actors have unlimited resources and motivation to carry out cyber attacks. That means the global manufacturing industry needs to come together to improve our overall cyber security culture.
We know critical infrastructure is increasingly a target of attack, being ransomed or even shut down by malicious actors, as can be seen through the denial-of-service attacks on the Ukrainian power system in 2015 and 2016.
This is why, as an industry, we must take a multi-pronged approach to combat security threats.
Firstly, suppliers and end-users have to reinforce their commitment to processes by implementing a risk-based, defence-in-depth approach to securing their industrial control systems. They also need to strengthen, implement and adhere to the latest industry standards and follow supplier-provided guidelines, recommendations and practices when it comes to securing their systems.
Secondly, along with a stronger commitment to processes, all parties, including suppliers, end-users, third-party providers, integrators, standards bodies and other industry organisations and government agencies, have to come together to develop and maintain stronger unifying standards and best practices when it comes to technology.
Suppliers also have to reinforce their commitments to improving product security across their supply chain and development process and educating end-users on what they need to do to capitalise on the product’s cyber security features.
Thirdly, we have to put more investment and focus on our people. The best cyber protection we have is an educated workforce. In many cases, they are the first and last line of defence. It’s not enough to have manuals on a shelf – CISOs need to develop a culture of cyber security.
We must ensure that everyone across the organisation is trained, with clearly defined and understood responsibilities and procedures. Steps to ensure that employees are following and strengthening your security practices, and adhering to best practices, must take priority.
Cyber security is ubiquitous
Everyone, everywhere, is responsible for cyber security. We need to establish new levels of collaboration and openness to drive true change. Cyber security is not limited to a single company, industry or region. It is an international threat to public safety, and it can only be addressed through collaboration that extends beyond borders and competitive interests.
The entire industry must collaborate openly to educate and train our workforce, strengthen our technology and install stronger unifying standards. This is the clearest path toward securing the world’s infrastructure, which, in turn, ensures the long-term protection of the people, communities and environment we serve.