By David Pownall, VP Services at Schneider Electric
Continuous innovation is one of the more important, if not the most important, aspects of success. However, our desire to leverage innovative ideas can also take us into risky territory. This is especially true in the context of the Industrial Internet of Things (IIoT).
Whilst IIoT benefits industrial facilities in many ways, this increased connectivity also poses a number of challenges and potential vulnerabilities. Between sensors, remote monitoring systems and the cloud, openness is essential to uncovering business insights from process and IT data. To truly reap the benefits of IIoT, industrial digitalisation projects must be built on a foundation of security.
When they hear cybersecurity, most people think of data or intellectual property theft. However, the same connected networks that carry business data are also used to operate machinery and major industrial facilities. If those control signals, and indeed any data flowing on an industrial network, are compromised, the result can be a threat not only to a facility’s finances but to its physical safety.
Whilst there’s a lot to be gained by crossing the digitisation frontier, as many have seen over the past year, it’s critical that this progress is made securely. Industrial digitisation cannot be successfully carried out before strong, reliable cybersecurity is established.
A journey, not a destination
Industry requirements and standards such as ISO 27001 (for information security management) and IEC 62443 (for industrial automation and control systems) provide a consistent framework for industrial cybersecurity strategies, and there is a vast selection of cybersecurity solutions to help plant operators implement them. Much like health and safety, however, a cybersecure facility requires enduring commitment and maintenance. In particular, ongoing efforts to create the right culture and to educate the workforce on cybersecure practices are vital. Effective cybersecurity strategies always involve people, processes and technology from the start.
Companies tend to move through three different levels of maturity when it comes to cybersecure digital operations: awareness, active management and finally, security excellence. It’s essential that companies recognise this process, and continually push themselves to move from the most basic, fundamental security policies to a fully-fledged, end-to-end lifecycle approach to cyber defence.
Cybersecurity is everyone’s job
Awareness is step one of any cybersecurity strategy. Many cybersecurity breaches and incidents are accidental – simple mistakes and human errors that are due to a lack of education and awareness – so it pays to get the fundamentals right. Addressing these basic kinds of risk should be a priority when embarking on an industrial digitalisation project and lays the foundations for a successful cybersecurity strategy.
An effective place to start in achieving this foundational security is to build it into your company’s culture, training and employee experience. Cybersecurity is not the sole responsibility of the IT team, as is often assumed. It’s therefore vital that security training is built into the entire employee lifecycle, for all team members. From recruiting to onboarding to employee development and succession planning, education, awareness and training are critical. By making everyone, everywhere responsible for cybersecurity, you move employees from simply executing their traditional tasks to recognising that implementing and adhering to cybersecurity best practices is now part of their core responsibilities.
Technology for efficient management
Having trained teams in cybersecure behaviours and created a culture that appreciates the importance of these, companies should further develop their cybersecurity strategies by adopting an active management approach. Active management cybersecurity strategies are designed to defend against more opportunistic or deliberate attacks. Most larger companies will typically have comprehensive organisation-wide cybersecurity processes in place with cybersecurity teams whose job it is to regularly review the performance and metrics of these processes.
To reach this level of maturity, available technologies should be leveraged to plug the gaps that human efforts cannot fill on their own. At a minimum this means firewalls and anti-malware software deployed across enterprise and plant networks; some organisations go further and implement continuous, automated monitoring so that defences are maintained 24 hours a day, 7 days a week.
To protect a facility from attacks that cause downtime, loss of intellectual property or other operational damage, active management is a must. However, at this level an enterprise’s protection usually stops at its own boundary: threats that arrive through partners, suppliers or customers are not addressed. That residual exposure is unacceptable for critical infrastructure, or for anyone whose operations demand the next and highest level of protection.
At a fully mature level of cybersecurity, security excellence is interwoven with every stage of a company’s processes, end to end. At this level, protection defends against deliberate, skilled attacks on industrial control systems. Security excellence secures not only a single facility but the entire value chain.
Cyber protection is even more critical where complex software from multiple sources is connected together to drive a business. As cyber-attacks become more sophisticated and malicious, malware is increasingly likely to enter via external parties such as partners, suppliers or even customers. Whilst many organisations are increasing their spending and commitment to cybersecurity internally, only 15% of businesses have reviewed the risks presented by their suppliers (Gov.uk, 2020). These external vulnerabilities are especially threatening to industrial organisations, which interact with a vast number of external parties on a daily basis.
Protecting others is therefore an important part of protecting yourself. Ongoing training and development programmes should be put in place and best practices shared with supply chain members and customers; it is not enough to assume that your partners are implementing the same precautions as you are. Technology such as automated monitoring should also extend to the supply chain and to customers, delivered through Security Operations Centres (SOCs).
The future is digital and technology is ever-evolving, so reaching a fully mature level of cybersecurity requires more than a single initiative – a lifecycle approach is essential. To fully embrace the power of digitisation, it’s important to first make sure that cybersecurity is covered from the three angles of people, process and technology. As control systems, networks etc. evolve, so too must cybersecurity strategies and tools. Businesses who successfully commit to this can securely and confidently reap the many rewards to be had in the digital and connected future.