As the Internet of Things (IoT) continues to take hold and transform the global industrial manufacturing and critical infrastructure industries, the threat of increasingly aggressive, innovative and dangerous cyber-attacks has become progressively concerning. And with good reason. Taking advantage of all the financial benefits the IoT implies requires manufacturers to unify their operations and business processes in some way. That means bringing closer together the IT functions that have historically controlled the business with the operational technology (OT) functions that have historically controlled the manufacturing process.
A common approach to enabling an industrial IoT environment is the application of sensors across the plant. These sensors, while able to provide astounding amounts of valuable business and operating data, are also gateways into the systems that control our most critical, volatile processes and infrastructure. Never before has cybersecurity been more critical.
But it’s not only related to industrial control system technology. Just as manufacturing technology has advanced, so too have our adversaries. Cyber-attacks and attack methodologies, what we call attack vectors, are far more sophisticated than they were just a few years ago. On one hand, many of today’s progressively bold, innovative attacks are perpetrated by malicious actors, such as nation-states, who have unlimited time, resources and funding. On the other, the dark web has opened the door for low-level cyber criminals to access advanced hacking techniques, enabling them to attempt high-level cyber-attacks that are intended to cripple systems and wreak havoc, even catastrophe.
Regardless of their motivations, be it financial, political or social gain, these high threat level attacks can have significant impacts on public and environmental health and safety, as well as on national security, foreign relations and even international economics.
It’s time to change the game
The ramifications of high threat level cyber-attacks extend across the global industrial and business landscape, but taking the issue head-on requires a new way of thinking. In general, the manufacturing industry is conservative in nature. Once the systems that control, automate and keep safe volatile processes, e.g. converting crude oil to gasoline, are installed, they are intended to operate continuously, safely and reliably for decades. Replacing or upgrading these systems is not only costly, it is especially dangerous because it introduces multiple risks to the safety of an operation, which can lead to disaster. Therefore, the industry tends to take an “if it ain’t broke, don’t fix it” approach to how we operate. But we have to change that model, and our culture, when it comes to cybersecurity.
Everyone in industry is responsible for cybersecurity. We all need to take ownership, and we all have a role in developing a stronger cybersecurity culture. With lessons learned from recent cyberattacks, we in industry must evolve and improve our practices to address new threats and commit to educating our customers on how to adhere to security best practices. But how?
Revolutionize our security culture
Taking a three-pronged approach can revolutionize our security culture and make it more robust.
First, industrial control system vendors must reinforce their commitment to strengthening their products and educating end users on how to best take advantage of the cybersecurity features embedded within their industrial control systems. From there, these end-user organizations should continually apply best practices to significantly reduce their risks:
- Assess, identify, minimize and secure: Manufacturers should first perform a risk and threat assessment and gap analysis, determine appropriate levels and establish zones and conduits as a way to segment and isolate similar devices or systems according to security levels. It’s important to be aware of every system network connection, and then ensure they have all been secured. This also helps in the event of an attack: if zones are established, investigators only need to take down portions of the operations, saving organizations significant cost and limiting the impact on revenue.
- Harden the safety system: Services, ports and protocols that aren’t being used should be disabled. Every available security feature should be enabled, with robust configuration management practices to complement them.
- Manage training and expectations: Once the requirements for each specific industrial control system and device have been established, managers then need to establish expectations for performance and hold individuals accountable for their performance. This starts with extensive, ongoing training on industrial control system security for all operators and administrators.
- Think: cybersecurity is a journey, not a destination: Security can never be viewed as a one-off project. New threats, attack techniques and technologies are continually being developed, so security protocols must be regularly reviewed and updated. End users must apply and strengthen cybersecurity measures across the lifecycle of a device or system, and not just as an “add-on” when it is first operational. That means continually monitoring and assessing the security of every system and device, as well as their networks and interconnections.
Adhere to industry standards, protocols and best practices
Second, a strong security culture has its foundations in the industry standards, protocols and best practices most manufacturers already know. However, these standards are always being refined, and many industrial organizations cannot keep pace. Cybersecurity protocols can sit idle within organizations, as the professionals who should be paying attention bypass them, or worse, don’t understand them well enough to adhere.
The industry as a whole—encompassing suppliers, end users, third-party providers, integrators, standards bodies and other industry organizations, even government agencies—must make themselves aware of these standards, educate and train those who need to know them and then implement and always adhere to them. Tighter implementation of cybersecurity best practices thereby leads to more robust security review within all industrial control systems and embedded device systems.
Collaborate across competitor lines
The third thing we need to do is drive new levels of collaboration and transparency. Industry leaders must commit to being open, especially when it comes to sharing knowledge and lessons learned from cyber-attacks.
Cybersecurity isn’t limited to a single company, industry or region. It’s an international threat to public safety that can only be addressed and resolved through collaboration that crosses borders and competitive interests.
In the face of increasingly bold, innovative attacks—perpetrated by malicious actors who have unlimited time, resources and funding—every government agency, vendor, end user, third-party provider and systems integrator needs to take part in open conversations and drive new approaches that allow installed and new technology, as well as the industrial workforce that relies upon them, to combat the highest level cyber-attacks.
Aggressive, innovative cyber-attacks are a permanent part of the industrial landscape. They are a fixture, and we as an industry must be more assertive to prevent them. A unified commitment to transparency that promotes openness—across competitive lines—can help drive needed change.
This is our call to action. We must commit to strengthening our technology and standards, to educating and training our workforce and, most importantly, to driving new levels of collaboration and transparency. This is the clearest path toward ensuring the safety and security of global infrastructure and the long-term protection of the people, communities and environment we serve. Let’s not wait for a catastrophe to make this happen.
Gary Williams is the Senior Director, Technology, Cybersecurity & Communications for Schneider Electric.