An effective cyber-security strategy for industrial automation systems relies on three interlinked elements: people, processes and technology.
The first of those can be the hardest to get right.
Much of the value delivered by modern industrial automation comes from increasing levels of integration. Companies in many sectors rely on the ability to monitor and control equipment remotely, to collect and share data, and to analyse that data to drive operational and business decisions.
These advances have brought new risks, however. Industrial automation systems can be valuable targets for malicious actors – from amateur hackers, to organised criminal groups or state-sponsored organisations. And greater connectivity means more possible access points for those attackers. There’s no easy fix for industrial cyber-security. Organisations involved with automation systems need to consider the security implications of every decision they make, from technology selection, to operating policies and maintenance processes.
They also need to think about their people. While the popular perception of cyber-attack involves remote groups finding and exploiting technical weaknesses in security infrastructure, the majority of real-world attacks rely on human fallibility. Authorised users can be tricked into disclosing passwords or installing malicious software using carefully crafted ‘phishing’ emails. Disgruntled employees can be incentivised to pass on access credentials. Old, weak or default passwords can be vulnerable to simple and widely available hacking tools. One study suggests that 60 per cent of all cyber-attacks against businesses are conducted or enabled by insiders, and three quarters of those events involved malicious intent1. Managing and mitigating these risks requires a systematic approach. Based on experience, we have summarised six key good practice suggestions that should be considered by any organisation with potentially sensitive industrial operational technology (OT) infrastructure.
Invest in appropriate capabilities
Your organisation’s dedicated IT security team should be sized and skilled to manage the complexity and risk level of its systems. Even in businesses with extensive, complex and business critical infrastructure, it is not uncommon to find that security is the responsibility of one or two individuals. Technology can improve the effectiveness of security personnel for example, through the use of automated analytics technologies to detect intrusions or unusual behaviour but skilled people are still necessary to create contingency plans and react to incidents when they occur. Where industrial automation security falls under the remit of the corporate IT function, those staff need to understand the particular challenges of automation technologies. And the
rapidly evolving nature of cyber threats means staff must have the time, resources and support necessary to stay current.
Educate and engage your people
Everyone in the business should see cyber-security as a personal responsibility. That means training staff in good practices, such as enforcing strong passwords, keeping access credentials secure and logging out of sensitive systems when tasks are complete. It also calls for cultural change. Operations personnel may have spent much of their careers working on isolated machines, the transition to a connected world, where a security weakness in one part of the system can create vulnerabilities elsewhere, will call for a new way of thinking.
Test your defences
Leading companies verify the effectiveness of cyber-security training by testing their people. They may, for example, send their own ‘phishing’ emails to users asking them to reveal sensitive access information or access potentially unsafe internet links. Analysis of real-world attacks reveals that 12 per cent of recipients click on links presented to them in phishing mails2. Crafting highly tailored ‘spear-phishing’ mails can be a useful way to check and reinforce good practice among staff involved with the organisation’s industrial automation systems. Staff evaluation and review processes should consider security risks, including checking that employees have received suitable training, ensuring access permissions are updated as roles change, and watching for signs of dissatisfaction or inappropriate behaviour.
Facilitate best practices
Wherever possible, good security practice should be built into system design. This can be facilitated in many ways, from providing strong password generators wherever users create or update access credentials, to ensuring that individuals are given access only to the systems and functions necessary to fulfil their roles. Preventing the use of removable media or enforcing encryption can help to reduce data theft.
Learn from bad experiences
Nobody is proud of failures in their cyber-security, but breaches and violations of good practice are inevitable. Rather than keeping these issues quiet, the best companies use them as a learning tool. Sharing the details of an issue in one part of the organisation can reveal opportunities for improvements elsewhere, and can be a powerful way to further reinforce the importance of vigilance across the business.
Think about the supply chain
All industrial automation systems rely on external suppliers and partners. Those partners may develop, install or maintain significant parts of the system, or they may provide services that require them to connect to it. The nature of their work means those external organisations are part of your cyber-security infrastructure. You need processes in place to ensure they are playing their role. That can include audits and assessments of supplier security technologies, policies and processes, as well as the inclusion of security-related terms in contracts and service agreements.
Your organisation’s people are a critical-link in the cyber-security chain. With the right processes, training and support in place, a company can turn the human factor from a significant vulnerability into a key strength.