Why industrial cyber security must be built in, not bolted on
Cyber-attacks on industrial control systems are a real – and growing – threat. In one survey of infrastructure firms, more than half admitted that their networks had experienced attacks during the last 12 months, and the majority noted that those attacks were becoming both more frequent and more sophisticated.
Yet while asset owners acknowledge the need to protect their systems against cyber-attack, many still fall into the trap of doing too little, too late. Here are four common problems that can lead companies to an inadequate industrial cyber-security approach, and what to do about them.
1. Failure to understand the vulnerabilities
Two decades ago, security policies in many organisations relied on physical separation of industrial control systems and enterprise IT networks. That separation can no longer be assumed. The growth of modern monitoring approaches, from remote diagnostics to company-wide performance dashboards, can introduce links between previously disparate systems and – if not properly managed – new weaknesses. Other trends are adding to the industrial cyber-security challenge. The growing use of PC-based equipment in industrial environments is increasing the exposure of industrial systems to viruses and ransomware attacks. The requirement to mix new and legacy equipment on the same networks can also create unexpected vulnerabilities.
Solution: Cyber-security vulnerability assessment should be built into the design, engineering and change-management processes for all industrial assets.
2. Failure to quantify the risks
When organisations assess the vulnerabilities of their industrial control systems, they often make an unrealistically narrow assessment of the resulting risks. The direct and indirect costs of the unplanned shutdown of an asset are not limited to the cost of repairing and reinstating equipment. They also extend beyond the cost of lost production during the shutdown period. A successful cyber-attack can result in onerous financial penalties from regulators and long-lasting reputational damage. Underestimating the risks associated with cyber-attack can skew business-case calculations, leading to underinvestment in security activities.
Solution: Cyber-threat analysis requires a risk-based approach that considers both the direct and indirect consequences of a successful attack on industrial assets.
3. Thinking about security last
In most industrial automation projects, whether new builds or upgrades, software integration is the last step in a complex chain of activities that include the construction of physical infrastructure and the installation and commissioning of equipment. Delivering such projects on time and on budget is always challenging, and when overruns occur, it is often the control system that feels the squeeze. That can lead to dangerous shortcuts in the design, implementation and testing of system security.
Solution: Cyber-security considerations need to be built into projects from the start. Viewing equipment selection and configuration decisions through a security lens increases both the strength and the cost-effectiveness of asset protection.
4. Thinking about security once
Cyber-security is a dynamic and fast-moving activity. Systems must be patched and updated as new threats are identified and new countermeasures developed. When it comes to industrial assets, however, many organisations lack a systematic approach to the distribution and installation of security updates, or they may be reluctant to risk disrupting production-critical systems in order to upgrade their software.
Solution: Plan for the unknown. An effective industrial-security approach is designed to evolve. Building the technical and procedural mechanisms for system upgrades into industrial control systems at the design stage helps to ensure security over the long term, without compromising productivity, reliability or asset availability.
Along with the benefits that advanced, networked industrial control systems provide for businesses, they also create new risks and vulnerabilities. To protect themselves, organisations must understand those risks and address them at every stage in the design, commissioning, operation and maintenance of their assets. Effective industrial cyber-security can’t be bolted on as an afterthought; it must be built into everything you do.