Cybersecurity is a critical requirement for organizations to remain afloat and competitive in any industry. Many organizations have ambitions to implement digital strategies but do not fully scale due to cybersecurity concerns. Companies that ignore these concerns then become the next story of increasing reports of sophisticated, socially engineered cyber-attacks on industrial companies. Organizations with weak operational technology (OT) cybersecurity programs face irreparable consequences that affect business continuity and safety of operators and/or the public. Having a practical, effective approach to industrial cybersecurity is the answer.
IT Security Versus OT Security
It is important to acknowledge there are many challenges that present themselves differently in OT cybersecurity versus information technology (IT) cybersecurity programs. For instance, in IT/enterprise cybersecurity, the top priority is to ensure data confidentiality of information is maintained. For OT cybersecurity, this is far down the priority list—the focus is on maintaining availability of operations and data to maintain business continuity and safety. The typical lifecycle of assets in the enterprise (IT) is far less (3-5 years) than what is encountered on the factory floor (20-40 years). These are just a few examples of some fundamentally similar challenges but different realities that Chief Information Officers/Chief Information Security Officers (CIOs/CISOs) and their colleagues face when making decisions on OT cybersecurity.
Standards and Partnerships for OT Cybersecurity
Understanding globally accepted and tested standards is crucial for a successful deployment of a well-protected industrial control system. For industrial cybersecurity, look no further than IEC 62443 as the foundational guideline set by the International Society of Automation and adopted by the International Electrotechnical Commission. IEC 62443 is considered in most industrial settings because it is aimed at plant operators, integrators, and component manufacturers alike, and covers all security-related aspects of industrial cybersecurity.
Partnering with the right organization(s) is equally important as defining the right standard/framework. The right partnerships can strengthen an organization’s cybersecurity posture beyond the boundaries of their own organization. Look for companies that can offer domain expertise within various industries and rich experience in cybersecurity.
Now comes in the super-hero partner to save the day touting a “defense-in-depth” strategy. What does that mean? Is this another buzzword that is being pitched or is this something practical and attainable?
Defense-in-depth is a strategy that employs multiple layers of cybersecurity measures to mitigate the amount of risk that comes with OT cyber-physical systems. This strategy is often analogous to an onion—where the inner-layer of the onion is the target (e.g., the OT device) and the layers around the target are the protective measures put in place. This so-called “onion-model” can be broken down into three simple layers:
- Plant security
- Network security
- System integrity
Plant security focuses on the physical protection and management for automation systems within a manufacturing plant. This layer employs several different methods to prevent unauthorized persons from gaining physical access to critical components, starting with conventional building access, and extending to securing sensitive areas by means of key cards.
For comprehensive plant protection, look for a partner who can help with developing processes and guidelines that can be improved or delivered with tailored services. This can come in the form of basic risk analysis, the implementation and/or monitoring of suitable measures, or deploying regular product updates.
One of the key challenges for maintaining plant availability and consistent communication is to establish adequate protection of easily accessible systems. In addition to availability, the focus is on protecting automation networks against unauthorized access.
Industrial networks and devices must meet specific requirements for use in automation systems and environments that are different than traditional IT-like components and networks. For use in extreme environmental conditions, rugged security devices can be the better fit.
Practical strategies for network security include:
- Network segmentation/cell protection
- User-specific firewalls
- Industrial Demilitarized Zone (iDMZ)
- Network management and transparency tools
- Secure remote access and secure remote access management tools
Whether you want to protect existing know-how or exclude unauthorized access to your automation processes from the outset as a way of preventing faults in your production processes—find a partner that will support you in implementing targeted measures to protect against a variety of threats and design complete solutions for maximum protection.
Most organizations do not utilize integrated security features of OT equipment. Knowing which integrated security features or functions to use can provide comprehensive protection against risks such as unauthorized configuration changes at the control level or unauthorized network access. Depending on the goals in mind, these features can also prevent the copying of confidential configuration data and make any attempts to manipulate these files easier to detect.
Practical strategies for system integrity include:
- Access control
- Access protection and authentication
- Centralized user management for engineering systems
- Communication integrity
- Know-how protection
- Copy protection
- Process automation
The Practical Approach
Industrial cybersecurity is a dynamic topic. Potential hazards, security risks, and defense measures are constantly changing. It’s important to maintain and adapt a strong OT cybersecurity program to remain relevant and competitive in today’s market. It’s equally important to ensure the right partner(s) are there with you during these dynamic times—a leader in industry and one who “walks the walk” for their own organizations.
To do nothing is not an option! Industry is quickly nearing the point which we no longer ask ourselves, “What if we get cyber-attacked? How will we respond?” but instead “When we get cyber-attacked, how will we respond?” Having a proactive, practical approach - like a defense-in-depth strategy - may just bridge the gap.
Opinions expressed by contributing authors are their own.
Marketing Manager for Industrial Cybersecurity, Siemens USA