You don’t need to be an IT professional to know if your enterprise is secure (but you do need to know the right questions to ask)
With the convergence of IT and Operational Technology (OT), and ever since computers were first used in industrial enterprises, cybersecurity has been a huge worry for industry leaders. Hackers are extremely clever, with excellent IT skills that can expose even the smallest vulnerabilities. Making your industrial enterprise secure and keeping it that way is an ongoing process that requires significant IT skill. It’s a complex area for business leaders, but if you can ask the right (simple) questions of your team, you can quickly evaluate what action to take.
The Ugly Side of Digitisation
Cybersecurity is an ugly boil on the gleaming face of modern industry. You can’t miss it: for all the advantages of industrial computing, networks and connectivity, there’s just no hiding the fact that, in cybercrime, there is an ugly side.
In fact, for many industrial enterprises, worries about the vulnerability of their company as it becomes more connected can even hold them back from the productivity, efficiency and flexibility advantages that come with developing a Connected Enterprise approach.
Industrial Cybersecurity and The Poorly Hermit
But there is no safety in trying to stay offline either. As has long since been shown, even systems that are air-gapped from the internet have network vulnerabilities that clever and determined hackers can, and will, exploit, often with remarkably low-tech consumer devices such as a Raspberry Pi.
Keeping systems offline to reduce the risk is akin to becoming a hermit in order to reduce the risk of getting sick – it’s not foolproof, and it comes with significant disadvantages!
The stakes are consistently and widely reported, often front-page news. An internet search for “industrial malware attacks”, for example, gives chilling evidence of ransomware and industrial espionage, and worse – attacks on safety systems that can endanger life on site or beyond the plant gates.
Understanding the Risk
Risk is a part of life – from crossing a road to using the stairs, we all encounter it every day. At a busy road we use a pedestrian crossing, and on stairs there are usually handrails. Everyday mitigations for everyday risk.
Industrial cybersecurity is a similar story – no company is completely safe, but there are various mitigations available that significantly reduce risk, and further preparations that can reduce the impact of a successful cyberattack. Such action plans and recovery approaches should be as normal as a first-aid kit on the plant floor. Unfortunately, basic good practice around industrial cybersecurity is often lacking.
One of the problems is that cybersecurity is perceived to be a complex issue. Moreover, those with ultimate responsibility for cybersecurity practices in industry are seldom those with the IT knowledge that is needed to create the most secure networks. But you don’t need to understand much about cybercrime or even IT networks to understand vulnerability and provide the industrial cybersecurity leadership that your company needs.
You Can’t Secure What You Can’t See!
It starts with visibility. Every company needs an up-to-date inventory of intelligent assets; that’s how you get visibility. Most industrial systems have grown organically over time – they might not have been designed with the present parameters in mind, and they may contain legacy systems that have been around a long time. Here are some simple questions to ask your network administrators and plant managers, to get better visibility of your intelligent assets:
- How well do you know your assets?
- What does your operational technology network look like?
- How many devices are connected?
- How are they connected?
- Is there a CCTV system? Is that secure?
Secure Your Network
To be cybersecure, we need to build an operational technology network that is fit for purpose. Here are a few simple but vital questions for the leadership team.
- Are you running any systems that rely on technology that is no longer supported by the vendor? Is that CCTV system from the 90s still running Windows 95?
- Do you have active patch management – the process by which vendors close security vulnerabilities with software updates?
- If a hacker scanned your network, would they find an easy way in?
Taking action to resolve those two key factors of visibility and security should make your enterprise much more resilient. But maintaining this more secure state requires a continuous approach. Secure today is not secure tomorrow.
Simple management programmes and responsibilities for keeping patches up to date, verifying additions and changes to the network, and regularly assessing vulnerability need to be second nature if your company is to take a more cybersecure stance. Moreover, as we know, even with an active plan that follows best practices, your security risk is reduced, not eliminated.
Have a Plan
If your company can answer these questions, then you are well positioned to reduce the likelihood and the effect of cybercrime.
- What would happen if you suffered a successful attack?
- Would you know it was happening?
- Do you have active, real-time threat detection in place to recognise and isolate abnormalities?
- Is there a disaster recovery or incident plan?
- Are backup and recovery solutions standing by?
None of this is hard to understand. Nor is it hard to implement: if your company doesn’t have the required IT skills and OT knowledge in-house, the right expertise is readily available from trusted partners.
My advice is not to get lost in the jargon of bits and bytes, and of course, don’t be a cybersecurity hermit – it doesn’t work, and the benefits of connectivity are far too important. Take the time to understand the risks, take the necessary steps to mitigate them, set in train a maintenance programme and know what you will do when you are attacked.