By Rick Huijbregts
By Rick Huijbregts
Manufacturers will continue to be targets of cyberattacks and it is critical to develop a process to lessen risk
The introduction of advanced technologies such as the Industrial Internet of Things (IIoT) to the plant floor has created new challenges for Operational Technology (OT) and Information Technology (IT) professionals. What were once physical-only systems, managed and maintained by OT staff, are now connected by an IT network to an enterprise system. Securing these new cyber-physical systems should be a priority for manufacturers as they begin their digital transformation, but leaders often underestimate the importance of cybersecurity on the plant floor. It is believed the risk of attack is low, and thus securing cyber-physical systems can be overlooked.
For example, PLANT magazine’s 2017 Outlook report revealed that 17 percent of Canadian manufacturers have not taken any steps to defend against cyberattacks. In addition, when you consider that 78 percent rated their concern of a cyberattack affecting them as ‘low’ or ‘medium,’ why would they? Clearly, the industry believes other organizations are much more suitable targets.
The Cisco 2017 Annual Cybersecurity Report, released in January, showed that Canadian organizations rank second-to-last in security capability maturity. Nearly half (48 percent) of our businesses have ‘low’ or ‘lower-middle’ maturity. Across all industries, our organizations are not nearly prepared to deal with dynamic cybersecurity threats.
Add to this the complexity of digitally securing a production facility or shop floor, and it is easy to understand why Canadian manufacturers want to believe cyberattacks are not a significant threat. But the truth is that, compared to other industries, manufacturers operate some of the most high-risk applications over their networks. Any threat to those applications — due to cyberattacks, poor maintenance or otherwise — must be addressed and mitigated. And for the record, manufacturers have been, and will continue to be, the target of cyberattacks. That will not change.
The good news for Canadian manufacturers is that securing their plant floor does not need to be complicated. In fact, when done right, keeping a plant secure in the IIoT era can be as simple as 1, 2, 3: prepare, assess, build.
It is important for manufacturers to develop a security framework that helps them align and prioritize business and security needs. The first step in building that framework is to ask specific questions about their physical and cybersecurity capabilities. For example, IT and OT leaders could ask the following:
• Have we outlined who has access to which machines and devices?
• Do we have centralized control of both OT and IT network security?
• Can our network quickly provision and securely adapt to new connections?
• Have we assessed, ranked and prioritized our most critical assets?
By understanding capabilities and potential gaps in security processes, technologies and practices, manufacturers can better understand what cybersecurity solutions they require.
Although there is no silver bullet to cybersecurity for manufacturers, there are trusted partners who can help. These partners can review the organization’s current infrastructure and make recommendations to help achieve its security goals. Many technology and cybersecurity vendors provide these reviews, often called security assessments. My advice is to evaluate the assessments offered by several vendors, then decide which has the right combination of security expertise, best-in-class products and industry knowledge for your organization.
It is vital that, prior to implementing a new cybersecurity solution, manufacturers work with their selected vendor to build a security strategy and plan. This plan should include both cybersecurity and technology elements — such as whether to leverage virtualization to back up important systems — as well as physical security processes and best practices. Most importantly, a plan provides a roadmap for manufacturers and vendors to follow to ensure projects have measureable goals, outline expected Return on Investment (ROI) and stay on time and budget.
For Canadian manufacturers who aren’t ready for the process above, there are other ways to keep their plant floor secure. I encourage all manufacturing leaders to take the following steps in their production facility to increase cybersecurity readiness:
• Ensure single-use computers are actually single-use,
• Change default passwords on IIoT-enables devices,
• Implement change control,
• Use secure protocols where possible, and
• Use manufacturers’ recommended secure settings.
When it comes to cybersecurity on the plant floor, doing nothing is no longer an option for Canadian manufacturers. The convergence of IT and operational networks through the IIoT has highlighted the risks of legacy control systems that were never designed with cybersecurity as a priority. Although stopping all attacks may not be possible, manufacturers can minimize both the risk and the impact of these threats by working with a trusted partner who can evaluate their current systems.
The IIoT is creating incredible business opportunities for manufacturers by decreasing downtime, increasing sustainability and providing real-time visibility across the plant floor. The right IIoT partner will ensure your network, and everything connected to it, is secure.