A technical evolution has taken place, which has made cyberthreats more potent than at any other time in our history. According to PricewaterhouseCoopers, over half of British businesses will suffer cyberattacks by 2018. As businesses seek to embrace Industry 4.0, cybersecurity protection must be a top priority for Industrial Control Systems (ICS). These attacks are financially crippling, reduce production and business innovation, and cost lives.
In years gone by, legacy ICS were developed with proprietary technology and were isolated from the outside world, so physical perimeter security was deemed adequate and cybersecurity was not relevant. However, today the rise of digital manufacturing means many control systems use open or standardised technologies to both reduce costs and improve performance, employing direct communications between control and business systems. Companies must now be proactive to secure their systems online as well as offline.
This exposes vulnerabilities previously thought to affect only office and business computers, so cyberattacks now come from both inside and outside of the industrial control system network. The problem here is that a successful cyberattack on the ICS domain can have a fundamentally more severe impact than a similar incident in the IT domain. Indeed, cyberattacks cost British industry £34bn a year according to CEBR, so it’s clear that cyberprotection needs to be a boardroom-level discussion that is given as much consideration as safety or high availability.
The proliferation of cyberthreats has prompted asset owners in industrial environments to search for security solutions that can protect their assets and prevent potentially significant monetary loss and brand erosion. While some industries, such as financial services, have made progress in minimising the risk of cyberattacks, the barriers to improving cybersecurity remain high. More open and collaborative networks have made systems more vulnerable to attack. Furthermore, end user awareness and appreciation of the level of risk is inadequate across most industries outside critical infrastructure environments.
Uncertainty in the regulatory landscape also remains a significant restraint. With the increased use of commercial off-the-shelf IT solutions in industrial environments, control system availability is vulnerable to malware targeted at commercial systems. Inadequate expertise in industrial IT networks is a sector-wide challenge. Against this backdrop, organisations need to partner with a solutions provider who understands the unique characteristics and challenges of the industrial environment and is committed to security.
Assess the risks
A Defence-in-Depth approach is recommended. This starts with risk assessment – the process of analysing and documenting the environment and related systems to identify, and prioritise potential threats. The assessment examines the possible threats from internal sources, such as disgruntled employees and contractors and external sources such as hackers and vandals. It also examines the potential threats to continuity of operation and assesses the value and vulnerability of assets such as proprietary recipes and other intellectual properties, processes, and financial data. Organisations can use the outcome of this assessment to prioritise cybersecurity resource investments.
Develop a security plan
Existing security products and technologies can only go part way to securing an automation solution. They must be deployed in conjunction with a security plan. A well designed security plan coupled with diligent maintenance and oversight is essential to securing modern automation systems and networks. As the cybersecurity landscape evolves, users should continuously reassess their security policies and revisit the defence-in-depth approach to mitigate against any future attacks. Cyberattacks on critical manufacturers in the US alone have increased by 20 per cent, so it’s imperative that security plans are up to date.
Upskil the workforce
There are increasingly fewer skilled operators in today’s plants, as the older, expert workforce moves into retirement. So the Fourth Industrial Revolution presents a golden opportunity for manufacturing to bridge the gap and bolster the workforce, putting real-time status and diagnostic information at their disposal. At the same time, however, this workforce needs to be raised with the cybersecurity know-how to cope with modern threats.
In this regard, training is crucial to any defence-in-depth campaign and the development of a security conscious culture. There are two phases to such a programme: raising general awareness of policy and procedure, and job-specific classes. Both should be ongoing with update sessions given regularly, only then will employees and organisations see the benefit.
Global industry is well on the road to a game-changing Fourth Industrial Revolution. It is not some hyped up notion years away from reality. It’s already here and has its origins in technologies and functionalities developed by visionary automation suppliers more than 15 years ago. Improvements in efficiency and profitability, increased innovation, and better management of safety, performance and environmental impact are just some of the benefits of an Internet of Things-enabled industrial environment. However, without an effective cybersecurity programme at its heart, ICS professionals will not be able to take advantage of the new technologies at their disposal for fear of the next breach.
Dave Sutton, Product Marketing Manager at Schneider Electric