Industrial Cybersecurity: good ideas and false myths

Reading time: 8 minutes - Difficulty: advanced

In many manufacturing companies, Industrial Cybersecurity processes are still struggling to get off the ground; this is for a number of reasons, most notably a lack of risk awareness at the top, the complexity of OT networks, and a lack of human or financial resources.
If you recognize your business context in at least one of these cases, and you think you are not taking action, carry on reading and you might change your mind.

What is stopping you from addressing OT Cybersecurity in the company?

Time? Costs? Priorities? Skills and organization? Or maybe all of these.

Despite the initial difficulties, there are numerous situations that have managed to overcome these obstacles. You will find that sometimes consolidating good security practices is all that is required, but other times you will need to change your perspective when it comes to methods and solutions for protecting OT networks. If you accept the challenge, continue reading this article.

 

Some of the most common beliefs about Industrial Cybersecurity suggest that:

1) Systems that do not communicate with the outside world are not vulnerable to cyber attacks

If your systems are not communicating with the outside world, know that the cybersecurity problem still exists. Non-communicating systems could also be subject to physical attack, malware, or DoS (Denial-of-Service) attacks capable of controlling the system or rendering data traffic unusable.

Cybersecurity risks are therefore inescapable, and it is essential to mitigate them by implementing appropriate security measures to protect the OT infrastructure, even when systems are not communicating with the outside world.

 

Read the article:

 

2) Strict procedures on the use of PCs during remote support or production are enough to block cyber attacks

If you think that having well-defined procedures on how to use PCs during remote support or production, with isolated devices that do not allow unauthorized software to run, is the solution, you are right (in part): it is undoubtedly an excellent starting point.

But it is still important to ensure that devices used for remote support and production are protected from cyber attacks without exclusion.

 

One more suggestion:

 

3) State-of-the-art security products protect OT systems without failure

The latest security products undoubtedly offer a good level of security, but they may not be able to protect industrial systems entirely. This is why some additional measures are recommended:

  • OT security technologies, selecting the most appropriate solutions, such as firewalls, antiviruses or end-points specific to OT systems

 

4) For cybersecurity success in the machinery environment, it is enough to implement the IT practices

No, it is not. The IT and OT environments are quite different from each other, and, in particular, OT networks are more vulnerable to threats related to, for example, the operation of equipment and impacts on the physical security of operators.

Because of this, IT security methods and measures may prove insufficient to protect the OT infrastructure, as popular IT firewalls or antiviruses are not designed to protect industrial processes.

 

The best practices we recommend for Cybersecurity OT come under IEC 62443.

IEC 62443 is the most referenced international benchmark for the safety of industrial control systems, created twenty years ago by a group of industry volunteers who were part of the SP99 committee established by ISA, International Society of Automation. The standard was later revised and adopted by IEC, the International Electrotechnical Commission, from which it takes its original name ISA 99/IEC 62443.

 

IEC 62443 suggests the cyber risk analysis tool as a key starting point. This, described in two steps, is applicable as follows:

  • High Level Risk Assessment consists of high-level risk assessment according to the standard process described in IEC 62443-3-2, including business logic analysis
  • Low Level Risk Assessment is performed based on the high-level result, detailing the actions needed to protect the systems and machines most at risk of cyber attack

The information gathered during the analysis is used to correctly draft the Industrial Cybersecurity specifications, i.e., the set of recommendations to be adopted to protect the infrastructure, strictly from an OT perspective.

Also keep in mind that the skills needed to deal with OT cybersecurity are different from that proven by IT specialists.

As much as IT specialists possess valuable expertise, not relying on OT specialists to protect industrial systems could amount to failing to fully meet Industrial Cybersecurity goals.

 

More information:

 

5) It is impossible to quantify how many and what internal resources to allocate to a cybersecurity project

It is not simple, but neither is it impossible. An Industrial Cybersecurity project takes shape by involving a variety of your internal resources, including:

  • Technical staff to learn more about industrial processes and OT technologies
  • Security managers to develop and implement an OT security program
  • Corporate executives to gather primary information on corporate requirements and culture, and safety priorities

The time needed to deal with these resources will depend on the complexity of the OT infrastructure. In general, however, it is important that the involvement of an external specialist provides access to internal resources to make the intervention worthwhile.

 

Some specific examples of activities we could do alongside your internal resources:

  • Collection of data about OT systems
  • Data analysis to identify vulnerabilities and risks
  • Selection of solutions to mitigate identified risks
  • Training of internal staff on OT security practices

 

For example:

By conducting an initial audit of your level of cybersecurity, we can give you evidence of what interventions, what resources and how much time might be needed to move the project forward, planning it with due care, organization and transparency.

Don’t you believe it? Request an initial Industrial Cybersecurity audit.

 

Here is how an initial audit works.

A GAP Analysis is a proven method for highlighting the shortcomings of the OT infrastructure with respect to the cybersecurity requirements outlined in the relevant current standards (including the aforementioned IEC 62443, but also the New Machinery Regulation, the NIS 2 Directive, or the Cyber Resilience Act):

  • We establish the perimeter, i.e., the factories, machines, and plants to be analyzed, based on processing, extension, or geographical location
  • We identify critical issues, through cyber risk analysis, analysis of network infrastructure, control systems and vulnerabilities
  • We define the Improvement Plan. Based on the critical issues found and the risk-benefit ratio, we determine the short- and medium- to long-term interventions
  • We quantify interventions. Estimating the cost of implementing the solutions and the human resources needed to fulfill the project allows your Management to receive a clear and objective view of the investments required for the success of the project

 

Having agreed on the feasibility of the project, the next work phases investigate the following:

  • Detailed Risk Assessment following the best practices of international standards
  • Technical report and detailed specifications on recommended mitigation measures
  • Implementation of countermeasures through the adoption of OT technologies
  • Development of Governance and Procedures related to Industrial Cybersecurity and available to your in-house staff
  • Testing of OT infrastructure and tracking of project results

 

Lastly, by the time you have reached this point, it is clear to you that Industrial Cybersecurity can be done with the right method, pace, and awareness, and we will guide you toward OT infrastructure certification: an additional, challenging, but achievable goal.

We are the only Italian ISASecure® accredited certification body, and this allows us to provide you with the State of Compliance to IEC 62443, proving the success of your projects.

 

Your path to change in terms of Industrial Cybersecurity will demonstrate the value of your vision in the eyes of the different stakeholders, including ownership, your potential buyers, funds or multinational corporations, or security control bodies, and will be a tangible benefit to the security of your production systems and operators.

 

Any questions or comments?

 

Share us your feedback

Do you want to help our page grow? Follow us on Linkedin

 

Go back to the blog
Send this to a friend