Industry 4.0 technologies and the benefits they bring are built on data transparency. From sensors to the cloud, openness is essential if we want to glean business insights from process and IT data. The benefits of this transparency, however, also come with responsibility.
Cybersecurity is not just about people stealing data or intellectual property. Those same transparent networks are used to operate machinery. If these signals, and indeed all data flowing on industrial networks, are compromised, it could lead to a dangerous incident. It’s also a matter of safety.
We’ve always believed there’s a lot to be gained by securely crossing the digitization frontier. So, for us, cybersecurity and industrial digitization go hand-in-hand. Earlier this year Schneider Electric confirmed and strengthened our long-held commitment to cybersecurity by joining more than a hundred other industry thought leaders as part of the Cybersecurity Tech Accord.
What does cybersecurity mean for your plant operations?
Industry requirements and standards such as ISO 27001 can provide a consistent framework for your cybersecurity strategy. There are also plenty of cybersecurity solutions to help you implement these standards. Like safety, cybersecurity also comes down to culture and education. It’s important to always involve people, processes, and technology in your cybersecurity initiatives.
In our experience, companies are usually at one of three levels of maturity when it comes to cybersecure digital operations.
- Awareness – a basic organizational structure, policy & ad-hoc protection in place
- Active management – organizational accountability, process metrics and some automatic systems
- Security excellence – a dedicated organization and lifecycle approach with fully automatic and adaptive protection across the business’s entire value chain
Cybersecurity starts with awareness
It pays to do the basics well because many cybersecurity incidents are accidental – simple mistakes that are due to a lack of education and awareness. If you can address these types of risks, you’re already way ahead.
In 2011 a United States Department of Homeland Security test showed that 60 percent of people who found a CD or USB stick in the car park plugged it into an office computer to see what was on it. If it had an official logo, that went up to 90 percent.
Stuxnet, hailed as the world’s first digital weapon, apparently made its way into a nuclear plant in Iran via an infected USB stick found in a car park. This shows how important it is to have a basic level of cybersecurity awareness backed up by processes. When paired with a program of continuing education this goes a long way to protecting organizations, but it can easily be overlooked.
Active management will help you step up your cybersecurity
Active management cybersecurity strategies are designed to defend against more opportunistic or deliberate attacks. Most larger companies will typically have comprehensive organization-wide cybersecurity processes in place, with cybersecurity teams whose job it is to regularly review the performance and metrics of these processes. Technologies including anti-virus software and firewalls are installed across enterprise networks and some automatic monitoring is in place.
To protect your plant from attacks that cause downtime, loss of intellectual property or other operational damage, active management is a must. However, at this level, enterprises are usually only protected from threats that originate inside their four walls. This level of vulnerability is unacceptable for critical infrastructure or anyone whose operations demand the next and highest level of protection.
Security Excellence protects you and your entire value chain
This level of protection aims to prevent deliberate, skilled attacks on industrial control systems. Security Excellence is about protecting not just your facility but your entire value chain. As cyber-attacks become more sophisticated and malicious, viruses or malware are more likely to enter via partners, suppliers or even customers.
Stuxnet is a perfect example because four other companies involved in industrial processing were caught up in unknowingly spreading the worm. So, protecting others is an important part of protecting yourself. Ongoing training and development programs should be put in place and best practices shared with supply chain members and customers (to avoid innocent mistakes like picking up branded USB keys from the car park). Technology such as automatic monitoring should also extend to the supply chain and customers via Security Operations Centers (SOC).
Like the modern industrial safety discipline, this level of cybersecurity involves an end-to-end, lifecycle approach. To fully embrace the power of digitization, it’s important to take the responsibility to first make sure cybersecurity is covered from the three angles of people, process and technology. Any future changes to control systems, networks, etc. must also take into account and address any potential impact on cybersecurity. Businesses that do this successfully can securely enjoy their digital future throughout the 21st century and beyond.
As they said in Spider-Man, ‘with great power comes great responsibility’.