For many of us, our older siblings are our earliest mentors. That’s because they frequently pass – directly or indirectly – their life lessons down to us. We benefit because, when applied correctly, that knowledge – wisdom, really – can help us navigate through life’s challenges a bit more smoothly, which helps us get ahead.
That scenario can be easily applied to the world of industrial manufacturing, especially when we look at the close, almost familial relationship between safety and cybersecurity. As in many families, where siblings often take on distinct but complementary roles and personalities, safety and security each serve and execute a specific, critical function. Like siblings, they are closely related, with safety being the older, more mature of the two. That means the cybersecurity function can benefit from many of the lessons safety has learned over the years. But more importantly, we are beginning to understand that applying this acquired knowledge to the cybersecurity function in turn can have a positive effect on the safety of the plant.
As industrial manufacturing companies embark or continue their digital transformations, they also continue to shrink the gap between their IT and OT functions. While that frequently improves business and operations performance, it also means cybersecurity risks that at one time affected only the external network can now impact the process control and safety systems, with potentially disastrous consequences.
The changing landscape
As the demand for applications that extract new business value from operational data increases, so too does the number of connected devices, as well as the need for stronger cybersecurity practices and discipline.
When network connectivity expands, the attack surface widens (because each new connection becomes a possible entry point for would-be attackers). That means plant operators and managers not only need to prepare for new sources of data traffic, they need to anticipate the likelihood of increasingly sophisticated attacks.
Studies verify that the scope, power and sophistication of cyber-attacks grow every day. A recent article noted that prominent London tourist attractions have been attacked more than 100 million times in the past few years. Kew Gardens saw an increase in spyware of 526% in 2018, suffering more than 82 million attempts. And when it comes to industry and critical infrastructure, new, stronger and more insidious actors are perpetrating new types of attacks on new targets, like process safety and control systems. That means we must start taking a new, better approach to securing our operations. And that’s where safety – cybersecurity’s older sibling – can help out.
Apply experience to manage risk
Improving the safety of the operation is all about understanding, predicting and then managing risks. And that is the case with cybersecurity as well. So why not apply all that we’ve learned from managing safety risk to improve how we manage and mitigate cybersecurity risks?
Plant operators and managers must constantly monitor and gauge the performance of their assets and operations and then apply trusted solutions to measure and understand their safety profile, i.e., how far can they push their operations without exceeding safety risks. The cybersecurity lifecycle is very similar to safety, meaning operators and managers can apply similar methods, solutions and technologies to understand and mitigate security risks, i.e., how they can improve business performance without risking an incident or attack.
One such practice is conducting a cybersecurity process hazard analysis (CyberPHA), which is a solid tool borrowed specifically from the safety side of the house.
A CyberPHA is a very structured systematic approach to understanding cyber risk. In conducting a CyberPHA, a user can see the real consequence if the system is compromised. It puts cybersecurity vulnerabilities in the right context of the operations, i.e., what if the system shuts down.
Another tool or method is an assessment of the ICS system itself to understand how it is vulnerable. A user would evaluate the ICS by looking at the control system’s design and:
- Reviewing as-built or as-found drawings
- Analyzing network communications, i.e., what devices are talking to what devices
- Analyzing network devices
- Analyzing servers/workstations
- Analyzing ICS devices
- Partitioning the system into zones and conduits
- Reviewing policies and procedures
- Recommending mitigations
Identifying the need to segregate networks, maintaining strict change management protocols, and adding additional host / network-based security controls as a last layer of defense are other safety practices that should be considered to improve cyber defense and to mitigate the risk of cyber-attacks.
Industrial manufacturers are under constant pressure to improve business and operating performance. To maintain a competitive advantage while meeting fluctuating market demands, they work at breakneck speed to ensure more product gets out the door, safely and securely. Advanced, digital technology, what we mostly call the IIoT, is frequently the answer to their needs. And while the resultant increase in connectivity can increase business performance and results, it also increases the risks of cyber-attack. Therefore, security professionals need to leverage the best tools, knowledge and experience available.
Why not borrow what works best from our big brother across the hall? Safety has taught us well. Now it’s time to learn even more. Come take part in “Cyber Summit ‘19”, a virtual event and expert panel discussion on “How does cybersecurity affect safety, and what should you do about it?”.