The Industrial Internet of Things (IIoT) benefits industrial facilities in many ways.
However, this increased connectivity also poses a number of challenges. Between sensors, remote monitoring systems and the cloud, openness is essential to uncovering business insights from process and IT data. To truly reap the benefits of IIoT, industrial digitalisation projects must be built on a foundation of security.
When they hear the word cybersecurity, most people will think of data or intellectual property theft. However, those same transparent networks are used to operate machinery. If these signals, and indeed all data flowing on industrial networks, are compromised, it could lead to a dangerous incident.
Whilst there’s a lot to be gained by crossing the digitisation frontier, it’s critical that this is done securely. Industrial digitisation cannot be carried out before strong, reliable cybersecurity is established.
A journey, not a destination
Industry requirements and standards such as ISO27001 can provide a consistent framework for industrial cybersecurity strategies. There is also a vast selection of cybersecurity solutions to help plant operators implement these standards. Much like health and safety, a cybersecure facility depends on the right culture and education of the workforce. Effective cybersecurity strategies always involve people, processes, and technology from the start.
Companies tend to move through three different levels of maturity when it comes to cybersecure digital operations: awareness, active management and finally, security excellence. It’s essential that companies recognise this process, and continually push themselves to move from the most basic, fundamental policies to a fully-fledged, end-to-end lifecycle approach to security.
Cybersecurity is everyone’s responsibility
Awareness is step one of any cybersecurity strategy. Many cybersecurity incidents are accidental – simple mistakes and human errors that are due to a lack of education and awareness – so it pays to get the fundamentals right. Addressing these basic kinds of risk should be a priority first step and lays the foundations for a successful cybersecurity strategy.
An effective first step in achieving this foundational security is building it into company culture and employee experience. Cybersecurity is not the sole responsibility of the IT team. It’s therefore vital that security training is built into the employee lifecycle, for all team members. From recruiting to onboarding to employee development and succession planning, education, awareness and training are critical. By making everyone, everywhere responsible for cybersecurity, you can move employees from simply executing their traditional tasks to recognising that implementing and adhering to cybersecurity best practices is now part of their core responsibilities.
Technology for efficient management
Having trained teams in cybersecure behaviours and created a culture that appreciates the importance of these, companies should further develop their cybersecurity strategies by adopting an active management approach. Active management cybersecurity strategies are designed to defend against more opportunistic or deliberate attacks. Most larger companies will typically have comprehensive organisation-wide cybersecurity processes in place with cybersecurity teams whose job it is to regularly review the performance and metrics of these processes.
To reach this level of maturity, available technologies should be leveraged to plug the gaps that human efforts can’t necessarily fill. This technology comes in the form of anti-virus software and firewalls, installed across enterprise networks. Some organisations may even implement automatic monitoring, to bolster security 24 hours a day, 7 days a week.
To protect a facility from attacks that cause downtime, loss of intellectual property or other operational damage, active management is a must. However, at this level, enterprises are usually only protected from threats that originate inside their four walls. This level of vulnerability is unacceptable for critical infrastructure or anyone whose operations demand the next and highest level of protection.
At a fully mature level of cybersecurity, security excellence will be interwoven with every stage of a company’s processes, from end to end. At this level, protection defends against deliberate, skilled attacks on industrial control systems. Security excellence secures not only a single facility, but the entire value chain.
Cyber protection is even more critical where complex software from multiple sources connects to drive a business. As cyber-attacks become more sophisticated and malicious, viruses or malware are more likely to enter via external parties such as partners, suppliers or even customers. Whilst many organisations are increasing their spending and commitment to cybersecurity internally, only 15% of businesses have reviewed the risks presented by their suppliers (Gov.uk, 2020). These external vulnerabilities are especially threatening to industrial organisations, which interact with a vast number of external parties on a daily basis.
In this way, protecting others is an important part of protecting yourself. Ongoing training and development programs should be put in place and best practices shared with supply chain members and customers – it is not enough to assume that your partners are implementing the same precautions as you are. Technology such as automatic monitoring should also extend to the supply chain and customers via Security Operations Centers (SOC).
The future is digital and technology is ever-evolving, so reaching a fully mature level of cybersecurity requires more than a single initiative – a lifecycle approach is essential. To fully embrace the power of digitisation, it’s important to first make sure that cybersecurity is covered from the three angles of people, process and technology. As control systems, networks and other technologies evolve, so too must cybersecurity strategies and tools. Businesses that successfully commit to this can securely and confidently reap the many rewards to be had in the digital and connected future.
About the Author
David Pownal is VP Services at Schneider Electric. Schneider Electric’s purpose is to empower all to make the most of our energy and resources, bridging progress and sustainability for all. We call this Life Is On. Our mission is to be your digital partner for Sustainability and Efficiency.
Featured image: ©Duallogic