Industrial companies are immersing themselves in the Fourth Industrial Revolution (4IR), and increased automation has brought significant efficiency gains. The same digital transformation, however, gives attackers new opportunities against these companies, especially those that still run, or are still adding, outdated operational technology (OT) in their production infrastructure. Vulnerabilities in, and exposure of, a company's OT environment create cyber risk that can damage product quality and production capacity, harm business reputation, or endanger worker safety and the environment.
OT is often described as the place where cyber meets the physical world. Many manufacturers still run legacy systems installed 30 years ago that were never built with a secure network design, and those environments are now being connected to corporate networks and the internet, which makes them more attractive and more reachable targets. The exposure of OT has increased sharply, and as a result cyber threats are a key risk factor in this 4IR world.
So, what are industrial companies doing to mitigate these risks? Many are examining a set of factors that frame the right questions about OT cyber risk. An external view matters for board and executive reporting. External factors for the board to consider include industry collaboration, the legal and regulatory environment, and third-party and cloud risk.
Companies are often reluctant to share information with each other but, in the OT world, that status quo has to go. Companies do not compete on security as a core function, so rather than withholding information they should learn from one another's experiences. How can this be achieved? Through participation in the sector-specific Information Sharing and Analysis Center (ISAC), an industry forum for sharing threat and incident information so that members can prevent attacks rather than only react to them.
The legal environment is also constantly changing, and companies must stay on top of current rules and regulations. Legal and regulatory requirements deserve particular attention, because a company must understand how those requirements shape its cyber posture and its obligations.
Third-party relationships are a large part of today's business landscape. They provide many important functions to the business model, but they also bring considerable risk. With large amounts of sensitive information stored in the cloud, the company needs confidence in the security of that information and in the controls put in place to prevent leaks. Practices must also be in place to ensure that a mistake by a third party does not put the company's information, or its OT systems, in jeopardy.
Just as important as the external factors are internal ones that cannot be ignored. Without a sound internal understanding of OT and procedures to match, the external view will not matter. Internal factors to be aware of include protection of critical assets, incident readiness, resource allocation, program maturity, and people and culture.
How does a company inventory and protect its critical assets? It is essential to know what those assets are, where they sit on the network, and what measures are in place to protect them from cyberattack. Awareness is half the battle, but preparation is the other half: a company must take deliberate steps to become cyber resilient. By analyzing past breaches and the responses to them, a company can avoid repeating old mistakes. Management must also rehearse cyber events through crisis management exercises so that the response is practiced, not improvised.
Are you allocating resources across detection, prevention, protection, and response? OT vulnerabilities should be patched once discovered but, in OT, a patch often cannot be applied as soon as it is available: it may need vendor validation and a planned outage window. Procedures must therefore exist to decide which vulnerabilities to fix, when, and what compensating controls (such as network segmentation or monitoring) cover the ones that cannot be fixed yet. For resources to be allocated well and assets to be protected, there must be a framework that keeps the company aligned on its cybersecurity strategy. That framework can be built on National Institute of Standards and Technology (NIST) standards or on a maturity model for cyber risk management. Organization is essential in an IT/OT security program.
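The two preceding paragraphs ask how a company inventories its critical assets and decides which OT vulnerabilities to fix and when. The script below is an added example, not code from the original article: it encodes one risk-based triage rule over a small asset inventory. The asset names, zones, criticality scale, zone weights, finding identifiers, scores and thresholds are all constructed for illustration and are not a standard; the point is that the disposition depends on the asset (zone, criticality, exposure, whether it can be patched online) and not only on the vulnerability score, and that an unpatchable safety-zone asset gets a compensating control rather than being left waiting for a window.

```python
"""Risk-based triage of OT vulnerability findings (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str               # hypothetical zones: enterprise, dmz, control, safety
    criticality: int        # 1 (low) .. 5 (production- or safety-critical)
    internet_exposed: bool  # reachable from the internet or a remote-access path
    patchable_online: bool  # False if patching needs a planned outage window


@dataclass(frozen=True)
class Finding:
    finding_id: str   # placeholder identifier, not a real advisory or CVE
    asset: str        # Asset.name this finding applies to
    cvss: float       # base severity score as reported, 0.0 .. 10.0
    exploit_public: bool


# Assumed weights: a flaw in the safety zone matters more than the same flaw in IT.
ZONE_WEIGHT = {"enterprise": 1.0, "dmz": 1.5, "control": 2.0, "safety": 3.0}

# Assumed thresholds for the dispositions below.
URGENT = 60.0
SCHEDULED = 20.0


def priority(asset: Asset, finding: Finding) -> float:
    """Combine severity with the asset's business and safety context."""
    score = finding.cvss * asset.criticality * ZONE_WEIGHT[asset.zone]
    if asset.internet_exposed:
        score *= 2.0        # reachable by attackers without prior foothold
    if finding.exploit_public:
        score *= 1.5        # working exploit already circulating
    return round(score, 1)


def disposition(asset: Asset, finding: Finding) -> str:
    """Decide what to do now, given whether the asset can be patched online."""
    p = priority(asset, finding)
    if p >= URGENT and asset.patchable_online:
        return "patch now"
    if p >= URGENT:
        return "compensating control now; patch at next outage window"
    if p >= SCHEDULED:
        return "patch at next maintenance window"
    return "accept and monitor"


def triage(assets: list[Asset], findings: list[Finding]) -> list[tuple[float, str, str, str]]:
    """Return (priority, finding_id, asset, disposition), highest priority first."""
    inventory = {a.name: a for a in assets}
    rows = []
    for f in findings:
        a = inventory[f.asset]   # KeyError here means the inventory is incomplete
        rows.append((priority(a, f), f.finding_id, a.name, disposition(a, f)))
    return sorted(rows, reverse=True)


# Constructed sample inventory and findings.
SAMPLE_ASSETS = [
    Asset("hmi-01", "control", 4, internet_exposed=False, patchable_online=False),
    Asset("historian-01", "dmz", 3, internet_exposed=True, patchable_online=True),
    Asset("sis-01", "safety", 5, internet_exposed=False, patchable_online=False),
    Asset("eng-ws-01", "enterprise", 2, internet_exposed=False, patchable_online=True),
]
SAMPLE_FINDINGS = [
    Finding("F-1", "historian-01", 9.8, exploit_public=True),
    Finding("F-2", "sis-01", 7.5, exploit_public=False),
    Finding("F-3", "hmi-01", 5.3, exploit_public=False),
    Finding("F-4", "eng-ws-01", 4.0, exploit_public=False),
]


if __name__ == "__main__":
    for p, fid, name, action in triage(SAMPLE_ASSETS, SAMPLE_FINDINGS):
        print(f"{p:6.1f}  {fid:<5} {name:<14} {action}")
```

Note that F-2, with a lower CVSS score than F-1, still lands in the urgent tier because it sits on a safety-zone asset, and because that asset cannot be patched online the output demands a compensating control immediately rather than waiting for the outage window. A real program would replace the constructed weights and thresholds with ones agreed by engineering, operations and security, and would feed the inventory from discovery tooling rather than a hand-written list.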
Above all, people and culture are the foundation of all cybersecurity. Are there controls in place to detect and prevent an insider attack? Training programs must teach employees what to avoid and how to act if an attack occurs, whether it originates inside or outside the company. Adopting recognized industry standards gives employees a shared vocabulary and set of expectations for the risks they face. An IT/OT security program is also needed to keep evolving the culture of security over time.
Overall, a sound OT security program addresses both the internal and the external factors discussed above. An organization's ability to stay aligned and prepared for likely threats is what makes such a program succeed. Preparation matters more than the response itself, because the goal is never to have to invoke the crisis procedure. That said, cyberattacks are a realistic threat in the Fourth Industrial Revolution and can be detrimental to a company's success. Companies and boards should put real emphasis on building a secure OT environment; it is where cyber meets the physical world.