Our readers will be aware of numerous hacking attacks which have been in the news lately.  How do you keep your plant up and running while protecting your company from a cyber threat? I recently read an article by Charles Blackbeard, Business Development Manager, ABB Ability Digital Solutions who has solid advice on some practical steps to take. For the benefit of our members and readers, we’re highlighting an excerpt of his article below.  

“If you own a car, a house, or a boat — just about any ‘big ticket’ item that would be expensive to replace — you protect that asset with insurance. However, when it comes to control system cyber security, this thinking is often not applied. Cyber experts are still struggling to convince senior management to spend money to protect their control system assets,” says Charles. 

Why do companies not invest in cyber security? Partly, it is due to the issue of convincing companies to spend money on something that has no measurable return on investment (ROI). Of course, everyone knows cyber security is important and falls into the general category of risk management.

Common malware

Control system owners do deploy cyber and security solutions as they are aware of the problem and take actions to avoid risks. However, many in the industrial world are still too focused on the big attack or hack, when the more likely risk is common malware that impacts a control system because it is running older, unprotected, and unpatched operating systems.

This risk exists even if the system is ‘air-gapped’ from the business’s network. People often introduce data and software from removable media such as USB drives, exposing their systems to the potential for viruses along the way. As these air-gapped systems become more interconnected to enable integration with business applications, they become increasingly exposed to the internet.

This vulnerability occurs because there is a fundamental disconnect in securing operational technology (OT) versus information technology (IT). As OT becomes more exposed to the internet, it faces the same cyber security threats as any other networked system. As operators have adopted the same hardware, software, networking protocols and operating systems that run and connect everyday business technologies, such as servers, PCs, and networking equipment.

Getting up to cyber speed

When thinking about how to get started to fortify your Cyber Security profile, do not just look for some new technology that claims to mitigate all your risks — it does not exist. Doing the basics well before investing in advanced cyber technologies is the key. To minimise your risks and get the most protection in the least time, you first need to plan and develop a cyber security programme that:

  1. Identifies what assets you are trying to protect
  2. Determines how you are going to protect those assets
  3. Enables intrusion detection and monitoring
  4. Defines incident response processes and procedures
  5. Verifies mechanisms to restore and recover assets
  6. Ensures compliance with all regulatory standards set by local governing bodies

These six steps follow well-trodden ground. All cyber security best practices frameworks can be distilled into these basic steps: identify, protect, detect, respond, recover, and comply. Understanding and managing the risks associated with a cyber attack and then protecting against these or mitigating the consequences can seem a daunting prospect, especially when this needs to be done in conjunction with the day job of keep a plant up and running. But it is being done successfully.

Case studies:

Understanding and managing the risks associated with a cyber attack and then protecting against these or mitigating the consequences can seem a daunting prospect, especially when this needs to be done in conjunction with keeping a plant up and running. The adage of it’s a journey not a destination is very true when it comes to OT cyber security but companies can embark on this journey in small ‘bite-sized’ steps.

www.abb.com 
www.saimeche.org.za

Leave a Reply

Your email address will not be published. Required fields are marked *