"Cyber security for manufacturing is like an insurance"
- Bireswar Roy, Country Business Unit Head – Customer Services, Digital Industries, Siemens
The new economy is a data-driven economy, and hence, everyone needs to be aware of the security concerns. The concerns include data thefts for financial crimes, data thefts for corporate crimes, cyber-attacks on the company’s IT network or also on the operational technology (manufacturing) network. Going beyond, the risks could extend to deliberate disruption of operations either by physical intervention by perpetrators or by cyber intervention by people with motives to disrupt. So, organisations will necessarily need to have:
Company policies on data access for outsiders, employees, contractors, etc
Risk assessments and drills:
Whether outsiders/visitors have access to restricted areas in a company premises
Slides/videos made for internal usage
Extensive training to employees with regards to the risks and their mitigation
Risk assessments with respect to the manufacturing information pilferage
COVID-19 has dramatically changed the concept of working and getting things done. Remotely accessing one’s assets, troubleshooting, restarting machines, etc are now a necessity. On the contrary, the connected assets immediately open one to the threats of external interference or cyber threats. Organisations need to assess and implement the necessary protection levels to ensure that when their manufacturing assets are connected to the outside world, they do so in a sanitised and protected environment. This means that the approach to security has to be layered. The first and the simplest layer is your people (employees, partners, vendors, etc). This layer can be the most useful and also, the most cost-effective layer of defence. The second layer has to be the IT security layer, which would mean ensuring that your IT systems have the latest firewalls & antivirus, data connections are secure, IT assets are secure, IT networks are safe and IT policies are up to date. The third layer is the Operational Technology (OT) security layer. Here, companies need to have an OT security policy, independent OT networks, OT data security, OT asset security, OT network security, identifying mission critical OT networks and implementing an additional layer of defence to keep them safe and running.
A closer look into the cyber-attacks on the industries shows that hackers have found newer routes to hack into the industries based on IT/OT convergence. Hence, the immediate steps for the industry are to:
Set-up an OT security policy to ensure that all vulnerabilities are patched/managed in the OT environment
Move to more robust, multiple network strategies based on collaboration between IT & OT networks
Implement nested perimeters with network segmentation and individual firewalling for OT networks
Continuously monitor networks for anomalies and have an emergency response team to tackle such anomalies/malicious attacks
Standard secure ecosystem
Cyber security for manufacturing is like an insurance and quality topic; hence, the adoption of cyber security measures must become a competitive advantage within organisations throughout the manufacturing sector rather than a regulation-driven topic. But still, for the ones who risk their operations, the perils affect the entire ecosystem. Hence, a regulatory framework is being adopted in most countries. There is a need for a standard for Indian Industry as well, which should aim at providing a safe operating environment for the manufacturing sector. Industry and government should jointly build an ecosystem based on cyber security standards in which independent auditors would confirm that effective cyber security efforts are in place.
"The shift to remote workers includes shift to remote monitoring"
- Larry O’Brien, Vice President – Research, ARC Advisory Group
Probably the biggest physical cyber security concern is the huge wave of employees that are now working remotely. Many organisations and manufacturing companies are not set up for the volume of remote workers we have right now. This not only applies to desk workers and people in the administrative roles but to operational level people that need access to critical manufacturing and operational level data. This presents an extra requirement for security.
Solutions for remote monitoring
The shift to remote workers also includes a shift to more remote monitoring and remote operation of processes, whether they be in a water treatment plant, gas pipeline, chemical plant or even a smart city application, like intelligent street lighting. Various solutions exist for securing remote access to control systems and production information. These include things like industrial firewalls, unidirectional gateways & data diodes and more. This requires an understanding of the marketplace for industrial cyber security solutions and good security related selection criteria, not just for cyber security products and services but also for control systems, software and related offerings.
IoT-based solutions present their own cyber security challenges. Many IoT and edge platform providers have good cyber security schemes built into their offerings to ensure secure communications and secure connectivity to edge and end devices, but not all suppliers do this, and many end users are finding it a challenge to manage the risks posed by new technologies versus the business value they provide. Following the guidance laid out in standards like IEC 62443 and the NIST Framework is still the best way to ensure security.
Securing the approach
There are very few laws or regulations that exist in any country to ensure an acceptable level of cyber security in the manufacturing or critical infrastructure segments. Here, in the US, we have NERC-CIP, which applies to the power industry, but I do not think the regulatory environment is going to change anytime soon. Legislators tend to have a poor understanding of cybersecurity overall and certainly are no experts when it comes to the unique requirements of manufacturing. Most of the efforts undertaken by the industry are voluntary. In the future, banks, credit rating firms and insurance companies will most likely employ their own ratings systems for industry sectors and individual companies to measure acceptable levels of cyber security and risk management. We are already witnessing this with the recent initiative by Moody’s and Team8 to establish a standard methodology for measuring the strength of a company’s approach to cyber security.
"Not only ransomwares but human attackers can also cause disruptions"
- Prashant Phatak, Founder & CEO, Valency Networks
What we typically see in the manufacturing sector is the lack of awareness when it comes to the physical aspect of data elements. Even today, a great amount of data is in physical form, such as printouts and document piles, which needs to be protected mainly from the prying eyes of attackers who are interested in stealing those. Strict controls, such as physically frisking at the front gate, CCTV camera systems and random checks, are key implementations to be adopted. Besides the confidentiality of these documents, the environmental controls, such as protection from fire and spillage, must be considered, too, because it is generally forgotten that these problems fall under information security.
Security changes due to virus
COVID-19 is making people paranoid about their own health for the righteous reasons; however, the companies are forgetting that a work from home policy needs to be designed carefully, followed by a Bring Your Own Device (BYOD) policy. The information security posture has changed in a sense that now the staff can be targeted while they are at home via a phishing or vishing attack. At the same time, the IT management of a company needs to be wary of the potential attacks on the company’s network infrastructure, while the staff is not around. To address these issues, first a detailed process audit and network audit need to be performed and a cyber security expert needs to be consulted to control the risks.
In my opinion, IoT security is still not understood properly. It’s not only ransomware that can cause a disruption but also human attackers. Companies seem to be less aware of these challenges, and hence, should look into the security design audit of IoT infrastructure first, followed by a detailed vulnerability assessment. Holistically, companies should invest in an end-to-end approach from a cyber security standpoint, as opposed to addressing only a part of it. A management’s mindset that cyber security is not about products but about customised solutions is a key to success.
Strengthening laws of security
As we saw lately, practically every piece of data has some value and hence, it can be stolen. Although the government is addressing information security issues, the width and depth of it is inadequate and also, the pace is slow. Instead of focusing only on the aftermath, a set of strict policies pertaining to various industry sectors is required to be created and imposed. Data privacy of users, patients and citizens in general, is very critical and hence, some quick standard set of rules backed by law is a need of the hour. An apt way to achieve that would be a law that protects the industries as well as individuals from information security, cyber security and data privacy attacks.
"Build proactive security framework based on next-generation technologies"
- Rajarshi Dhar, Senior Industry Analyst, Digital Transformation Practice, Frost & Sullivan
Modern cyber-attacks include data breaches, Industrial Internet of Things (IIoT) attacks, IP theft, attacks on Industrial Control Systems (ICS)/SCADA systems, connected products and more. Manufacturers need to make sure that not only are their sensors, smart products and mobile applications being protected but also their confidential financial data, customer information, blueprints of future projects and patents that have a direct impact on the company's brand image. IT security is still considered a secondary priority by many manufacturers, which is reflected in the limited security budget allocations. Lack of availability of skilled security analysts round the clock to maintain information security remains one of the major concerns for manufacturing companies.
Securing discrete architecture
COVID-19 has highlighted several drawbacks in the existing cyber security set-up, including lack of automation. During a scenario like COVID-19, using Robotics Process Automation (RPA) and Software-Defined Security (SDS) architectures, manufacturers can minimise manual interventions, thereby reducing the need for a large number of security specialists and threat hunters. As manufacturing units are dispersed and discrete, there is a need for a unified security architecture where security teams have increased visibility across the entire IT infrastructure through a single pane of glass. For employees working from home or connecting from remote locations, solutions like secured VPN, endpoint security and e-mail security would help secure digital assets from eavesdropping, ransomware attacks and phishing attacks. Security concepts, like Zero Trust Security, are expected to be highly beneficial in today’s context, where proactive security is about threat identification, protection, detection, response, recovery and prediction.
The typical IIoT security threats include device hijacking, Distributed Denial of Service (DDoS) attacks, Permanent Denial of Service (PDoS) attacks, and Man-in-the-Middle (MITM) attacks. To secure IIoT devices from these advanced threats, manufacturing companies need to build the right defence system. The first step is to outline the various types of IIoT security threats, the characteristics of attacks, the assets to protect and the prioritisation of risks. Manufacturers then need to identify the list of vulnerable devices and establish access policies for them. Advanced technologies, like voice recognition, biometric and iris scan, should be used in addition to securing access with password management. Any suspicious activity should be flagged off immediately for further scrutiny. Finally, manufacturers should focus on using specialised IoT security solutions that are meant for handling huge volumes of high-velocity data, capable of pinpointing the most devastating threats and minimising false positives.
Proactive central security framework
Manufacturers need to build a proactive security framework. The architecture should be based on next-generation technologies that can address unknown threats. While companies increase their focus on adopting best-in-class solutions, governments should formulate laws that advise manufacturing firms on best practices when it comes to security. Regulatory bodies should come up with industry mandates for manufacturing units and critical infrastructure that include setting up a mandatory Security Operations Center (SOC), conducting regular Vulnerability Assessment/Penetration Testing (VA/PT) and end-to-end product assessment, preparing incident response plans and creating an internal ecosystem of skilled resources capable of handling advanced attacks.
"Have a holistic approach to address security activities"
- Shinto Joseph, Director – SEA Operations, LDRA
Manufacturing companies have a lot to consider when it comes to physical security. Apart from IoT & data theft, every day there seems to be yet another organisation falling victim to cyber-attacks. Security budget allocation is even tougher given the current pandemic situation. With more cyber security breaches happening, the manufacturers shouldn’t focus on one practice alone, eg, putting an antivirus. Adoption of modern security practices goes beyond the traditional perimeter security approach. Training employees on protocols and procedures will produce better results, as they are the most important stakeholder in the line of defence.
Setting priority on security
In this cat and mouse game, awareness and round the clock alertness are the key, backed with the right tools and practices. Identifying goals and setting standards for policies, processes and procedures of security is a priority. Finally, look for gaps in the existing strategy and work on implementing new solutions. Taking expert audit help as well as building in-house competencies can go hand-in-hand.
Establishing global safety norms
Ideally, we should have a holistic approach where we address security at IT, OT and IoT level so that the entire set of activities is addressed. Most of the time, manufacturers prefer immediately available solutions from the market or retrofit newer cyber security practices in a legacy system. This remains just a stop-gap arrangement, as the threats and the points of vulnerability are always on the rise. The trust deficit between countries is increasing day-by-day. It is high time that countries come together and form the right standards for security and enforce them globally, similar to what happened globally for safety practices. In India, we have a cultural issue also which needs immediate attention. Traditionally, we are not that serious about following safety and security practices on the ground, which means the need of the hour is a joint action by the government and the industry.