Why?

Why is OT Cybersecurity important and why do you need to do something?

Industrial Automation is going through a fast-moving evolving period and nowadays the use of Commercial Off-the-shelf (COTS) computer systems (hardware and software), industrial networks, Edge- and Cloud applications to reduce cost, optimise production to increase the speed to react to operational upsets, allow for production quality improvements, improve uptime and availability and, last but not the least, improve Process Safety. The latest technology is called IIoT (Industrial Internet of Things) and Industry 4.0 and are recognised to be the next big step in industry that will lead us into the next level of Industrial Automation by introducing smartness and is embraced by many enterprises because of its advantages.

However, unfortunately this new technology, such as Industry 4.0 also creates a huge disadvantage that is called the OT Cybersecurity threat. Special software, such as malware, ransomware and other hacking software, has been developed by malicious people to attack systems, databases and other private and governmental networks to steal information, to corrupt information, to hurt networks or to create physical destruction. In the hands of aggressive countries, cyber terrorists, cyber criminals and smart kids this could be a weapon that could disrupts our world of smart computing and our smart plants.

The trend of the cyber threats is growing exponential over time and combined with the increase of applying systems to support Industry 4.0, the likelihood of being a victim of a cyber threat also increases exponentially over time. Even when Industry 4.0 is not applied, the increase in cyber threats is significant and requires action, because of the open protocols and open systems used.

The knowledge in most private companies about Cyber-attacks, malware and cybercrime, mitigation projects and the use of security robust systems, networks and processes are lacking behind compared to what’s feasible today. Most companies only want to take advantage of Industry 4.0 and don’t realise that they create a huge vulnerability of becoming the next victim of a Cyber-attack.

Not only the industry is lacking behind in knowledge, also most of the Manufacturers and Vendors of Industrial Systems are slowly improving their products. Only the large brands of IACS Vendors have an OT Cybersecurity department and react in a proactive manner to the new threats and subsequent requirements.

Legislation and Standardisation is also lacking behind, mainly because of the speed of change. Globally new laws are issued and for instance in the Netherlands the Wbni and in the UK the standards created by UK NCSC, as a reaction to the European NIS Directive, are now mandatory and new standards (e.g. IEC-62443 series) are being developed and issued at this moment.

The industry wants to use the new technology tomorrow but most enterprises are not ready. The management of most End-Users are in great need to be trained and their companies require a new organisation to handle OT Cybersecurity in an operational and safe environment.

The TAPS Training will create knowledge for OT Cybersecurity Engineers and will prepare the staff to start a structured OT Cybersecurity project. This training will not create specialists (skills level and mastery) in certain areas. To create skilled staff the person will need to demonstrate that certain work can be completed successfully and this training is just classroom training and a test at the end to prove understanding.

In this TAPS approach ‘A detailed Framework on the steps to make to implement a Security Program in an industrial plant (OT)’ first 12-basic requirement steps are described to ‘a simple approach’ to secure the End-Users’ Process Control Domain (OT). Most industries, when they can afford it, should continue with the next level of mitigation, as described in this report and training, being a ‘Cost & Impact Effective’ Security Program and should consider the implementation of 37 mitigating actions. These actions should be ranked and should be considered to be implemented using a Risk Assessment.

Depending on the type of industry and the attractiveness of the industry sector, hackers in the past would focus on the End-Users’ company or not. Banking and Governments were the number one victim, because of possible money that could be obtained or for espionage reasons. But with cyber criminals who are only interested to force companies to pay, any company could be a victim now. End-Users cannot say anymore that their industry is not attractive.

Most companies don’t have a supporting organisation and have an OT-Cybersecurity programme in progress and are very vulnerable to the next Cyber-attack. So, what would be the chance that you are impacted by Malware or a Cyber-attack?

It is evident that companies should not only invest in Industry 4.0 only, but also at the same time have to invest in protection and resilience of OT Cybersecurity.

An OT Cybersecurity program is complex and expensive. The cost of a program varies from a few tens of thousands of Euros to several millions of Euros, depending on the size of the company and the level of desired protection. But beyond questions is, that more will need to be done and more should be invested in OT Cybersecurity.

Every house needs a lock on its door, otherwise one day your house will be empty! But also the windows should be closed.

So, we can be conclusive and state that the very first next steps management should take are:

  • Select a responsible person, i.e. an OCO (OT Cybersecurity Officer) or change the role of the CISO
  • Release an initial budget to get started
  • Management will need training, as well as essential staff
  • Set goals and targets to become more resilient to Cyberattacks and define success

Statistics, trends and past experience (successful attacks) has taught us that the Cybersecurity threat is real, can hit organisations hard and a list of evidence can be provided. Within process automation the risk concerning the OT Cyberattacks is now rated as the highest threat that the industry is facing. Every company should have a Cybersecurity plan and should live up to it. Cybersecurity is here to stay and doesn’t go away by itself.

Ted Angevaare,

November 2019

.

Below is a link to a document that can be used to justify the start or continuation of an OT Cybersecurity project in your company. The document can be downloaded free of charge.