By Tim Grieveson, Chief Information Security Officer, AVEVA
In an age of rapid digitization and always-on connectivity, the industrial landscape has never been more ready for transformation. Post-pandemic, companies have learned radical lessons about how to run and optimize systems in unpredictable operational times. As such, global organizations have been compelled take decisive action by putting technology at the very heart of their business processes. Cybersecurity is a key business differential in ensuring these operations are secure and resilient.
With the rapid and significant need to enable remote work and team collaboration, software solutions like Cloud, Edge and IoT can pave the way for improved business performance and procedures. But with great opportunities also come challenges. As such, more complex industry technology solutions demand a heightened focus on cybersecurity and securely enabling the work-from-anywhere culture.
It’s no accident that the latest forecast from Gartner predicts worldwide spending on information security and risk management technology and services is predicted to grow 12.4 percent to reach $150.4 billion in 2021.
Cybersecurity was the top priority for new spending, with 61 percent of the more than 2,000 CIOs surveyed increasing investment in information security this year, the IT research firm said. Security services including consulting, hardware support, implementation and outsourced services represent the largest category of spending in 2021, at almost $72.5 billion worldwide.
According to global cybersecurity analysts, industrial systems are still not yet sufficiently protected against the new and multi-faceted risks of digital transformation, despite being susceptible to increasing risks for many years. In order to be effective, company cybersecurity policies must proactively and holistically pervade the entire organization. A balance should also be struck between mitigating risks and enabling new business initiatives. What’s more, it’s imperative that companies focus not only on training staff but also on selecting appropriate and best-of-breed technology partners who build security into the ecosystem of how they operate as opposed to charging extra or having security as an add-on.
Key security considerations
Industrial businesses that embrace transformation and have a holistic view of cybersecurity are benefitting from diverse technology ecosystem development, including connected devices, edge control, apps, analytics and cloud services, which are enhancing business performance at an unprecedented pace.
It’s vital that your organization’s approach to security is part of the organizational culture – using components that meet recognized standards and include encryption by default. Security must be integral to the design of any process or operation and fundamentally baked into the services that support the operation of your systems and business objectives.
The tsunami of risks focused on operating technology (OT) ranges from the exposure of intellectual property and lost production systems or data to serious fines and reputational loss.
Cybersecurity is a multi-faceted discipline requiring a proactive approach across the business. For your business to be best prepared against threats, it’s important to consider the following elements:
Ensure you invest in your people by providing relevant and timely security training for staff, contractors and third parties, which not only supports your organization objectives but can be used in personal digital lives too. It’s essential to engage all your employees as active cybersecurity ambassadors by educating them on identification, prioritization and understanding the changing security landscape including dangers of malware, phishing, unofficial USBs and social media oversharing so they can behave and act accordingly.
It’s vital to maintain a unidirectional gateway between IT and OT systems, as well as running continuous vulnerability assessments and installing anti-malware solutions for industrial end points, as well as your corporate and lab environments.
Select vendors that will partner with you to protect critical data and understand your security, legal principles and privacy policies. Determine where and how data will be collected, used and stored. Ensure partners include security as a core component of their service offering as opposed to an optional extra. Ensure they take shared responsibility for good cyber hygiene and are transparent on what they can and cannot do to support your business.
It’s important to build a culture of cross department buy-in across management, IT, security and business operational teams for cybersecurity processes. In addition, you should develop,your cybersecurity program to ensure continual improvement ensuring you build in findings from regular audits and vulnerability assessments to ensure systematic risk burn down and capability improvement.
Ensure you change your IoT device passwords from the factory default; extend your security and password policies to mobile devices; and conduct regular intrusion testing and anomaly detection on all devices. Never assume your devices are safe and always validate and include them in your security assessment strategy.
When considering your cybersecurity needs, choosing the right partner is crucial. Software vendors play a key part in your cyber defence strategy. When considering a cloud or IoT partner, here are some key questions to consider:
Where are their cloud services physically deployed?
Where will my data actually reside?
Where and how will my data be captured, stored and used?
How is your information protected – at rest and in motion?
Does your vendor support unidirectional data transfer?
How does your supplier deal with network outages?
How do they handle authentication, authorization and account management?
What is their approach to identity and access management (IAM)?
Are they using a recognized secure development framework?
What is their response to identification and remediation of known and unknown vulnerabilities?
Continuous monitoring and improvement
Do they have proactive monitoring and active security policies in place?
Can they identify abnormal behavior and catch anomalous activity?
What procedures are there to detect and isolate suspicious activity online?
Do they use threat information derived from monitoring to continually improve security controls and techniques?
Do they have a proactive program of internal and external security audits?
How do they deal with ongoing compliance with regulations, such as GDPR?
Do they have a published security statement that you can read?
When you detect vulnerabilities how do they disclose them and how promptly do they remediate?
How do you vet and train your staff?
Do your staff hold relevant security certifications and experience – and do they share this information with you?
Do your staff use third-parties as part of the service delivery and how do they ensure compliance with your security principles?
By including these basic cyber stages in your security strategy, you will take the first steps towards a complete protection strategy. In today’s world of ever more complex cyber threats, a comprehensive security strategy – covering all the basics – is no less than critical for protecting your digital and physical assets.