A company cyber risk management program needs to be comprehensive
The flipside of connectivity is the vulnerabilities that come along. How serious is the threat?
We should not underestimate the potential impacts of threats on industries and the control systems that drive their operations. While not every threat is necessarily going to stem from a malicious attacker, the scale, complexity and accessibility of today’s connected control systems already make them more susceptible to risks than they were just a few years ago. Since we cannot turn back time, it is important to acknowledge what has already grown into an unstoppable trend in both the information technology (IT) and operational technology (OT) domains – nearly everything electrical will eventually become digitally connected to a network too. This means we cannot afford to ignore any threats, today or tomorrow, because they are already adding to the growing cyber risks we have to manage to safeguard the systems on which we rely.
How can organisations address the issues of cyber attacks and IT Security in the age of connected plants?
The value and tangible benefits a company and its staff can gain from having greater remote access to monitor, diagnose and manage systems only serve to grow demand for more connectivity in the future. In order to see these results, a company’s cyber risk management program needs to be comprehensive and account for the range of education and training that’s necessary for people in different job roles to be effective at their job tasks. It’s equally important to make sure there are defined and tested processes for how employees will perform under stress. When combined, smart investments in people and processes will lead to more effective security technology decisions.
One major threat comes from growing proliferation of IIoT devices and storage (cloud). How can users deal with such threats?
Everywhere we look, today’s OT systems and their architectures are heading toward a future where more and more devices and systems hold direct Internet connectivity. There is an undeniable growing demand for and reliance on evolving systems to take advantage of remote services and infrastructures for storage, compute and a myriad of active and passive managed services available through these IIoT connections. Some companies consider the expanding edge of their OT domain to be more defensible than what they have in place with their legacy systems. Even though contemporary IIoT and cloud-based architectures are uncovering new threats, in many ways companies can actually enjoy a greater return on security investments than by continuing to limp along with legacy, unmanageable systems that are locked into a past of one or two decades ago. Not every aspect of OT will be necessary or appropriate for an IIoT solution, so even as companies embrace these types of systems, it remains important to carefully consider what is required and why, while also avoiding the tendency to just do something because you can.
A leading cybersecurity player recently demonstrated internal vulnerabilities like USB devices. Are employees adequately trained?
It’s not always just a people problem that leads to security risks and impacts to control systems. However, education and training are undeniably not effective when they are treated by a company or an employee as a one-and-done affair. Ongoing, relevant education that’s backed and delivered by security experts can have a positive effect in helping companies with many areas of risk, while it can also complement a range of other technology and process decisions necessary to help safeguard operations. Just as attackers change their approach over time – yet they are notoriously known to exploit basic, tried-and-true tactics – it is important for company defenders to think the same way too. Training and education that stress the foundations of good security practices and what makes companies and their IT/OT domains susceptible to risk are paramount. Extending this to train people to think like an attacker can be even more effective, since this can have staying power too. When people begin to realise that attackers have the ability to define their own rules, their mindsets often change and they not only become more vigilant, but they also more fully recognise their specific role as a defender and the value they bring to protecting their company’s mission.
Do companies compromise security by their unwillingness to spend, attributing it to risk appetite?
Security maturity and program effectiveness cannot be measured by the amount of risk a company is willing to take, nor how much a company spends on their security program, or lack thereof. If there is a disconnect and difference between how a company’s leadership perceives corporate risk when compared to those responsible for managing IT and OT risks, it often leads to unrealistic corporate budgets that fall short of adequately addressing a company’s actual needs. It can also lead to lower levels of an organisation making unauthorised risk-decisions that should be reserved by upper management. This is precisely why open communication between company management and those responsible for protecting a company’s operational objectives is essential. In addition, open communication and building alignment between the top and bottom of an organisation will only help budgets become more reasonable over time to be effective and agile to counteract risk as it evolves.
Is there an ideal solution that reaches a fine balance?
While there is no ideal solution to align company spend with the ability to counteract every risk, an effective and comprehensive security program will take into consideration a combination of technology matched to educated personnel and established and tested processes. Furthermore, an effective security program will evolve over time and be dynamic enough to flex as situations change, incidents occur, personnel shifts and economic conditions vary. Often, educated and well-trained company security professionals become organisational coaches and leaders to help others in the organisation understand risks, but also be prepared to respond in a way that aligns with company objectives with particular priority on helping to safeguard the company’s employees, customers and all extended stakeholders.
Doug Wylie, CISSP, with over 25 years of experience that spans industry, is a seasoned business practitioner and certified security professional who helps companies meet their objectives to better ensure safe, secure and profitable operations. His efforts have expanded industrial networking and cybersecurity solutions, helped create industry guidelines and best practices, and enabled companies to mitigate security risks that arise as Information Technology (IT) and Operational Technology (OT) systems converge and grow in complexity.