2017 saw a handful of cyber-attacks specifically targeting industrial control systems, yet many manufacturing organisations still view cyber security with a sense of complacency.
In the UK, currently, there is no legal obligation to declare that your business has fallen victim to a cyber-attack. That represents a significant problem when it comes to how seriously executives view cyber security, making it all too easy for leaders to downplay the risks.
There was no significant increase in the amount of cyber-attacks made during 2017, nor over the past three prior to that, according to Mark McCormick, an industrial IT security engineering consultant at Siemens UK, but that doesn’t mean they aren’t happening.
“There have been isolated incidents within the manufacturing sector, but no major attack has been reported by the mainstream media. That adds to the illusion that there is lots of talk, but nothing really taking place,” McCormick explains.
“If there isn’t a sense of perceived risk, it’s unlikely that any preventative action will be taken to tackle the issue. I still encounter the opinion that, ‘It won’t happen to my business, so why put resources into it’.”
Work with risk
Attitudes are changing, however, with more and more manufacturing businesses seeking expert help to provide comprehensive Threat Risk Assessments, particularly of their industrial control systems.
This helps leaders to understand how much of a target their organisation and data is, where the risks lie, and the corporate cyber security strategy they should adopt.
“Without such guidance, a business can easily invest a lot of time and resource into shoring up protection in the wrong areas, or even the right area but leave openings elsewhere,” McCormick notes. “Executives can work with risk, they can’t work with an unknown.
“The key is to be absolutely aware of your organisation’s infrastructure – every location, asset, node, connectivity portal and operative, as well as more basic things like email and communication protocols.
“Everything needs to be viewed as unknown and untrusted, rather than assuming everything inside your organisation is simply ‘trusted by default’.”
Industrial Internet of Things
Regardless of how complex or simple your network is, if your devices are communicating with each other and an on-premise or remote, cloud-based platform, then information is going to flow between them via the internet.
That exchange still represents a genuine source of concern for many organisations and prohibits them from realising the considerable benefits that smart, connected production offers.
These concerns place an onus on technology providers to better educate the sector and provide executives with greater trust and confidence. It’s also about equipping leaders with the right questions to ask, adds McCormick, such as:
- What level of connectivity is right/relevant for my organisation?
- What protocols, encryption technologies and authentication methods are used?
- What vulnerabilities does the system or device have, and where are they?
- Is there the ability to upgrade or patch the firmware?
- What end-to-end security does the system or device offer?
- Are we comfortable installing and adopting this system or device?
Information flow
One of the most beneficial steps manufacturers can take, according to McCormick, is to break down entrenched business siloes, particularly those which separate IT from the rest of the organisation.
“Information has to flow freely though an organisation in order to become as efficient and productive as possible, as well as offer a superior customer experience,” he says. “Blurring the line between information technology (IT) and operational technology (OT) can create genuine competitive advantage.
“The automotive sector is an excellent example of exactly that in action. Automotive plants require very high availability so production lines are precisely monitored to ensure throughput and output, and automotive engineering teams receive a lot of assistance from IT. That level of knowledge sharing doesn’t necessarily happen to such a degree across other sectors.”
Mindsphere can change that. Mindsphere is Siemens’ cloud-based, open Internet of Things (IoT) platform that connects physical assets to the digital world, and enables powerful industry applications and digital services, such as preventative maintenance, energy data management and asset optimisation.
It offers the secure connection of assets, enterprise applications and legacy databases with hardware or software connectivity solutions, enabling you to run data analytics and make smarter, faster decisions.
Learn more about how Mindsphere can help your company create a secure cyber environment in which to exploit the full potential of data and connectivity here.
Mark McCormick offers further insights into how manufacturers can create a secure IT environment in this video, where he discusses how IoT is reshaping the industrial cyber security landscape, and advises how managers can ensure their teams are fully security conscious.