The dawn of industrial cyber security - not the dusk
The dawn of industrial cyber security - not the dusk
In a recent customer event, Honeywell shared a wide-screen image of the sun across a water line on the horizon. The audience was asked, “is this a sunset, or a sunrise?” With primarily industrial cyber-security professionals in the room, at first everyone was hesitant to answer (many introverts, and many non-English speakers). But with a bit of prodding, the room ended up with a raise of hands, and in fact, the view was somewhat split.

The point of the exercise was to warm up technical teams to the idea of viewing industrial cyber-security differently. Traditionally, the industry has portrayed a heavy focus on the negative. The “sun is setting,” so to speak, as the world falls apart due to cyber-adversaries. In fact, cyber-threats are real, and have markedly changed in recent years. Yet, when considered in context, we could view our world of machines and code far differently, and think about industrial cyber-security as in its early beginnings. With a different line of thinking, both industrial engineers and business leaders of industrial companies may start to develop new ways of introducing brilliant innovations while still limiting risks.

Let me first differentiate between traditional information technology (IT) networks, and those networks protecting turbines, electric grids and other operational assets. In recent years, the term operational technology (OT) has been introduced, and with it, OT cyber security. The Process Control Networks (PCNs) that make up the OT space have defining characteristics that are significantly different than IT. Most notably, their requirements for availability are far more critical, in that a 1500-degree furnace requires a distinct set of time to safely shut down and can't simply endure a reboot as some IT servers can. Hackers in a German steel mill exploited this characteristic in one of the few published cyber-physical attacks we have seen. 

Similarly, the types of equipment traditionally part of PCNs are not changed out rapidly, and may stay in service for decades. Contrast this with IT networks, where some companies upgrade infrastructure every year. Equipment across PCNs was never designed for high levels of connectivity, and certainly not for rapid and frequent software updates. As we saw with the WannaCry cyber-attack - which impacted industrials including energy, construction and shipping companies - old vulnerabilities in software can still be exploited years later.

Considering this unique OT world to date, much of the approach to risk reduction across industrials has focused more on physical safety rather than on cyber-security. Personnel were taught where in the plant they were allowed to enter, or not. Processes for maintenance included reviewing safety manuals and wearing appropriate gear. Technologies of the time were built with physical emergency switches and safety gauges.

Viewed with this lens, interestingly, industrials actually have been implementing known best practices across people, process, and technology. They were simply implementing based on the risks associated with their times -plant visitors disrupting a cable or machine, maintenance personnel incorrectly “fixing” an asset, or machine malfunctions or mechanical part deterioration somehow occurring undetected.

Today and moving forward, the risk of our times is digital in nature. It comes through knowing a specific technical protocol like ModBus and manipulating it to control an asset. Or obfuscating digital machine readings so operators are blind to equipment that might be surpassing safety thresholds.

Approximately 64 percent of industrial companies recently surveyed have started a digital initiative or IIOT, or plan to within the next year. Yet very few have adopted the corresponding levels of security, whether related to people, process, or technology. About half of the industrial companies surveyed don't have accountable cyber-security leaders at the manufacturing plant level (51 percent) or enterprise level (45 percent), and only 37 percent of plants are monitoring for suspicious behaviour. 

We are still at the early stages of industrial cyber-security compared to the maturity of its safety programmes, and compared to how many digital industrial innovations are yet to come. Now is the time to address the different types and levels of risk, and plan security in from the outset. People, process, and technology are still at the core of industrial cyber-security best practices, and these are exactly the aspects of business that digital transformation will overhaul anyway. Pair security with your multi-year initiatives now so that counter-measures are built in every step of the way. Seen from this perspective, the sun is just about rising for industrial cyber-security, not setting.

Contributed by Shmulik Aran, Nextnine global business leader, Honeywell Process Solutions

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media