Smart Industry: Are manufacturers properly investing in cybersecurity? What are most common missteps?
Doug: It’s all too often that companies can find nearly unlimited funds to respond to a cyberattack; yet in their past they have a history where they’ve limited security investments during times when they could have otherwise invested.
Unfortunately, companies must always make difficult decisions in how, where and when they address cybersecurity risks that can affect their businesses. Industrial companies, especially, face substantial challenges to protect their businesses from evolving cyber-risks that can affect the safety and productivity of their operations. Couple this with pressures companies face to prioritize their security investments alongside their safety, maintenance, repair and operations (MRO) budgets, and it’s no wonder why it takes so long for many companies to drive notable and meaningful changes capable of addressing ever-evolving security risks.
Smart Industry: How has the pandemic changed industrial cybersecurity?
Doug: Few, if any Business Continuity and Disaster Recovery (BC/DR) plans could have accounted for the likes of COVID-19 and its widespread impacts on society. At the outset, its effects led to an immediate need for new and modified working models to keep businesses and their respective OT operations running.
Perhaps the most significant changes industrial companies have had to perfect in real time is the combination of how and where OT tasks are performed.
As is often said, the show must go on. The process of producing goods and providing services is the essential engine of most industrial firms, and as such, most industrial companies now consider secure remote-access solutions into their operations as a core part of their most critical of network and system infrastructure.
In many ways, the OT domain is fortunate that this pandemic arrived now, rather than even a few short years ago. Had remote-access technologies not sufficiently matured and already become entrenched in industry, today, many companies would face an even greater challenge and tougher decisions. They would have had to consider more difficult choices such as whether to put more of their employees at risk, or to further reduce production outputs, or in some cases, even to have to shutter operations if their OT systems were otherwise digitally unreachable.
Smart Industry: What is the overall state of understanding vulnerabilities related to industrial OT environments?
Doug: When it comes to impacts from unintentional security incidents and malicious attacks, it’s quite commonplace for OT teams to instinctively dwell on why something happened, and not always give enough attention to what allowed it to happen. In addition, when analyzed, security weaknesses that affect highly engineered OT systems are sometimes oversimplified and merely considered a result of product, system or technology shortcomings, when more correctly, they always include contributing human-factors too.
Companies that recognize and give appropriate attention to these factors develop more comprehensive and effective OT cybersecurity risk-management programs. Such programs also feature well-balanced investments in technology that is closely linked to personnel education and training, management of company policies, and assurance that security-program processes are being followed and maintained too.
Smart Industry: What is problematic about considering OT a subsystem of larger enterprise IT systems?
Doug: In today’s digitally converged world, the operational-technology domain doesn’t operate as a subsystem to information technology, nor is it subservient to IT. In fact, there is very high interaction and codependence of OT systems with IT/enterprise systems, and vice-versa.
For most companies, OT and IT already share common services and infrastructures, at least in part. This directly lends to an essential and immediate need to consider cybersecurity both from the company enterprise-to-the-plant, and from the plant-to-the-enterprise point of view. Furthermore, companies strive for reliability, efficiency, productivity and profitability as universal objectives, regardless if their enabling digital systems sit on a factory floor or inside their corporate office’s data center.
Still, it’s only natural to categorize systems within a company’s operations by their locations, functions and operational characteristics, whom is held responsible, and even by the levels of associated risk. Yet companies need to recognize more and more that the terms OT and IT are constantly blending as digital and physical borders with company-wide systems shift and overlap.
Smart Industry: What is encouraging to you about the current / near future state of industrial cybersecurity?
Doug: Across industry, companies continue to embrace OT cybersecurity as an important consideration to the design and operation of their systems that make and move things. As such, security continues to gain traction and is delivering tangible positive results to those who embrace investment. Admittedly, there remains a long way to go for some industries and specific companies before cybersecurity for OT is truly an integral and reflexive part of their budget and planning processes; nonetheless success stories continue to be written.
Many companies that started their transformational OT security journey months and years ago are now seeing measurable returns in the form of enhanced operational uptime, resiliency, greater productivity, and even reductions in safety and liability risks to their OT systems. For some, such results were underestimated and even unexpected outcomes—albeit, nice surprises. For others, these returns-on-investment came to them even sooner than originally expected. This is why it’s invaluable for companies to share their security experiences with others, and for others to consider these experience within the context of their own companies.
