By Marty Israels, Honeywell Industrial Cyber Security
Today and moving forward, the risk of our times is digital in nature. It comes through knowing a specific technical protocol like Modbus and manipulating it to control an asset. Or obfuscating digital-machine readings so operators are blind to equipment that might be surpassing safety thresholds. As the World Economic Forum recently reported, cyberattack represents the third highest risk facing the entire world in 2018.
Approximately 64% of industrial companies recently surveyed have started a digital or Industrial Internet of Things (IIoT) initiative, or plan to within the next year, according to LNS Research. Yet very few have adopted the corresponding levels of security, whether related to people, process, or technology. Half don’t have accountable cybersecurity leaders at the manufacturing plant level (51%) or enterprise level (45%), and only 37% of plants are monitoring for suspicious behavior.
We are still at the early stages of industrial cybersecurity relative to how quickly the threat landscape has evolved. As we all know, however, once we have experienced the compelling benefits of new computing and communications technology—like a 20% reduction in unit downtime or a 13% drop in maintenance costs thanks to digitally connected plants—there is no going back.
Lessons from the past
So how do we move forward? One way is to identify what has worked in the past, and adapt those lessons learned for the future. Safety programs for industry are an interesting parallel, exposing some perils and victories that could be similar for today’s industrial cybersecurity leaders.
In 1931, for example, when construction of New York’s Empire State Building was completed, worker safety was in its infancy. While water carts and food were supplied at every floor for 3,500 workers, photos remind us that safety procedures were not so routine. Workers did have protective gloves—but dangled precariously on beam edges and cables without harnesses or hard hats. Eventually, the skyscraper earned the “world’s tallest building” accolade, and all 102 stories were built in merely 13 months.
Those pioneering industrialists pushed ahead despite the risks, and without really understanding how to institute safety measures relative to risk. (Why water for workers, but not harnesses?) It was nearly 40 years later, in 1970, when the U.S. Congress established worker-safety and health-hazard requirements in the form of the Occupational Safety and Health Administration.
Sure enough, many visionary industrial leaders were already far ahead of that standard, competitively touting worker-safety records to win new bids. Others less prepared, however, had to embark on expensive and time-consuming safety catch-up measures, losing business, as well as the ability to attract top talent along the way. (Who wants to apply for the Dangling Steel Welder position?)
Today, as digital connectivity transforms industry, we are excited by similar technological achievements, measured more by real business outcomes than number of stories or physical height. We know it’s now possible to increase gasoline production by 8%, or reach full asset capacity in six months instead of in years. It’s possible by connecting industrial systems from edge to enterprise, and turning data into actionable insight to improve the bottom line. Leading companies, from Honeywell to oil & gas supermajors, are focusing on security built into IIoT as a fundamental requirement, not as a bolt-on afterthought.
Where we differ from history, however, is having readily available information and guidance about industrial cybersecurity risk and how to reduce it, as we unlock massive new digital benefits. Experts have already developed industrial cybersecurity maturity models, and mapped out how to develop and run programs that realize risk-reduction goals.
Secure as you modernize
Perhaps most exciting is that forward-thinking industrials are drawing from guidance (such as defense-in-depth recommendations from the U.S. Department of Homeland Security’s ICS-CERT) to layer in security measures as they modernize. Rather than standing on its own, security is part and parcel of the next industrial transformation.
For example, power companies that are consolidating control rooms to save on costs are implementing secure remote-access technologies as they centralize, enabling technicians to safely access remote plant locations through one secure connection. Pulp and paper companies short on industrial cybersecurity staff are drawing up new partnership contracts with equipment vendors to provide the right security skillsets as a service. Already, the foreseeable risks are being offset by people, process and technology security measures.
We have the unique opportunity to keep security on pace with digital innovation. Just as worker-safety needs changed when we sent humans 102 stories up, industrial cybersecurity will keep evolving as we send terabytes of data across plants and remotely adjust 1,000°F furnaces. New cybersecurity standards, methods and technologies are being built into the fabric of the IIoT, and equipment will use new design requirements that address digital-plant protection.
Of course, there are many subtleties and differences as we draw any parallels to history. But if you’re reading this in the year 2018 and you’re involved in the creation of a smarter industry, you can’t miss this generation’s leadership opportunity—where and how can you build industrial cybersecurity measures into your transformation? Or will you choose to leave your company dangling from rooftops?