The industrial sector is large, complex and heterogeneous. This poses a few challenges for cybersecurity service providers and the industry itself when it comes to security.
Share the post:
The industrial sector is lagging behind other verticals in terms of cybersecurity, based on the numerous audits and consulting projects Orange Cyberdefense has carried out in the past eight years. This is the case across chemicals, utilities, heavy industry and automotive organisations. We could even say that the level of maturity in Industrial Security is similar to where IT security was in the 2000s.
We observe a few common vulnerabilities in our audit and consulting projects in this sector:
- general lack of awareness of the systems inside the factory and their level of connectivity
- poor cyber security hygiene such as lack of antivirus or password-protected terminals
- absence of network segmentation;
- insufficient or non-existent direct remote access controls;
- light, inappropriate or defective levels of security in operational processes
- lack of systematic security patching
Though this picture may seem bleak, it is encouraging that there is strong awareness about security from organisations in the industrial sector . We are clearly starting a phase of cybersecurity implementation in the industry. This is likely to be a long journey because it concerns tens of thousands of sites worldwide, and implicates thousands of interconnected companies, large and small. This is especially important for industrial sites undergoing digital transformation – towards Industry 4.0 – and thus increasingly dependent on connectivity, networks and IT in general.
For greenfield industrial sites, security solutions “by design” are being adopted by equipment vendors and organisations. For existing sites, it will be necessary to step up security. But the main challenge is not to figure out what needs to be done: most of the stakeholders in the cyber security market agree on the actions required, such as:
- raising security awareness by engaging operational teams in this major project;
- undertaking risk analyses to establish priorities;
- mapping ICS environments to know what to protect;
- implementing solutions adapted to the factory specifities and its context. The most common measures remain segmentation of IT/OT, control access to systems and terminals, implementation of patches and software updates and protection of endpoints and servers
- monitoring of security events in the OT environment, to detect known attacks and anomalies in behaviours to catch internal threats and APTs
Though solutions exist and the methodologies are well known, we still have three challenges to overcome.
Challenge # 1: specifities of the sites to be secured
When rolling-out security solutions, having to adapt them to each operational site’s context is a challenge in itself. On the enterprise side, because it must share data with the security services provider, and on the service provider side who will have to adapt solutions for each site, taking into account country-specific regulations and other factors.
For example, carrying out maintenance in a Seveso-classified industrial plant is not a simple process. The provider must observe a number of obligations: specific certifications must be held by consultants, helmets must be worn, difficult access to sites which may require procedures to be reviewed, watching awareness films at the entrance of each site… A project on a logistics site will not generate the same constraints to providers.
Each industrial site has distinctive characteristics and specific service providers and suppliers to take into account. Implementing security solutions requires different procedures, architectures, and stakeholders to be involved at each site.
The local organizational as well as the site’s history must also be taken into account.
All of these points highlight the difficulty of using one single method, solution or provider to address industrial security.
Challenge # 2: Volume
There are tens of thousands of production sites worldwide. From dairy family businesses in Europe to the refineries of major oil companies in the African continent, security issues will be a common concern.
This is a real challenge for all cybersecurity service providers: deploying security services requires specific skills and solutions suitable to different locations across the globe. For cost-effectiveness, we must define a common denominator across sites and “industrialize” solutions and services.
Challenge # 3: Managing Cybersecurity Over Time
A CIO or CISO may define the security strategy, plans and solutions at a given point in time, but if they are not integrated within the operational methods led by OT stakeholders such as AMDEC or HAZOP, the plans may be doomed to circumvention and marginalization in the long-term.
Thus, this work can only be achieved effectively by strongly involving business managers, who may need to adapt the business processes and site security procedures to include cybersecurity. For example, the awareness film played before entry to a SEVESO factory will need to add contents on industrial cyber security hygene, for example testing a USB key for malware before introducing it into a PC or equipment.
We might anticipate that the contracts with the OT maintenance providers will need to take into account cyber accountability. For example if the industrial environment is infected, the maintenance provider whose USB was the infection vector can be held responsible.
These are all challenges that clients and service providers will have to jointly address. Collaboration is essential in a world where resources and expertise are scarcer than needs, and to ensure a risk-based approach for an effective roll-out.
OT = Operationnal Technology
FMECA = Failure mode, effects and criticality analysis
Hazard and operability study
About the blogger
Aymerick Dumas is a product manager at Orange Cyberdefense. He helps customers address industrial and Internet of Things (IoT) security across all risk management lifecycle stages: anticipate, identify, protect, detect and react.