Organizational barriers are the first obstacle to the security of industrial sites. Defining ownership and collaboration between stakeholders is essential to address this.
Share the post:
Manufacturing organisations are becoming increasingly aware of industrial IT security, especially at board level.
The board’s first challenge is to manage the organizational barriers between IT and OT security.
CISO, Factory Manager, Security manager, IT Director, Digital Transformation Director … All these stakeholders can, at different times and depending on their level of responsibility, drive industrial security.
Reorganization, governance and changes to budget allocation are necessary to manage Industrial Security efficiently and with the right level of commitment from a managerial and operational angles.
How can organisations accelerate change and elevate their Industrial Security? A answer maybe defining a leader for the subject in the organisation, with the seniority, mandate, Board sponsorship and budget to bridge the IT and manufacturing business units.
Who is the right candidate for the job?
Different executives may be suitable for the position:
- The Industrial digital transformation manager is a good candidate. This is an increasingly common role, responsible for transforming the company’s production assets, launching digitization and Industry 4.0 projects. Industrial security can therefore legitimately fall within the framework of business transformation projects. Moreover, the budget allocated to the security of these new environments will probably be included in the transformation budget.
- The operational manager is also legitimate to lead the cyber security of factories. This person has the contacts with a number of vendors such as integrators, understands the production environment. security in the context of business continuity and can easily transfer this experience to cyber security. Cybersecurity becomes an integral part of the manufacturing plants’ budget.
- Finally, the IT Director who holds the security of information systems is also on the list of candidates. This person is interested in securing the IT systems from threats coming from OT systems (Operation Technology), and may also already be responsible for mitigating attacks originating from internet access to the manufacturing plant.
The IT Director or CIO, is also an established stakeholder at the heart of the organization’s security concerns
Based on our experience with manufacturing customers from Small and Medium businesses to large multinationals, this role is increasingly being taken over by the IT Director. We see are a few drivers for this:
- The methods for cyber securing industrial systems are similar or the same as for IT. Solutions and vendors may be different, but commonly used approaches including risk analysis, security plan, security audits, etc are the same;
- Equipment to secure industrial plants are not always the same (PCs and laptops vs PLCs). Nevertheless, they are IP equipment accessible through a network. The issues of network segmentation, flow management, amongst others are core IT activities and can be transposed to the OT environment;
- Vulnerabilities, which can be exploited via uncontrolled connections in the OT environment or via infection from USB keys used in the industrial process pose a latent risk. This will increase with the end of the Air Gap. as the industrial environment and IoTs are increasingly connected. In the case of an attack coming from this interconnection or from any computer flaws, the IT Director is accountable;
- The IT Director holds the budget for IT security and can legitimately oversee an increase to manage Industrial Computing Systems.
However, he or she will not be able to meet this challenge alone! Securing industrial computing will require strong collaboration with manufacturing field teams, operational staff, plant managers and security vendors such as integrators, industrial systems players, professional services providers and managed security service providers.
Understanding the industrial process, monitoring industrial security events, deploying security measures… All these activities require close collaboration with the manufacturing business units.
This collaboration is the missing link of any security solutions specifically developed for industrial environments.
The importance of collaboration
OT security solutions such as endpoint protection and incident detection solutions are being developed based on from IT best practices. Hence, they are often difficult to grasp by operational teams. And vice-versa.
For instance, asset detection & mapping solutions in industrial environments will be designed to be comprehensible for automation engineers. He or she will be able to access industrial process and assets diagrams. Ideally, this interface could be used to define tasks that will be configured and monitored by the IT teams.
To facilitate this collaboration, Orange Cyberdefense utilizes a proven methodology based on interviews, group workshops on production processes and security awareness training utilising demos to simulate an industrial cyber attack. This approach, in addition to risk analysis and vulnerability detection methodologies allows for better dialogue and ultimately a joint security project between industrial automation specialists, factory managers, centralized operations and the IT teams. This is the foundation for the effective cybersecurity in industrial environments.
About the blogger
Aymerick Dumas is a product manager at Orange Cyberdefense. He helps customers address industrial and Internet of Things (IoT) security across all risk management lifecycle stages: anticipate, identify, protect, detect and react.