Awareness of the need for dependable cybersecurity protections at manufacturing companies of all sizes has, by now, reached most everyone in industry. Separating the leaders and the laggards are distinctions such as the level of cybersecurity protections in place, the strength of related corporate policies and procedures, and the amount of interaction between IT and OT (operations technology) departments.
But, for many companies, the questions they often ask themselves are: Am I secure enough? Should I be doing more? Is it possible to have too much cybersecurity?
To help answer these questions, Automation World connected with Brandon Bohle of Interstates (an industrial system integration company) for a recent episode of the “Automation World Gets Your Questions Answered” podcast series. For this episode, to answer a reader question about how to determine how much cybersecurity protection they really need, we sought Bohle’s insights to learn more about what manufacturing companies are largely doing right today around cybersecurity and what areas they should be paying more attention to.
As we began our discussion, Bohle noted that a lot has changed on the industrial cybersecurity front since the emergence of COVID-19. “Once COVID-19 hit and organizations decided that they were going to start sending their employees to work from home, they've actually had to move forward and start implementing remote access policies. A lot of organizations had decided or been in the talks of doing something like this, but this forced their hand to do it.”
He said manufacturing companies have been coming to grips with how to securely access and support their production machinery remotely—for themselves and the other companies they work with, such as OEMs and system integrators.
Currently, the most common way of doing this is through the use of VPNs (virtual private networks) to cross the firewall that separates the control system environment from the corporate environment. Another method Bohle often sees is the use of a jump server placed in the DMZ (a “demilitarized zone,” i.e., a subnetwork containing an organization's outward-facing services) that outside parties are allowed to log into and do all of their work in rather than in the protected areas of the network.
The basics and beyond
Explaining what he considers the basic cybersecurity protections any industrial company should have in place today, Bohle said, “At a minimum, the first thing that you're going to want to do is create some sort of policy to help define what needs to be happening with cybersecurity. This policy creates your direction for how the whole organization needs to flow as it pertains to cybersecurity.”
Getting into the technical control aspects, Bohle says to be sure to address the basics, like putting in a firewall to separate your manufacturing network from your business network and installing antivirus protections. He also stresses regularly patching (updating) your systems and doing backups. “Doing those really basic cybersecurity practices is really the most important thing that you need to do today,” he said.
But once a company has these basic measures in place, what are the next steps they should take to continually ensure their cyber defenses remain strong?
Bohle admits this question can be tough to answer with specifics, because every organization is going to be different. “But what you can do is look at what your response times are for detecting an incident, responding to an incident, and recovering from an incident. Then, look at what those timeframes are,” he said. “If you're not happy with any of those times, work on reducing them.”
One way to reduce detection times is to implement an intrusion detection system or anti-malware software, Bohle advised. And if you need to work on your response times, he suggests developing an incident response plan. If you find this difficult to do on your own, numerous companies provide this kind of service. As for reducing your recovery time, Bohle advised reviewing your backup procedures and focusing on targeted improvements to these processes.
A good approach to cybersecurity often overlaps with good industrial safety practices. One area where this is particularly true is risk assessments. When doing this, Bohle cautions to start at a “very high level. You don't want to get into the weeds too early, because you can spend a lot of time and effort on areas of a risk assessment that, once you get down into it, you realize they may not matter as much in certain areas. So do a really high-level assessment first to understand what really is most important to your organization and then drill down from there into the vulnerabilities.”
Bohle advises against breaking down the risk assessment into small pieces. “We find that approach doesn't always work as well because, once you get done with a certain area, people tend to lack the drive to go ahead and finish all the other pieces. So make sure that you’re looking at the project as a whole and not as separate, small pieces.”
An important aspect of industrial cybersecurity that is often overlooked is the “people” factor. Cybersecurity is not just technology. It requires the support and follow-through of people at every level of your organization.
When you’re starting to develop the risk assessment process described above, that’s when you need to be getting buy-in from management, Bohle said. This is important because “management's going to be the one footing the bill for all of the time and resources that are going to be used during the risk assessment; so getting management buy-in is important. And it’s also going to help when you push the buy-in down the line. If you get good management buy-in, your employees are going to start buying into it as well.”
Then, as you start identifying specific areas of risk that need to be addressed, get buy-in from the individuals who work in those areas. This way you're not “surprising somebody out on a line or the owner of a system when you tell them that you’re going to be making changes to make the process more secure,” he said. “Getting their buy-in at this early stage is going to help drive acceptance of the risk assessment.”
As you start implementing changes at the control level, Bohle said you’ll want to do organization-wide cybersecurity training. “Train all of your employees about what you're adding and why you’re adding it. Also make sure that they know what they have to do specifically—even down to the smallest details. For example, they’ll need to know that they’ll have to change their email password or they might not be able to access their email on the workstations out on the line.”
Given his experience as a system integrator working with a number of different companies, we asked Bohle about the most common cybersecurity bad practices he happens to see. He admitted that he still sees a lot of cybersecurity missteps being made.
The one he sees most often is a lack of good backup processes. “If you get attacked by ransomware, and you have good backups, in many cases you can just restore systems using the backups and fix the problem to prevent reinfection,” Bohle said.
Another issue Bohle sees often is a lack of good change management processes. “If you have good change management, you can understand what changes are being made and you can stop these changes before they're made if you have the right approval process,” he said. “It’s really all about having a good level of accountability for what's happening within the organization.”