Assessing Your Cybersecurity Readiness
Awareness of the need for dependable cybersecurity protections at manufacturing companies of all sizes has, by now, reached most everyone in industry. Separating the leaders and the laggards are distinctions such as the level of cybersecurity protections in place, the strength of related corporate policies and procedures, and the amount of interaction between IT and OT (operations technology) departments.
But, for many companies, the questions they often ask themselves are: Am I secure enough? Should I be doing more? Is it possible to have too much cybersecurity?
To help answer these questions, Automation World connected with Brandon Bohle of Interstates (an industrial system integration company) for a recent episode of the "Automation World Gets Your Questions Answered" podcast series. For this episode, to answer a reader question about how to determine how much cybersecurity protection they really need, we sought Bohle's insights to learn more about what manufacturing companies are largely doing right today around cybersecurity and what areas they should be paying more attention to.
He said manufacturing companies have been coming to grips with how to securely access and support their production machinery remotely, for themselves and the other companies they work with, such as OEMs and system integrators.
Currently, the most common way of doing this is through the use of VPNs (virtual private networks) to cross the firewall that separates the control system environment from the corporate environment. Another method Bohle often sees is the use of a jump server placed in the DMZ (a "demilitarized zone," i.e., a subnetwork containing an organization's outward-facing services) that outside parties are allowed to log into and do all of their work in rather than in the protected areas of the network.
The basics and beyond
Explaining what he considers the basic cybersecurity protections any industrial company should have in place today, Bohle said, "At a minimum, the first thing that you're going to want to do is create some sort of policy to help define what needs to be happening with cybersecurity. This policy creates your direction for how the whole organization needs to flow as it pertains to cybersecurity."
Getting into the technical control aspects, Bohle says to be sure to address the basics, like putting in a firewall to separate your manufacturing network from your business network and installing antivirus protections. He also stresses conducting regular patches (updates) for your systems and doing backups. "Doing those really basic cybersecurity practices is really the most important thing that you need to do today," he said.
But once a company has these basic measures in place, what are the next steps they should take to continually ensure their cyber defenses remain strong?
Bohle admits this question can be tough to answer with specifics, because every organization is going to be different. "But what you can do is look at what your response times are for detecting an incident, responding to an incident, and recovering from an incident. Then, look at what those timeframes are," he said. "If you're not happy with any of those times, work on reducing them."
One way to reduce detection times is to implement an intrusion detection system or anti-malware software, Bohle advised. And if you need to work on your response times, he suggests developing an incident response plan. If you find this difficult to do on your own, numerous companies provide this kind of service. As for reducing your recovery time, Bohle advised reviewing your backup procedures and focusing on targeted improvements to these processes.
Risk assessment
A good approach to cybersecurity often overlaps with good industrial safety practices. One area where this is particularly true is risk assessments. When doing this, Bohle cautions to start at a "very high level. You don't want to get into the weeds too early, because you can spend a lot of time and effort on areas of a risk assessment that, once you get down into it, you realize they may not matter as much in certain areas. So do a really high-level assessment first to understand what really is most important to your organization and then drill down from there into the vulnerabilities."
Bohle advises against breaking down the risk assessment into small pieces. "We find that approach doesn't always work as well because, once you get done with a certain area, people tend to lack the drive to go ahead and finish all the other pieces. So make sure that you're looking at the project as a whole and not as separate, small pieces."
Buy-in
An important aspect of industrial cybersecurity that is often overlooked is the "people" factor. Cybersecurity is not just technology. It requires the support and follow-through of people at every level of your organization.
When you're starting to develop the risk assessment process described above, that's when you need to be getting buy-in from management, Bohle said. This is important because "management's going to be the one footing the bill for all of the time and resources that are going to be used during the risk assessment; so getting management buy-in is important. And it's also going to help when you push the buy-in down the line. If you get good management buy-in, your employees are going to start buying into it as well."
Then, as you start identifying specific areas of risk that need to be addressed, get buy-in from the individuals who work in those areas. This way you're not "surprising somebody out on a line or the owner of a system when you tell them that you're going to be making changes to make the process more secure," he said. "Getting their buy-in at this early stage is going to help drive acceptance of the risk assessment."
As you start implementing changes at the control level, Bohle said you'll want to do organization-wide cybersecurity training. "Train all of your employees about what you're adding and why you're adding it. Also make sure that they know what they have to do specifically, even down to the smallest details. For example, they'll need to know that they'll have to change their email password or they might not be able to access their email on the workstations out on the line."
Common mistakes
Given his experience as a system integrator working with a number of different companies, we asked Bohle about the most common cybersecurity bad practices he happens to see. He admitted that he still sees a lot of cybersecurity missteps being made.
The one he sees most often is a lack of good backup processes. "If you get attacked by ransomware, and you have good backups, in many cases you can just restore systems using the backups and fix the problem to prevent reinfection," Bohle said.
Another issue Bohle sees often is a lack of good change management processes. "If you have good change management, you can understand what changes are being made and you can stop these changes before they're made if you have the right approval process," he said. "It's really all about having a good level of accountability for what's happening within the organization."



