Addressing the Plant Floor Security Challenge

As the lines have blurred between operations technology (OT) and its enterprise sibling, information technology (IT), new vulnerabilities to industrial operations have arisen. One of the biggest immutable risks is associated with people. To be more precise, this risk involves the mindset of leaders, engineers, plant operators and technicians, and shopfloor workers.  

As a whole, cybersecurity is high on leaders’ agenda. In Accenture’s recent cyber-resilient CEO research, 98% of industrial CEOs said they understood the importance of cybersecurity and acknowledged it as a key business enabler.   

But some of our findings give me pause: 55% of CEOs are concerned about their organization's ability to avert or minimize damage to the business from a cyberattack. In other words, less than half believe they are in a safe spot. Meanwhile, only 28% admit they have deep knowledge of the evolving cyber threat landscape. And 42% don't view cybersecurity as a strategic matter that requires ongoing attention. 

This is why there is much more work to be done.  

Adapting the focus

While employees in office jobs often have secure behavior drilled into them by the firm's IT department, we see much less rigor where shopfloor workers are concerned. For example, sticky notes with passwords on monitors are much more prevalent in factory environments. At times, even outside service and maintenance personnel may have free reign to go anywhere and do almost anything. 

We also know of industrial operations that continue to rely on digital and cyber-physical equipment that reached the end of its nominal lifecycle many years ago. These systems continue to operate even though creative engineers and maintenance technicians face a lack of replacements. 

So when an organization's spare parts inventory can no longer provide the replacement needed, what do the organization's engineers do? They go to secondhand markets or, in some cases, more risky grey markets. Regardless of where components are sourced, unauthorized and unverified suppliers may be masking a malicious third party selling limited-supply replacements and directly infiltrating our most critical infrastructures.  

5 moves to ensure better security 

Following are five no regrets moves that can move the needle in the right direction for your cybersecurity protection:   

1. Create a seamless IT and OT working environment. We see many companies with bifurcated teams, duplicative spending and rivaling thinking—security, confidentiality and integrity here, 24/7 availability and performance metrics there. Bridges cannot be built until IT begins to prioritize the safety and operational context of OT systems and OT prioritizes cybersecurity that includes the interfacing and exchanges with IT systems upon which it relies.  
2. The entire C-suite and the board of directors need to incorporate cybersecurity as a key ingredient in industrial operations in the same way IT security is already considered core to enterprise risk management. Roughly half of the industrial CEOs we surveyed shared their belief that the cost of implementing cybersecurity is much higher than the cost of a cyberattack.    
3. Identify security practices and processes that can cause more harm than good, such as single-sign-on (SSO) in OT environments. SSO permits an employee to use one set of login credentials to access multiple applications. Where SSO covers not just enterprise systems but also OT, it’s usually part of the company’s IT. This means incidents or attacks on the enterprise systems can easily spread to the systems that run and control production lines, warehouses and other operational areas. A better practice is network segmentation, where the corporate network is segregated from the network producing the goods and, therefore, the revenue.    
4. Though legacy systems pose cybersecurity risks, a complete overhaul isn’t a silver bullet. While today's newest OT systems are better at ensuring resilience and protecting operations, they are also often more complex and require a new set of skills to design, install, operate and maintain them. Today's systems, with all of their security bells and whistles, may be more vulnerable than older systems they replace if engineers don’t make them work securely from the start.  
5. Cyberattacks can and likely will occur even when all preventive measures are taken. Conducting tabletop exercises ahead of time ensures companies aren’t caught flatfooted in an incident. Companies require solid incident response plans and playbooks with clearly defined decision rights that reach from corporate down to the factories. Otherwise, they could end up hurting themselves more than the attack—by either shutting down significant parts of their operations out of an abundance of caution or failing to detect or stop the attack from going into OT. Companies also need a communication plan to control the narrative, which otherwise gets written for them.