When the term cybersecurity comes up in conversation, the mind begins to envision hackers, mountains of policy and procedural paperwork, and the dread of an "event" happening to you. As a result, it's easy to get bogged down in comparisons of the latest software and cutting-edge defensive strategies. I think this approach is backwards, particularly when it comes to cybersecurity in a manufacturing context.
First of all, you have to understand that you cannot protect something without a clear understanding of what it is you're trying to protect. All decisions about security must be rooted in a deep knowledge and understanding of the data we want to secure. To figure that out, start by asking these questions:
- What data is most important to our business?
- Who needs access to this data?
- How often does it change?
- How does it move through our facility?
- How long does it exist?
- Does it get copied? Who is the logical person to do the copying?
- What is the greatest loss for us if data is lost, stolen, corrupted, falsified or shared with our greatest competitor?
These are scary questions, but answering them makes it clear which data are highest priority. The answers also help provide context and proportion. I wouldn't put my mother's chocolate chip cookie recipe in Fort Knox, but I wouldn't put the crown jewels in a filing cabinet in the hallway, either. That's why truly understanding your data and its importance is essential to understanding cybersecurity.
Sometimes getting answers to these questions is a problem. Facilities are rarely a one-time build, and longevity at plants turns some individuals into gatekeepers. We are all familiar with being told that only one person could answer a question -- and that person just left for lunch. It can be difficult to get people interested in truly understanding the data and how it flows. Sometimes people get territorial with their knowledge. Those at a site from inception tend to hold their cards close, even to their detriment; focusing so closely on what they're holding can make them blind to possible threats. At smaller shops, the key person usually feels very isolated. Their plate is full of responsibilities and they have no time or inclination to search out new information. Worse, if we are personally possessive with corporate data, we regard other people (even our co-workers) with suspicion any time change is suggested. This handicaps our business. Even those things nearest and dearest to us MUST undergo change.
To get through these kinds of issues, grab a big, blank piece of paper. Start in the middle and begin writing out interactions. Data generators and data consumers—both machines and personnel—should all be listed on the paper with lines drawn between them showing the interactions involving data. People are always surprised at the complex answers that arise from simple questions about their data and how it moves. For example: What happens when this time stamp isn't available? If I lost this column from my spreadsheet, can the business still function? What's the impact of John Q. Public seeing this? These answers allow you to face the issue of cybersecurity from a holistic standpoint rather than looking at shipping, accounting, production and quality assurance as separate departments in need of their own cybersecurity software.
If you understand how data flows, know what is important to your business, and why certain areas need greater protection than others, then the cybersecurity services and products that will best serve your company will flow naturally from that. Until you know what you have, don't do anything. Trying to fix the system before you understand the problem can cause more problems than doing nothing.
Alan Raveling is a senior analyst at Interstates Control Systems Inc., a certified member of the Control System Integrators Association. See Interstates' profile on the Industrial Automation Exchange by CSIA.