The ability to connect information technology (IT) systems with operational technology (OT) systems, such as Supervisory Control and Data Acquisition (SCADA) systems and Programmable Logic Controllers (PLCs), gives businesses access to information for a comprehensive picture of what is happening across the enterprise’s operations. It also comes with considerable IT and OT security-related risks that can have a far-reaching impact on the organisation.
“When we think about IT security, we tend to think of corporate networks, data and e-mails. However, the high level of connectivity that is available to companies today means that industrial, engineering and building automation systems can also be exposed to cyber security threats. The malicious worm, Stuxnet, for example, was designed to specifically target industrial PLCs, which modified their coding and gave unexpected commands to the control system. The consequence of Stuxnet was that the entire manufacturing operation was brought to a standstill for days until the IT and OT vulnerabilities were remediated.
“When integrated systems aren’t adequately segregated and protected against threats like these, the whole enterprise is exposed, with potentially far-reaching consequences,” says Charl Ueckermann, CEO at AVeS Cyber Security.
“Just think about it, when automated industrial systems and PLCs don’t behave the way that they should, the health and safety of your people is at risk, machinery and processes may become unsafe, production output can be affected, and there could be consequences for the communities you operate in or serve.”
However, says Ueckermann, companies can and should continue to leverage the opportunities to manage and streamline business and operations with integrated systems.
“The key to protecting your organisation’s industrial automation systems is transparency.”
To start, Ueckermann says organisations should have a thorough understanding of their OT environment. This includes having visibility of all physical and computer assets and how they are connected.
Once companies have a comprehensive understanding of the environment and the potential risks, it then becomes necessary to call on technology to assist with controlling access to the environment – which includes both physical and digital assets – as well as put processes in place to protect data.
“Automation and control systems rely on interdependent connectivity and thus require appropriate tools to protect data in the networked systems,” says Ueckermann.
Ongoing monitoring to identify possible gaps in security and detect unauthorised access or execution of programmes is also highly recommended. With the correct tools, organisations can proactively pick up vulnerabilities, unauthorised access to systems and data, as well as malware on automation systems and PLCs.
“Education is an integral part of threat management. Systems engineers should have a greater understanding of security and the potential risks for automation control, SCADA and PLC systems. Collaboration between IT, engineering and operations personnel helps to build a strong team that can respond to threats and incidents quickly and manage risks effectively,” says Ueckermann.
The capacity to recover from an incident on these systems should also be built-in to restore to ‘business as usual’ as soon as possible. Disaster recovery plans should include strategies for managing the systematic failure of technologies as well as entire systems.
He says standards and guidelines for industrial control systems’ security – also called industrial cyber security – help companies to keep the checks and balances in place that ensure that the highest level of security in control systems are maintained across the enterprise.
AVeS Cyber Security works with companies to implement the NIST Framework for Improving Critical Infrastructure Cyber Security. Commonly referred to as the NIST Cybersecurity Framework, it provides organisations with a structure for assessing and improving their ability to prevent, detect and respond to cyber incidents. The framework uses business drivers to guide cyber security activities and considers cyber security as part of an organisation’s overall risk management processes.
“By implementing the framework, your organisation will become more focused and proactive about protecting critical assets, both physical and digital. There is a range of technologies that are available to simplify compliance with the framework to ensure optimal security of data in networks, as well as automation and control systems,” concludes Ueckermann.