Cybersecurity – An inside job
By Bill Lydon, InTech, Chief Editor
The public discussions about cybersecurity related to the latest U.S. presidential election are making cybersecurity a hot topic. Maybe it takes these types of issues and discussions to convey the importance of cybersecurity protection and programs to increase the priority and efforts within companies to take action. If it is not already, cybersecurity should be a top-of-mind issue with automation professionals and people throughout their companies. Information technology systems are not the sole targets of cyberattack. Operational technology systems, including supervisory control and data acquisition systems, programmable logic controllers (PLCs), robotics, factory automation, distributed control systems (DCSs), and other manufacturing systems are also at risk for cybersecurity attacks.
The consequences of cyberattacks on automation systems can be far more serious than financial loss, including physical damage. Certainly, the source of threats can be part of the discussion, but more importantly, cybersecurity is an inside job. The only thing companies can control is developing, fortifying, and continually improving cybersecurity protection and programs inside the organization. This can include contracted outside resources as part of an overall cybersecurity protection development strategy, but at the end of the day, the primary responsibility rests on the shoulders of the manufacturing organization. Cybersecurity includes a range of hardware and software and the development of a cybersecurity-conscious culture inside the company.
There are similarities and important differences between plant safety and cybersecurity. Plant safety needs to be redefined as equipment and manufacturing processes are added and modified. Cybersecurity, however, requires an ongoing effort, since cybersecurity threats change at a much higher rate than production systems and equipment. Some of the same planning process safety principles apply, and both require an ongoing process of continual review, awareness, and updates.
Cybersecurity needs to start at the top and be embraced by everyone. A successful culture is developed by personnel seeing meaningful action to protect systems and information. Without building the culture, it is easy for people to take shortcuts around cybersecurity methods and procedures for expediency to solve production issues. Achieving a cybersecurity culture where everyone understands the value of the program is the goal.
Because cybersecurity threats can directly affect the manufacturing company's operations, the people on staff need to understand the technologies and processes for protection. This is the case even if the majority of cybersecurity protection is going to be outsourced. This really is not any different from doing an automation project using an in-house project manager and outside contracted resources. In either case, personnel need to become knowledgeable. An excellent source for training is ISA, which offers a set of industrial cybersecurity certificate programs and aligned training courses in the market covering the complete life cycle of industrial automation and control system (IACS) assessment, design, implementation, operations, and maintenance. Each certificate program and training course is based on ISA/IEC 62443, the world's only consensus-based series of IACS standards and a key component of the U.S. government's cybersecurity plan.
Organizations that invest in a cybersecurity culture that proactively identifies vulnerabilities and protects the plant's critical infrastructure, operational performance, and profitability are unlikely to be a cybersecurity disaster news headline.