Any process manufacturing company that has not yet launched a cybersecurity program is probably stuck in a common and difficult position: Where do we start? If your company is trying to break free and make some progress—and maybe you’re the one tasked with doing it—we have some suggestions for critical first steps.
These suggestions are included in our article in the September issue of Control Engineering. The key point is that a program has to begin with a cybersecurity risk assessment to see where you are now, and where there are critical vulnerabilities.
As you start, here are three common missteps teams need to avoid:
- Assuming the team already knows and understands all the risks
- Believing a single magic solution can fix everything, while ignoring a range of actual threats
- Assigning too low a priority to the program combined with underfunding
To turn these “don’ts” around, what are the steps you should take to avoid those very problems? What are the sound strategies?
First, the team needs to identify unknown cybersecurity risks, at least as many as practical.
Cybersecurity is an evolving arms race that may seem overwhelming to an OT team, or even to some cyber-experienced information technology (IT) teams. Learning that anti-virus software and a firewall are no longer sufficient protection can be intimidating. A cyber risk assessment removes the need for an OT team to determine every potential cyber vulnerability in the plant on its own. The assessment helps teams identify, document and prioritize the highest-risk vulnerabilities and build a roadmap around them. This roadmap provides a guide for creating solutions that quickly provide sufficient security.
Second, the team must understand that there are no technological silver bullets able to fix the problems, especially when trying to protect an industrial control system. Any solution must be compatible with the automation systems running the plant and not interfere with production. Approved security measures must be tested and reevaluated regularly to verify effectiveness.
Third, the team or department must have sufficient knowledge and resources to do the job well.
The simplest example of inaction is a small department handling IT and OT on a limited budget. It is easy for such a team to become overwhelmed because there are so many vulnerabilities that need to be addressed and there’s never enough time, resources or overall funding. Even large, well-funded organizations need to start with individual solutions and build toward a comprehensive defense-in-depth strategy. Not every problem needs to be fixed at once. A good cybersecurity risk assessment will create a prioritized roadmap to build the defense layers that will close gaps over time and at a reasonable cost.
Many companies won’t have the ability to build a cybersecurity program internally. Often, there simply aren’t enough people with the necessary expertise. These companies frequently find success by engaging with a trusted partner like Emerson. With specialized knowledge of threats and tools compatible with systems such as the DeltaV™ distributed control system, it is possible to perform a comprehensive analysis and implement appropriate solutions.
Visit the Cybersecurity Services and Cybersecurity for DeltaV Systems pages at Emerson.com. You can also connect and interact with other engineers in the Cybersecurity Group at the Emerson Exchange 365 community.