Editorial: Turning cybersecurity awareness into action

Recently, I watched a Netflix documentary called The Social Dilemma. It was largely about the impact of social media on human behaviour, but it raised some interesting questions about artificial intelligence and big data – particularly who has access to that data, and what they can do with it.

One of the topics covered was the role of social networks on election security. The film argues that it’s inaccurate to say Russia “hacked” Facebook to influence results in the 2016 U.S. presidential election, because the Russians used regular advertising channels to post their information and then target it to specific groups. So, while Facebook’s marketing platform may be fairly unregulated, it’s a legitimate method all the same.

This got me thinking about cybersecurity in the manufacturing sector. Through some reading, I have learned that hackers often do something very similar to get control of industrial networks – they use what’s already there.

In the June episode of MA’s podcast, I asked IT expert Andre Vittorio, president of Idealogical Systems, what manufacturers should be aware of when it comes to cyber threats. He likened the factory network to a series of doors.

“Gone are the days when people could kick a door open and try to get into your network by brute force methods […] you could put all kinds of locks on and then you have the key. Well, cybercriminals are trying to trick you into giving them a copy of the key,” he says.

“Because then it doesn’t matter how strong those doors are.” (Listen to the interview here).

In a factory, security concerns bridge both information technology and operational technology (OT) systems. Traditionally, OT has been relatively insulated from cyberattack compared to IT – but as more PLCs and machines get connected to the Internet, vulnerability grows.

It presents a bit of a paradox: the concept of Industry 4.0 hinges on the access to and computation of data to drive operational efficiency, but the very systems that make manufacturers more agile and responsive also put them at increased risk.

How to mitigate that risk? There are several ways, but ultimately a strategic approach is best left to a chief information security officer (CISO) – not necessarily an IT person, but someone with skills in technology, communications, digital forensics and/or law, says Jean-Guy Rens, director of the Canadian Advanced Technology Alliance (CATA) and author of CATA’s recent study Cybersecurity in Canada – Survey of Cybersecurity in the Manufacturing Sector and Critical Infrastructure.

“Cybersecurity is not just a technological discipline,” says Rens. “It also covers governance, communications, employee training and third-party management.”

The concept of Industry 4.0 hinges on the access to and computation of data to drive operational efficiency, but the very systems that make manufacturers more agile and responsive also put them at increased risk.

Rens says an SME, however, is unlikely to be able to hire a CISO – not only due to lack of resources, but also because the environment doesn’t usually offer the stimulation and career growth a cybersecurity manager may seek.

In this case, rather than attempt to bring someone in house, a SME should contract a firm that specializes in cybersecurity and threat detection.

Unsurprisingly, respondents cited finances as the main reason why cybersecurity initiatives tend to be lacking. Sixty-five per cent of the 200 companies surveyed invested less than $100,000 on cybersecurity in 2018, and most of them were SMEs.

Nearly a third of the total companies interviewed said they want to receive a financial incentive from the government for their cybersecurity activities – and those respondents were all SMEs, too.

October is Cybersecurity Awareness Month, so we’re offering plenty of insightful content over the next few weeks to further develop your cybersecurity strategy. First, we’re covering security risks as part of our virtual Industrial Control Systems Roundtable on Oct. 7. (You can register for free here).

And during the week of Oct. 19, we’re bringing you Cybersecurity Week, sponsored by Fortinet, which includes a free webinar, Securing the Manufacturing Value Chain, Oct. 20 at 3 pm ET/12 pm PT.

Cybersecurity doesn’t have to be one of those “we’ll-do-it-later” decisions, like opting to back up your computer only after you see the blue screen of death.

By then, it’s simply too late.