Six must-do action items to minimize your risk of cyber attacks
Dec. 2, 2015 – Are you working securely? Cybersecurity is a hot-button issue these days and while it’s been commonly noted that manufacturing companies must be proactive in protecting themselves, some organizations may not know where to begin. For insight on how businesses can get started, Manufacturing AUTOMATION spoke to John DiMaria, senior product manager of systems certification for BSI Americas, to get his take on what businesses should keep in mind when implementing a cybersecurity plan.
1. Complete the initial risk assessment
“Overall risk assessment becomes the underlying foundation of where businesses need to start,” says DiMaria. According to him, this initial risk assessment is critical as it lets the organization understand the context of all systems and processes so it can “hone in on what really needs to be protected.” The assessment should determine what risks are associated with the organization’s entire operational process as well as the types of security controls that are currently in place. The goal is to determine what additional measures need to be implemented based on the “risk appetite” of the organization, he notes.
2. Develop an operational planning system
All data documented in the risk assessment can become useful information when creating an organization’s overall security strategy, says DiMaria. “A glitch in the automation system could actually blow up a reactor, so it’s just not about detecting processes, it’s about having proper measurement systems in place to know when the bells and whistles need to go off,” he says. He references ISO/IEC 27001 – Information security management as a reference point for companies seeking guidance on where to begin. “It gives you a structure to measure your system against and improve on based on the requirements of that standard.” He recalls an instance from one of his previous jobs: “When we automated our systems and moved from manual to computer-operated systems with Internet and outside access, I hate to say it but for probably the first year, we didn’t even think about security. It wasn’t on our mind. We were focused on how much quicker we can get [products] out the door.” Not all security breaches are complicated hacks, says DiMaria, noting that sometimes an attack can be very simple in nature but because an organization didn’t have the appropriate security measures in place, they still occur.
3. Maintain a unified leadership message
A key element of a cybersecurity strategy — or rather, any business strategy — is that it is regularly reviewed by top management, he notes. “Top management has to lay out a policy to let everyone in the organization understand what they’re doing as a whole, what is critical to its processes, why it needs to be protected, and how the organization is protecting it,” says DiMaria. This message should be implemented from the top down so that a culture of security is reinforced among all employees, he adds.
4. Communicate security mandate to all levels of staff
Not only does this message need to be driven from the top down, it also needs to be rolled out and explained in detail to staff at all levels of the company, says DiMaria. “We see that some organizations can have a lack of competency,” he notes. “You put somebody in front of an automated control system and teach them how to work it, the right buttons to push and when to push them, but do they really understand the breadth of what they’re dealing with there?” He says it is one thing to teach employees how to use the tools, but it can be detrimental if the worker isn’t taught the security risks associated with their role and responsibilities.
5. Regular monitoring and documentation
Improvement to an organization must be constant, says DiMaria. As such, regular evaluations and continuous enhancement of processes and systems must be performed to ensure that an organization is keeping up with the latest software and issues in the market, he notes. Internal audits can be a “very useful tool” in measuring how well a particular measure is working within an organization, as the collected data can help illustrate past trends and help predict future progression. “It’s really about finding out issues before they really happen.”
6. Business continuity plan
So what strategy do you have in place for when an attack does happen? According to DiMaria, it’s imperative that all companies implement a contingency plan to deal with security breaches. “We all know that nothing is 100 per cent. On your best efforts, something is bound to happen sooner or later,” he says. Is this contingency plan documented and tested? Do all employees understand what parts they have to play in the event of a disaster? DiMaria says this plan should also outline the specific steps that have to be taken during and after an attack, as well as recovery time objectives, so that the company can be as prepared as possible during a vulnerable time.
This feature was previously published in the October 2015 issue of Manufacturing AUTOMATION.