By Graham Bushkes
It's time for Canadian manufacturing companies to step back and assess their cybersecurity priorities
If a piece of machinery were to break on the factory floor – how long would it take to fix?
Or if a door to the head office were left open and someone wandered in and began flicking through your plans and customer details – what would your reaction be?
Both of these examples would likely result in fast, decisive action. In fact, a manufacturer would rarely if ever find themselves in that situation, given that physical maintenance, security, and safety systems are a top priority.
Ironically, this same heightened sense of security often doesn’t extend to cybersecurity, even though the potential for serious financial and even physical consequences – especially in OT networks – is the same or higher.
The reality is, despite the fact that 88 per cent of manufacturing operational assets are now connected to a converged IT/OT network – leaving traditionally isolated and highly vulnerable systems exposed to external resources, devices, and networks – cybersecurity remains an under-resourced and isolated area of the manufacturing business.
In fact, one recent study commissioned by the Canadian Advanced Technology Alliance shows that only 57 per cent of surveyed manufacturing companies had appointed a cybersecurity official, and 65 per cent had spent less than $100,000 a year on cybersecurity.
While there are many reasons for this, including the need for organizations to reprioritize cybersecurity, one of the biggest gating factors is the currently limited resourcing landscape. Canada alone will need to fill 8,000 additional cybersecurity positions this year, and a global survey of CISOs earlier this year found that a lack of budget was interfering with planning and rollouts.
Coupled with the global shortage of skilled cybersecurity professionals, overtaxed IT teams are struggling to keep pace with new digital innovation efforts while dealing with sophisticated threats on their increasingly complex networks. As a result, it’s not only likely but inevitable that there will be a serious breach. In fact, a recent study found that 74 per cent of OT organizations experienced a data breach in 2018.
The time has come, therefore, as we enter a new year, for Canadian manufacturing organizations to step back and reset their cybersecurity priorities and structures.
The three steps outlined below will empower organizations to see their entire distributed and expanding networks clearly and transparently, enabling them to fully integrate a holistic security system that addresses the evolving threat landscape, while also continuing to meet their business objectives.
Step 1: Set integrated cybersecurity objectives
For most manufacturing businesses, it’s not just the IT and OT environments that are segmented. The teams that run them are as well. What’s more, they usually operate under entirely different objectives, with IT teams prioritizing the confidentiality of critical data while OT teams look to provide safe and continuous operations above all – meaning that resources are never intended to go offline, even for a much-needed software or hardware update.
While on the surface these appear to be conflicting priorities, the fact is that in order to maintain safe and continuous operations, all cybersecurity threats still need to be managed. That means that updates, planned downtime, or even new redundant systems to support maintenance should be integrated into the overall business strategy in order to avoid the potential of unplanned system failures or security events that can ultimately cost millions.
Bringing the IT and OT teams together – or deepening their existing connection points – so they can better understand each other’s business requirements and associated security implications should be step one for any manufacturing business in the new year.
Step 2: Create a clear picture
Another side-effect of the IT/OT divide is that, as with many IT networks, the security of an OT network is too often only considered at the end of a roll-out plan. But given the sensitive nature of OT systems and the potential impact of a serious cyber event, that approach carries serious repercussions.
As a result, it’s reported that 78 per cent of OT organizations only have partial visibility into what devices are connected to their network and where they are connected. With the need for companies to stay on the cutting-edge to maintain their competitive advantage, and the fact that new roll-outs can often happen fairly quickly, a pause to talk cybersecurity is not usually on an OT team’s to-do list.
Further, with anywhere between 50 and 500 devices on an OT network, many from different vendors, even if they are given a full picture, most teams would be stretched to capacity to tailor security solutions and customize requirements to each device. The end result is that if a corrupted device enters the network or a malware-infected email is opened, the OT and IT teams might not have the means to detect and respond to that threat.
It also means that some of the most basic cybersecurity threats – like phishing, malware and ransomware, and mobile security breaches – could be some of the most crippling for the manufacturing industry.
For that reason, step two for Canadian manufacturing businesses should be to get their frontline OT personnel to walk their cybersecurity team through the manufacturing floor, figuratively if not in actuality, and identify the organization’s most critical assets.
This will empower the cybersecurity team to see the full picture, and then enable them to design a tailored cybersecurity program that works for the business while also preparing them for the ever-advancing and complex threats being rolled out by cybercriminals.
Step 3: Find an integrated solution
System updates and scheduled downtime will continue to be a source of tension and a weak spot in any company’s cybersecurity hygiene if the IT and OT teams continue to operate in silos. However, there will need to be compromise on both sides, adapting and adjusting processes to ensure production and security needs are met in equal measure.
Overall, that requires both IT and OT teams to use their greatest asset, data and information, to their advantage. This means selecting security solutions that are flexible and that can be scaled, adapted, and managed as part of a converged IT and OT security system that spans the entire network.
To achieve this, you need to look for tools that extend from the data centre to the cloud to the network perimeter, that include protocols and functions specifically designed to provide visibility, control, and automated detection within an OT environment, and that also include built-in support for industry standards.
It’s also essential that any solution minimizes complexity and reduces the operating expense of OT security management to ensure that the benefits of your new integrated plan are recognized and can be incorporated into a comprehensive strategy that extends across the business.
Manufacturers that integrate their cybersecurity strategies into the very core of their business model will be better positioned to handle the increasingly complex and growing security threats that 2020 will bring.
Individual systems need to be managed and integrated into a single management system, including SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) tools, and comprehensive SOC (Security Operations Center) systems that provide comprehensive visibility, control, and response across all IT and OT environments.
That’s something that all teams should be able to get behind.
Graham Bushkes has been the country manager for Fortinet Canada since 2002. He is a direct and channel sales veteran with more than 32 years of experience in the IT industry.