Companies need to start working together to embed cyber security into their plant and machinery. Neil Elliott Smith – vice-president, industry business, Schneider Electric Pacific, explains why.
Cyber security is everyone’s business. A cyber attack can have far-reaching implications for a specific company and its customers, but it can also have larger ramifications for industry, consumers and the nation as a whole. That’s why, no matter the organisation or the industry, cyber security must be a priority for everyone.
A Microsoft-commissioned report by Frost & Sullivan has revealed that the potential cost of cyber security incidents is an estimated AU$29 billion per year, which is the equivalent of almost two per cent of Australia’s GDP. The study also found that:
• Cyber breaches incur an economic loss of AU$35.9 million for large Australian organisations (over 500 employees).
• More than half of the Australian organisations surveyed (55 per cent) have experienced a cyber security incident.
• More than half of Australian respondents (66 per cent) stated that they have put off digital transformation efforts due to the fear of cyber attacks.
Although it presents a great opportunity, digital transformation also exposes organisations to cyber security hazards. Across industry, it is important for every industrial manufacturer, vendor, third-party provider, integrator, standards body and government agency to share responsibility for addressing cyber security.
Drawing on our different resources and learnings, we would benefit from putting aside competition and working together to develop strict standards, and adherence to them, to protect against cyber attacks and help improve the standards of industry while keeping it safe.
Across the segments, governments, operators, designers, engineers and suppliers must recognise and act to address the risks to industrial control and safety systems, especially those legacy systems built prior to the notion of cyber warfare.
Control and safety-systems vendors have the responsibility to ensure their technologies are developed, designed and delivered in compliance with the industry’s most stringent standards. Safety and security certifications are essential to meet rigorous requirements for safety, cyber security, risk reduction and continuous operation.
Product security starts with understanding the design of a product and then follows a secure development lifecycle methodology. Vendors need to factor in security in their development facilities and throughout the supply chain for the development of their products, which extends to the implementation of systems at customer sites.
End users and vendors need to collaborate to ensure the technology provided to the operation is as cyber-secure as possible and that cyber security features embedded into OT solutions are activated and monitored. End users and providers need to work together to ensure technology is implemented correctly and that cyber security is part of an ongoing lifecycle and emphasised to employees. This could mean adopting the ethos of ‘cyber security by design’, including cyber hardening of platforms on the part of designers and engineers and throughout the entire supply chain, along with rapid adoption of, and education on, best practices and procedures on the part of plant operators and owners.
Cyber security awareness among organisational leaders is often low, and they remain unaware of the tactical measures needed to protect their businesses from cyber threats. This is surprising, given the continued proliferation of cyber threats including the NotPetya cyber attack that impacted production at the Tasmanian Cadbury chocolate factory or the CrashOverride malware used to disrupt the Ukraine electricity network in 2017.
In this era of increased connectivity, everyone – not just security professionals, but workers across the entire manufacturing enterprise – needs to understand how to protect themselves and their company. For a cultural change to become truly effective, organisations need to build everyone’s awareness of the potential threats their actions pose to the security of their systems. When reviewing some of the larger industrial cyber attacks that have occurred, the entry point was identified as an individual’s action, but the attack also required the failure of other protection measures and an absence of monitoring. Organisations should look to introduce a Cyber Security Management System and should consider:
• getting everyone in the company involved;
• being proactive and prepared;
• being vigilant;
• engaging in a cyber security community;
• sharing knowledge and best practices;
• working closely with your vendors to ensure best practices are followed; and
• educating yourself and others.
To thrive in today’s digital economy and mitigate the risks of cyber attacks, industry groups must work together and apply cyber security standards for industrial control and safety systems that take the entire threat landscape into account. That is why we need to call for an impartial industry group to help protect everyone from cyber threats.