Cyber Security is one of the fastest evolving concerns for the world when it comes to protecting technology and people.
The threats posed by cyber attackers are becoming significantly more sophisticated with new and inventive ways of implementing and delivering attacks.
In the last two years alone 90% of Industrial plants / industrial assets in their OT (Operational Technology) systems experienced at least one damaging attack.
However cyber security cannot be solved in one hit solution, such as a capex project that delivers you a result once complete, in truth it is never complete, successful organisations will build cyber resilience as an integral part of their strategy and will recognise it is a continuous journey as threats evolve.
The smartest investments will be made once a company understands what assets it has to protect and has understood its vulnerabilities; spending without this knowledge is like shooting in the dark.
The days of our systems being able to function at their full potential in a completely air-gapped environment are over.
Significant advancements in digital technologies and the requirement of being able to maintain our systems are performing efficiently, inevitably means there must be a “connection” of some kind. Whether it is via a dedicated physical connection, or an engineer connecting a device, a link is made, exposing a potential vulnerability.
The time to focus on security and protection is now more essential than ever and new detailed plans need to be established to ensure systems are not only maintained but equally protected.
The energy and utilities sector in recent times has been a highly targeted sector as they have established themselves as critical to national infrastructure and security.
Much like the common saying “A chain is only as strong as its weakest link”, there is a need to assess the ‘digital transformation chain’ and to ensure that cyber security is considered in each link.
This starts with firstly making sure we truly understand our systems.
Without knowing how our system is constructed and interconnected it becomes impossible for us to ensure that suitable levels of protection are implemented throughout the system and at the appropriate levels.
Often when talking to asset engineers about their processes and equipment, old infrequently used equipment is re-discovered, along with comments such as “I’d forgotten about that device”.
These ‘forgotten’ devices are often an increased source of risk and sometimes can be key elements in securing the system.
Of course, while undertaking a system architecture review, major areas of risk may come to light allowing for quick targeted actions to be undertaken prior to a cyber security risk assessment.
Understanding the system under consideration is an essential first step in the cyber journey regardless of the cyber security standard followed.
Another essential part that needs to be considered is identifying and understanding the risks posed to the systems. It is important to consider both internal threats and external threats, as often we don’t take a moment to stop and ask who is targeting a system and why they may be doing it. From recent world events, it is not hard to see that systems on industrial assets are prized targets.
Armed with a good understanding of the systems and the types of risks posed to them, a risk assessment would be the most logical next step.
A cyber security risk assessment allows you to clearly determine the areas of risk along with focused actionable recommendations.
It also allows you to understand in detail exactly where the vulnerable areas are, enabling better prioritisation of budgets.
At ABB, we often suggest considering this four-part strategy when starting your cyber journey; ‘Identify’ your areas of concern so you can understand the risks, ‘Measure’ the identified risks, how can they be reduced or managed, ‘Prioritise’ the areas of biggest risk so that the implemented solutions provide the best protection and value, and finally, ‘Mitigate’ the identify risks by implementing new controls or procedures to better improve the organisation’s security posture.
A strong successful cyber security resilience requires a collaborative approach. Companies are made up of not just systems, but most importantly people and the processes that support them.
Cyber security requires a unified effort with a variety of personnel from, site engineers, system vendors and wider company IT teams bringing in their expertise and unique perspectives.
Recommended for you
