By: Pranav Bhopatkar, Regional leader, Honeywell Industrial Cybersecurity for Critical Infrastructure
Investments in cybersecurity alone do not generate additional profit. When planning such investments, businesses should focus on the following question: what would your company lose if it doesn’t protect its assets properly? That is why the primary task of management is to make an adequate assessment of cybersecurity risks throughout the enterprise and to learn from the wider industry what is being done to protect company infrastructures.
Before the manufacturing sector and the energy industry started using commercial off-the-shelf (COTS) technologies and connecting applications and networks, the cybersecurity of industrial assets was not a subject of concern. Cybersecurity seemed like an issue inherent to the IT world only. Consequently, there was no real demand for technical solutions and experts in the field of industrial cybersecurity. Only in recent years have major industrial control system (ICS) cyber events forced the management of oil and gas and energy enterprises to think about protecting their industrial assets from cyberattacks.
Challenges in cybersecurity
There are three main challenges that industrial companies must face when planning their cybersecurity investments. First, the potential damage from cybercrime is virtually impossible to precisely quantify, as the boundaries of malicious intent expand with each new cyberattack. It is a paradox, but in the age of digital transformation, we are still learning how to gauge and quantify this parameter.
Secondly, industrial automation & control systems (ICS/IACS) often use equipment and software for which the manufacturer has discontinued support. Processing plants at oil and gas and energy enterprises may still run on operating systems released almost 20 years ago. The engineering assumptions made 20 years ago could not predict today’s era of advanced cyberattacks, yet they have carried over into it.
Thirdly, across the world, there is an acute shortage of cybersecurity specialists who understand the specifics of production processes. This is one of the reasons why we [Honeywell Industrial Cybersecurity] launched our first industrial cybersecurity center of excellence (COE) in Dubai. It is dedicated to developing global industrial cybersecurity expertise for customers in the region. We found that it was critical to create a safe, real-world environment to learn in, allowing us to innovate and augment industrial cybersecurity skills.
How to protect industrial assets
According to Honeywell research, 22 per cent of industrial companies surveyed in the region were planning on increasing spending on cybersecurity solutions by 25 per cent to 50 per cent from 2018 to 2023. These investments must be carefully planned.
Traditionally, cybersecurity experts analyze threats and, based on this, propose methods of protection. In our new reality it is more reasonable to move to a risk-oriented approach spanning operational, reputational and financial implications. An effective system of risk assessment and management is the main indicator of a cybersecurity system’s maturity.
The task of ensuring cybersecurity is logically linked to the overall business strategy of the company. Cybersecurity systems for industrial facilities should be laid down at the initial stages of both new construction and modernization. Conversely, when introducing solutions at operating facilities, it is worth providing for their scaling in case of business expansion.
It is also important to keep track of how stakeholders and wider industry organisations are ensuring cybersecurity and maintaining a strong level of security. In the field of cybersecurity, it is entirely appropriate to engage in industry research and intelligence, that is, to analyze information about other players from any available sources.
Ensure strict compliance with basic rules of cybersecurity throughout the enterprise
There is a set of simple techniques that significantly improve the safety of infrastructure. These include network segmentation, timely updates of antivirus and other software, regular backups, and USB-media security checks.
The problem is that when the enterprise does not implement consistent cybersecurity policies, employees may neglect the most basic digital hygiene measures. For example, due to a lack of time they may postpone system backups or skip checking the health of backup copies. They may use an unknown souvenir USB flash drive or connect to a workstation a device that looks like a smartphone charger but is actually a discreetly hidden hardware attack.
To ensure a cyber strategy delivers what it is supposed to, an enterprise must have a unified cybersecurity policy and constantly monitor its implementation and compliance.
Establish centralised cybersecurity management
It is not an easy task to continuously monitor the level of security, assess cyber risks, and monitor compliance with local security policies, especially in a corporation with geographically distributed enterprises. Today, large companies are increasingly connecting their assets to control and monitoring centers using secure communication channels. Such infrastructure can also be used to centrally manage cybersecurity.
A single cybersecurity management center is not only more effective, but also reduces the company’s expenses and labor costs. The impact on a company’s cybersecurity can be significant, with better operational availability along with improved compliance.
Cybersecurity should have the constant attention of the oil and gas enterprise’s top management: only then will it be effective and efficient. At the same time, it needs to be smart! A complex, siloed patchwork of security solutions introduces points of weakness and potential failure across both digital and human operations. The ideal approach is to create a clear, unified, centralized cybersecurity management system that can be actively monitored in real time to maintain a constant view of compliance.
With the right system in place, run by staff with the right level of expertise in cybersecurity deployment, the oil and gas enterprise gives itself the best possible chance of staying ahead of the ever-evolving threat of cybercrime as it pursues its digital transformation journey.