Cyber Security: Be Prepared

Article by Tom Lind and Jonni Talsi

Cyber security is not a new topic, but it is increasingly a central factor in modern risk management in industry. It is not just about managing risk, but also a matter of personal responsibility. Production-related threats, such as production losses, impaired quality or delivery delays, are no longer the only risks.

Management and privacy of data is equally important in any responsible and modern production environment. This has to be supported by well-organised management standards and frameworks that can deal with ever-evolving threats of cyber attack.

Threats to industry

When considering cyber security in the industrial sector, the challenges are traditionally associated with personal IT, office automation, business management and ERP (enterprise resource planning). The largest share of incidents is unintentional, caused by an individual’s lack of knowledge. This obvious flaw can be amended by increasing your workforce’s cyber awareness with a sufficient training programme which covers the basics of email phishing, malicious attachments, and e-fraud.

The benefits of increased digitalisation or automation in the industrial sector are well known. But what is less well known is how an industrial control system (ICS) can become a target for cyber attacks. Lately, cyber attacks have used malware to disrupt or take control of critical infrastructure like electrical substations. Process industries using SCADA (supervisory control and data acquisition) systems have been reported to be vulnerable, regardless of the industry. It is not just infrastructure, either; there are also reports that hackers are attacking safety systems. The growing number of these incidents underlines the fact that industrial control systems are increasingly being targeted for cyber attacks.


Process plants are vulnerable to cyber attacks from known and unknown sources. If successful, they can lead to loss of production, unplanned downtime (production quality waste), and disruption to cash-to-order processes and the supply chain. The impact, however, is not just limited to production processes. Buildings technology, such as climate control systems, remotely-controlled access control systems, and surveillance networks can be surprisingly vulnerable. Damage to these technologies can also disrupt production indirectly or even have a catastrophic impact on the local environment or community. For example, an attack on heating, ventilation, and air conditioning (HVAC) systems in a laboratory could directly impact health. How digitalisation can impact wellbeing needs to be understood, managed and protected accordingly. The journey starts by assessing critical parts of infrastructure and buildings technology.

When assessing industrial processes, it is vital to: 

  • be aware of, and understand, potential cyber incidents;
  • assess and identify any risks and how they are handled;
  • understand the time and effort required to recover production following a cyber attack; and
  • build and increase your resilience.

Too often, there are no clear plans. Backups are not tested and even smaller disturbances can easily cause chaotic recovery situations. This highlights why, in the industrial sector, cyber threats have to be a standard element of general risk management strategy.  

Upcoming changes in cyber security directives

Not just for individuals: GDPR aims to protect industrial operations too

In 1995, the European Union introduced the Data Protection Directive (Directive 95/46/EC) to regulate the processing of personal data to meet privacy and human rights laws. From 25 May, new directives will come into force. The General Data Protection Regulation (GDPR) will supersede previous directives. Its aim is to protect EU citizens from privacy and data breaches, including heavy penalties for violations. Within this new directive there are measures that look to protect industrial operations, including:

  • The authorities must be notified within 72 h of first awareness of a cyber security breach. This applies not only to the production unit, but also its customers, suppliers and other stakeholders.
  • Anyone whose data is managed by a data controller (eg registered customer data) can, at any time, free of charge, get a confirmation related to the data use.
  • Data controllers must erase personal data once it has lost its original purpose, is no longer relevant, or when a data subject withdraws consent.
  • Data protection must be included at the start of designing systems, rather than an addition. It must be of the highest standard and protect the privacy of any data subject.
  • Companies must establish and appoint a data protection officer (DPO).

What is apparent with these new measures is the level of increased transparency for data processing, attempted cyber attacks, or breaches. There will be no hiding place if reputation-damaging errors occur. With these new challenges, a traditional IT manager role will no longer suffice, and companies may need to appoint chief information security officers (CISOs).

Trustworthiness

Increased digitalisation in production means there is greater interaction between different systems which are controlled or monitored through computer-based algorithms. Wireless sensor networks, measuring something in a given environment and transmitting that to a central unit (for example an automatic pilot in avionics systems) are typical applications in this area. This is all combined with human interaction. All of these moving parts create the cyber physical system (CPS). The CPS needs to be incorporated into risk management practices.

Trustworthiness is an integral part in the CPS concept, with components of security, privacy, safety, reliability and resilience. Trustworthiness must be a basic requirement of any modern industrial site and a prerequisite to sustainable, advanced manufacturing and the digital business environment.

In the context of the CPS lifecycle, trustworthiness should be considered in all stages (conceptualisation, realisation and assurance). Also, every CPS stakeholder (designer, supplier, end-user) must be empowered to participate and to understand the risk-based approach to trustworthiness.  

When considering risk management within the context of a production plant, combining GDPR and trustworthiness can be conducted in the following ways:   

  • The CPS may include physical, analogue, and cyber components: Engineers must determine how to evaluate the impact of their choices in terms of multi-level trade-off metrics.
  • Security, operational and reputational risk: require attention from, for example, the plant operators in daily operations to maintain the production process performance and provide a safe place to work through well-planned IT concepts.
  • Safety and error rates elimination: this must be governed properly under supervision of a DPO, asking questions like “is there a possibility that data can be used against the processor?”
  • Reliability and failure rates: requires careful planning of any backup systems by the IT staff responsible.
  • Privacy, unwanted disclosure rates and threats: need to be continuously monitored and potential ones must be eliminated by appointed staff responsible, eg IT management.
  • Resilience and recovery rates: require back-up plans to be kept continuously up to date by pre-defined persons for any system (production or support systems, machinery or IT).

Resilience planning is done to mitigate against an attack and help with recovery. Data recovery following a security breach should be planned with a clearly-defined process. Ideally this should be practised as well. In many cases, clear data backup routines can be the difference between a quick recovery and a total catastrophe. The key is how quickly this can be done to mitigate damages (eg production losses).

Turning theories into practice

ISO Standard 27001 is well known and widely employed to manage information security, and defines its related risks. This standard has traditionally been considered more as an IT management standard, but in modern production facilities with increasing digitalisation, it can no longer be relied upon. ISA99/IEC62443 emphasises the industrial control systems on four different layers (general, policies and procedures, system and component). Furthermore, ISA99/IEC62443 represents a more advanced approach to industrial cyber security, specifically addressing security from the control systems perspective.

With a jungle of standards, guidelines and frameworks, selecting the right one for your business and industrial setup is critical. Only once you have selected the most relevant can you establish the foundation of your ICS cyber security. Equally important is the ability to maintain and evolve it. Pöyry has developed a simple approach to do this; a stepwise continuous improvement approach to process industry plants can be phased as follows.

1. Assessment

The first step in determining the current level of protection is a walk-through assessment of facilities, along with interviews with operation technology (OT) and IT managers. An assessment report with recommendations will be delivered and discussed in an evaluation meeting with the plant management.

2. Concept

Next, a concept is developed that is tailored to the realities of the plant organisation and the level of protection already achieved. In most cases the ICS cyber security will be the final piece of the jigsaw and complement the existing plant IT security and physical security concept.

3. Programme

A detailed flowchart for the ICS cyber security processes is then created by an external expert who supports the plant owner, along with the defined roles and responsibilities for the implementation.

The external expert then acts as project manager and reviewer of the procedures. The plant OT and IT personnel are best placed to understand the business processes and the network and automation architecture of any facility, so they will write all necessary operating procedures, together with external specialists.

4. Training

In order to build a resilient ICS cyber security into a plant, all relevant personnel are trained by experts.

In the event of a cyber attack or another type of cyber incident, personnel will have clear instructions on how to minimise the physical and economic damage to the plant and to initiate the recovery according to the resiliency plan, enabling the plant to promptly return to production.

After classifying assets, creating the ICS cyber security concept and programme, and training the plant personnel, an extensive field audit may be considered to establish the level of cyber security of the plant at any point in time.

5. Annual review

It is highly recommended that an ICS cyber security review is done annually. Over time, new cyber security threats will continue to appear and find ways to exploit vulnerabilities of industrial control systems, so cyber security requires frequent reviews and updates of current threats, and a regular gap analysis.

Asset management and cyber security

Processing or production industries are typically very asset intensive businesses. From the owner’s perspective, there is a huge amount of uncertainty and risk that is considered in the future production portfolio and business environment. They have to consider important external factors such as the global economy, demand/supply changes, raw material pricing, employee restrictions, politics etc. Modern asset management includes a number of challenging questions, such as: 

  • how to maintain assets to still meet all set operational, sustainability and business targets?
  • what is the annual investment demand needed to meet any of the targets?
  • should we replace or rebuild?
  • how can we mitigate any asset-related risks associated with unclear future market scenarios?

 


There is a huge amount that the owner has to contemplate and manage. But it is vital that cyber security is given equal consideration, and any asset management plan must include CPS. For example, equipment generation upgrades cannot only include hardware refurbishment or modernisation. It has to include cyber security ICS (eg data privacy). Typically, business managers tend to focus on reducing costs and time efficiencies. Meanwhile, procurement practices in processing focus more on direct assets costs, with maintenance and operational expenses being secondary. Too often, cyber security drops down the agenda. However, failing to build in cyber security at the investment phase means that your new modern plant will, in fact, be old and inefficient from day one.

Summary

It is no longer sufficient to just deliver efficiencies or advanced sustainability. Integrating digitalisation in industrial operations is dramatically exposing industrial processes to unknown cyber security risks. Traditional asset management alone cannot ensure your safety. All of these challenges can be managed, but it requires a systematic approach, while continuously improving and updating. Businesses need to choose suitable frameworks, but having plans in place is not enough if those plans are not enabled. That’s the difference.

Acknowledgement: The authors wish to thank Petri Kankkunen for valuable input into this article.

Article By

Tom Lind

Vice president, technology and new solutions, Industry Business Group, Pöyry


Jonni Talsi

Chief engineer, cyber security, energy business group, Pöyry

