As you may have read in our first blog in this series, Proactive Approach to Cyber-Security Could Avert Disastrous Shutdowns, cyber security should be at the top of the list for every executive team member, business owner, manager and supervisor hoping to safeguard their most precious assets; production, intellectual property and people. Cyber and ransomware attacks are trending now, not in a good way, and can have devastating effects on your business and the communities you live and work in.
Many regulated industries are required to not only conduct risk and resilience assessments but also have in place updated Emergency Response Plans reviewed every five years. Especially if this applies to you, this presents an opportunity for two distinct areas of your organization to pool their knowledge and work together toward solutions for the good of the entire organization, even if at first glance that may seem counterproductive.
“The convergence of IT and OT security can be a challenging task, since routine IT procedures, such as antivirus software updates or even patching, can lead to significant production disruptions, even potentially shutting down entire production lines,” According to the 2019 Deloitte and MAPI Smart Factory Study.
So, we asked our experts in information technology (IT) and operational technology (OT) to combine efforts and give us the best of their knowledge in terms of helping you consider how to protect your organization.
When we think of cyber security, we consider it in really two phases, the Risk Tolerance phase and the Implementation of Countermeasures phase based on your risk tolerance. We’ll plan to explore these cyber security tips in the next two blog posts to round out our series. For now, let’s start with a baseline of things to look at when you first start.
Establish a risk tolerance
Every organization based on its size and scope will have their own risk tolerance. Because, as of yet, there is no 100% guarantee that you will not be hacked or be free of concern about getting hacked, organizations need to strategically plan out what they’re willing to take a risk on. If your company makes pom-poms to sell to athletic teams around the country, you have a large reach, but your risk tolerance might be slightly higher than a company that sources the power grid of a major metropolitan city.
How did I make that assessment? The cost of a shut-down of a pom-pom factory would be devastating for all the athletic teams getting ready for national competitions or welcoming new members to their competitive teams as well as the company making sales itself. In comparison, the shutdown of a power grid for multiple hours, days or weeks where an entire city may experience catastrophic considerations may differ. Based on a loss of power, perhaps heat or air conditioning, refrigeration, a major drag on systems of generators to support hospitals and emergency facilities and potential loss extending beyond the economic impact to the loss of life, one might assume their risk calculations could differ.
Both work within production (pom poms or energy). Both would feel the negative economic impact of a shutdown and neither disruption would be any less devastating to the organizations’ owners but the calculated risk the owners might be willing to take compared to the “what-if” scenarios might cause more or less panic based on the hypothetical attack.
Once the organization has established at a high-level their tolerance for risk, it wise to craft policy and procedure around the identified risks and bring in the experts.
High-level risk assessments with Subject Matter Experts (SMEs)
Many organizations have staff devoted to security, information technology and production engineering, but often it takes an outside eye to determine potential areas of risk and convergence between departments. When it comes to the safety and security of your organization no one should assume internal departments should be the sole resource. Bringing in subject matter experts who can take an outside look at possible security risks from both an IT and OT perspective is well worth the expense.
Identify potential risk factors
The astute eyes of outside organizations can identify a variety of scenarios that could potentially open an organization up to risk. In an initial high-level assessment several factors should be considered.
Agreeing first on the methodology for how risks are identified and priorities are determined, should climb to the top of the list. Identifying risks includes spotting possible threats, vulnerabilities and their respective likelihoods and consequences. Both the process of identifying these risks and ranking their priority needs to include appropriate stakeholders and will require buy-in from the leadership team on down. Clear documentation and rationale for the risk identification should include a ranking of vulnerabilities for any leadership team to consider.
Weigh risk tolerance with possible solutions
The next logical step will be to return to the risk assessment tolerance model your company chose at the beginning of the journey. It’s time to make a plan for how to incrementally or holistically work these plans into upcoming budgets, team meetings and plans for training.
This internal discussion should not be relegated to the bottom of the priority list regardless of your risk tolerance or whether or not you happen to work in a highly regulated field. Too many things could go wrong. Let’s just take one example: a water system.
A calculated cyber-attack could interfere with and alter so many elements of a water treatment plant. For example:
- altering chemical, recipe, or dosing processes for water treatment
- unauthorized changes to programs in PLC’s
- disabling or altering normal service
- prevention of an operator’s ability to adjust system issues
- denied access to SCADA system
- ransomware preventing systems from running altogether
Not one of these attack risks is worth the potential damage and exceptional companies looking to sustain positive relationships with their customers over the long-haul won’t take this risk.
Project timeline for risk mitigation/ maintenance plan
Pulling together a cross-functional internal team (if they are not already in place) at this point to determine the best plan of attack for making these changes is a wise next step. Often, changes required are multi-pronged defensive attacks and cannot take place all at once. In order to avoid production disruption, allow for education and training and financial planning to complete all the tasks, a detailed plan of attack along with specific timelines should be produced and cleared with leadership teams. This will help avoid costly downtime for ongoing daily business.
Clear time and attention to preventing these cyber-attacks now could save the life of your business later and there is no time like to present. Hackers aren’t waiting around for you to get ready. In our next blog we’ll examine what is commonly known as the second phase, the implementation of countermeasures.
Check out our other cyber security related blogs here:
Proactive Approach to Cyber-Security Could Avert Disastrous Shutdowns | Huffman Engineering
Ready to Move: Implement Countermeasures/ Document and Train on Safeguards | Huffman Engineering
Let the IEC/IAS certified Cyber Security experts at Huffman Engineering be your go-to subject matter experts on cyber security. Request a Quote today by reaching out to our certified engineers.
| Dustin Bredvick Mechanical Engineer IEC/IAS Cyber Certified Risk Assessment Specialist Huffman Engineering dbredvick@huffmaneng.com |
Sean Creager
|
Brett Benson IT Engineering Specialist Huffman Engineering bbenson@huffmaneng.com |
Huffman Engineering, Inc. (HEI) is an engineering services firm specializing in control system integration, design, and engineered studies. Our start-to-finish project expertise includes design, development, implementation, support, testing, and operator training serving industrial customers and municipalities, with a focus on pharmaceuticals, life sciences, utilities, and food & beverage. HEI has a 34-year history of delivering system integration projects and building robust, reliable automation systems for highly regulated industries meeting stringent regulatory requirements including the FDA, USDA, and EPA among others. HEI is a CSIA Certified control systems integration company, with a highly skilled team of electrical/mechanical engineers, and experienced technicians who deliver optimal industrial automation solutions. Based in Lincoln, Nebraska, Huffman Engineering has served the Midwest since 1987.
____________________________
Making Ideas Work