Industrial Cybersecurity: Debunking the Myths and Adopting Best Practices
About 20 years ago, OT networks used to be isolated when production lines were air-gapped and unconnected. However, things started to change around ten years ago when industrial automation was being implemented in factories. During this time, factory managers started to interconnect production lines in order to tap into the benefits that factory automation could bring. When an OT system is connected to the Internet or other IT systems, the OT system becomes a point of weakness for malicious attacks or accidental data loss. So why is cybersecurity so often overlooked by OT engineers? The answer can be traced to some common myths.
Common Industrial Cybersecurity Myths
Several common myths about industrial cybersecurity are doing the rounds. For instance, some people may think that because their industrial networks are physically isolated and not connected to the Internet their networks are secure. This statement may have been true ten years ago but not nowadays. For example, industries such as smart manufacturing often require many devices to be interconnected. Even if your industrial control systems (ICS) or industrial networks are not connected to the Internet, the systems may still be vulnerable to unauthorized connections. Some people also believe that hackers do not understand ICS, PLCs, or SCADA systems, so their networks therefore should be secure. In reality, several sophisticated cyberattacks that targeted ICS networks, such as Stuxnet (targeting PLCs) and Industroyer (targeting circuit breakers), have been reported since 2010. Furthermore, malware specifically designed to target industrial control devices have been unleashed, causing substantial damages to industries. This trend clearly indicates that hackers are changing their focus to target industrial sectors, such as oil and gas, energy, and manufacturing, which suggests that attacks on industrial sectors are likely to increase in the future.
The Differences Between Industrial Networks and IT Networks
Industrial networks and IT networks have different business priorities, focus areas, protection targets, and even environmental conditions. In fact, different priorities are often decided by different managers within the same organization. On the IT side, business analysts, CIOs, and IT architects are the primary decision-makers that plan and manage IT networks and cybersecurity. From their point of view, confidentiality is the top priority. On the OT side, plant managers, COOs, and control engineers are the main decision-makers. From their point of view, production or system availability is the top priority. Therefore, in order for IT/OT integration to succeed, it is important to understand the different business priorities and needs of both IT and industrial control systems. The following figure describes these differences in greater detail.
Different priorities for IT and OT networks.
Best Practices for Enhancing Your Industrial Network Cybersecurity
Despite the big differences in priorities and techniques used to protect industrial control systems compared to enterprise IT systems, several industrial associations have developed standards and security guidelines for connecting or converging ICS with IT systems. In particular, the Industrial Internet Consortium (IIC), National Institute of Standards and Technology (NIST), and International Electrotechnical Commission (IEC) focus on three major areas for improving ICS cybersecurity. These three pillars for securing industrial networks are:
Based on these three pillars, we recommend the following best practices as the first step to shoring up your ICS cybersecurity.
Best Practice I: Secure Network Infrastructure
Base Practice II: Hardened Device Security
Best Practice III: Security Management and Education
Conclusion: Industrial Cybersecurity Is Everyone’s Job
Manufacturers also need to understand and balance the different priorities of their IT and OT departments in order to effectively break down organizational silos and implement best practices for strengthening industrial network security, which include deploying defense-in-depth protection, enabling security settings on industrial networks, and managing security policies through education and monitoring. As these guidelines suggest, the responsibility of ensuring cybersecurity for industrial networks falls on more than just one person in your organization. In the end, everyone in your organization has a crucial role to play when it comes to industrial cybersecurity and the successful transformation of legacy OT systems to Industry 4.0 in a future where everything is connected to the Internet.
For more pragmatic solutions and best practices to protect your industrial networks, download the white paper, Industrial Network Cybersecurity: Debunking the Myths and Adopting Best Practices.
|Copyright © 2019 Moxa Inc. All rights reserved.|