For decades, cybersecurity challenges have loomed over industrial facilities. And while security technology has come a long way and businesses are more informed on how to reduce risk, cybersecurity challenges remain a problem. “The challenges change regularly, the main categories stay the same,” said Brian Foster, Lead OT Security Architect at Southern California Edison. Classically trained as an engineer and with more than 10 years of experience and degrees from Oregon Tech, Brian offers a unique perspective on the threats facing industrial facilities today. “Industrial facilities are facing the same challenges—supply chain attacks, ransomware, and phishing,” said Brian. “And the avenues for attack are also common—a third party vendor with a compromised system, insider threats, and the growing age of industrial software.”
With a growing list of cybersecurity risks, the questions about the impact of those risks have also increased. “The repercussions of operational risks are pretty well understood. When equipment goes down, you can’t produce your product,” said Brian. “These types of risks are easy to measure and have a direct impact on the business.” But the impact of cybersecurity risks is harder to measure. There often isn’t a direct category to measure because cybersecurity risks are so vast. With a data breach, an industrial facility might not even be aware of the problem until data is leaked or a system is hacked. “The impact to profitability might come weeks, months, or even years down the road when the business is paying for insurance for impacted customers,” said Brian.
3 Ways Industrial Facilities Can Reduce OT Cybersecurity Risk
To combat these risks, Brian offered three best practices for industrial facilities:
1. Create a Culture of Security
“Many businesses react to cybersecurity risks by purchasing high-priced tools or hiring high-priced consultants or employees,” said Brian. “But none of that matters if you don’t create a culture of security first.”
To build a culture of security, best-in-class industrial facilities prioritize education for every employee. “When we build a culture of security, we’re educating everyone that we live in a time when cybersecurity attacks are very present and we need to be vigilant to protect ourselves and the business,” said Brian.
“We all look at security as the tools we buy to make our systems more secure. We might look at high priced professionals to help us know our specific gaps. We rest on our laurels thinking that if we have the best technology and the best consultant we’re safe,” shared Brian. “But a culture of security is really what we should be investing in from the beginning.”
Brian’s main advice? The old adage is true—if you see something, say something. Just as employees in an industrial facility would be put on high alert if someone walked into the facility, the same should be true for every online environment.
In a culture that doesn’t prioritize security, an operator at an industrial facility might notice a machine is behaving strangely, but believe it’s a glitch and continue on with their day. “They likely won’t even consider that the problem with the machine could be a cybersecurity issue or incident,” said Brian. “On the other hand, when you have a culture of security, that operator would report the incident to the cybersecurity team which would set off a motion to look at the logs for the machine to see what happened.”
Historic attacks on industrial facilities show that there are often indicators before the actual attack. Brian shared, “There’s some point in time where the attackers were exploring the environment to see what they could do. Those indicators can help us identify attacks ahead of time, but we need people to be aware and to report any irregularities so we can catch them.”
To build a culture of security, industrial facilities should:
● Create a cybersecurity plan for your business
● Educate employees on cybersecurity risks
● Provide training on how to mitigate cybersecurity risks
2. Implement Robust Access Control
“Robust access control is likely the number one thing missing for most facilities,” said Brian. “To truly protect your facility, you need really good access control around every piece of software.”
Good access control can prevent the deployment of ransomware, malware that is responsible for more than 600 million attacks and 20% of all cyber crimes every year. “Too much software is left wide open without any authentication built into it,” said Brian. “And when someone gets into that software, they own it.”
In 2021, ransomware was the most common attack tactic for the manufacturing industry, and the most common entry point for ransomware is often phishing. Industrial facilities should take note and add phishing awareness to their culture of security training.
“In the last couple of years we've seen a huge uptick in the amount of phishing and the quality of the phishing,” said Brian. “These emails don’t read like they're written by someone who doesn’t speak English anymore. They’re exceptionally well written.” Brian pointed out that the next phase for phishing emails is utilizing AI chat bots. The industry is already seeing the impact of these bots helping cyber attackers craft better emails, skim past cybersecurity reports, and trick unsuspecting employees.
To create more robust access control, industrial facilities should:
● Require 2-factor authentication
● Implement a combination of PIN + a token/password system
● Establish multiple systems of authentication
3. Assess Your System Regularly
“Assessing the vulnerability of your system regularly is key to reducing your operational risk as an industrial facility,” said Brian. “By having a proactive approach to identifying your weaknesses, you can mitigate problems for both internal and external risks.”
Brian recommends industrial facilities implement both security assessments and regular assessments of every system. And the cadence? At least on an annual basis, but more frequently if your team has bandwidth. “It’s important that you try to identify the weaknesses in your system—maybe unpatched vulnerabilities you can patch or if you can’t patch them, put in some compensating controls for them,” said Brian.
One approach Brian has seen work for other businesses is to sit down with employees and understand what they see as the risk areas. “Ask your electricians and operations team members what they think a bad day looks like,” said Brian. “Understand what would happen if someone got into your control system. Then, work backwards from that scenario to see how you can prevent that situation.”
Brian believes everyone can measure their risk and assess their systems with a few steps:
Define your risk exposure
The definition for risk exposure will be different for every business. “But you can’t make a plan to improve your business without a clearly defined north star,” said Brian. “The first step is having a good definition of what risk means to your business.”
Complete an honest assessment of your current state
In this step, industrial facilities face the sometimes daunting task of completing a comprehensive assessment of their current state. This assessment starts with a comprehensive asset inventory and identifying, evaluating, and prioritizing the vulnerabilities that exist in your environment. “This is where you want to identify your gaps,” said Brian. “You want to be able to clearly point to where you believe digital maturity is and where you are today.”
Create a roadmap
Next, industrial facilities need to specifically understand how they will move from one phase to the next. Breaking progress into different phases is critical for success in this step. “Many businesses stop at this stage and stall out,” said Brian. “But you need to get clear on specifics—we will do x by x date.” Consider borrowing a process from the software development world, Agile, to help create a project plan that will break down the bigger project of cybersecurity into smaller tasks. “Those bite-sized tasks are easier to accomplish,” said Brian.
Monitor your progress on a regular basis
Finally, industrial facilities should implement a plan to assess progress and reassess as needed. “You need to look at what’s going on with your system,” said Brian. “You need to perform vulnerability assessments, hiring testers for security assessments, and more. It’s about identifying weaknesses and adding in controls for each vulnerability.”
To assess systems regularly, industrial facilities should:
● Implement an annual system assessment (and increase frequency if possible)
● Conduct vulnerability assessments to identify weaknesses
● Patch vulnerabilities to prevent cybersecurity attacks
Lead OT Security Architect,
Southern California Edison
Brian is a seasoned OT security leader with a background as a controls engineer. He now focuses on protecting critical infrastructure. He has had the privilege of overseeing the safety and security of next-gen control systems, while enhancing security measures for legacy systems, driving both towards the security posture needed in today's world.