A decade ago, cyber-attacks on large-scale operations, such as plants and factories, were rare. However, that has now changed.
One of the most recent attacks was against the world’s largest meat processor, JBS, which was forced to shut down nine beef/poultry plants in the United States, Canada and Australia.
JBS paid $11 million in ransom to limit the potential impacts and ensure no further disruptions occurred to its operations.
Hackers also attempted to poison the water supply in the Oldsmar water treatment plant in Florida. Fortunately, the plant operator was at his desk and noticed his cursor moving out of his control as the attacker attempted to increase the levels of sodium hydroxide to dangerous levels. Imagine the consequences if he wasn’t at his desk.
In 2019 Malaysia’s Hibiscus Petroleum also fell victim to a cyber-attack, affecting parts of its system. Fortunately, the attack was on an isolated portion of the system, requiring a partial shutdown. Even then, the cost and time spent on recovery were significant.
As for A.P. Moller Maersk, the NotPetya attack disrupted their operations for two weeks, blocking access to systems the company relied on to operate shipping terminals. The incident temporarily shut down the Port of Los Angeles’ largest cargo terminal. The company lost $300 million in business disruption and equipment damage.
IT/OT convergence is crucial, but it’s not without risk.
One reason IT/OT attacks happen is because far too many industrial organizations continue to focus cybersecurity efforts on IT-centric – rather than production-centric – endpoints. They also continue to rely on manual, error-prone email- and spreadsheet-based vulnerability management processes, leaving their facilities exposed to unacceptable production safety and reliability risks.
In short, you cannot just fit-and-forget process automation systems. By embedding the appropriate controls in the design rather than after implementation of the software, you can take a more proactive posture to mitigate cybersecurity risks.
The PAS and Hexagon advantage
Our understanding of the need for greater cybersecurity was the main factor in our acquisition of PAS Global.
Hexagon’s Asset Lifecycle Intelligence division suite of solutions helps companies increase their business potential through digital transformation. We specialize in taking unstructured data and turning it into digital assets that help improve safety, increase the efficiency of project delivery insights, and connect workers either in the field or remotely for proper visibility into a project.
PAS works with organizations to ensure the integrity of their OT environments by helping prevent, detect and remediate cyber threats, reduce process safety risks and establish trusted data for decision-making.
In short, this joint proposition brings a much-needed security boost to large-scale and critical infrastructure.
For example, should an emergency occur in a facility, PAS AlarmManagement™ can link automatically-collected alarm occurrence statuses or DCS handling details to a Hexagon’s j5 Shift Handover report in the form of aggregated/analysis content. As a result, the incoming team can quickly receive and utilize a handover that accurately reflects the plant’s operational status.
Whereas in EPC projects, such as new plant construction or remodeling, PAS’ Automation Integrity™ automatically synchronizes the instrumentation design data generated by Hexagon’s Smart Instrumentation to provide Cyber Integrity™ with a complete inventory of OT assets. This makes it easy to build a comprehensive checklist that not only prevents but, more importantly, anticipates cyberattacks.
Including cybersecurity in digital transformation, plans are crucial
Accepting that digital transformation is the way forward is the first step to tackling the changes and opportunities of the New Normal. But it is now evident that including cybersecurity in those plans can be the difference in what makes or breaks a business.
For more information on Cyber Security and Operational Technology, visit Driving Innovation in Operational Technology without Compromising Cybersecurity.