Why rob a bank for a few thousand pounds when you can extort millions through ransomware attacks on SMEs? The risk to the attacker is minimal, payment arrives in hard-to-trace cryptocurrency, and the attacker need not leave home. Manufacturers therefore need a defence-in-depth approach to protecting their operational technology (OT).
David Bean of Mitsubishi Electric considers fundamental requirements like system-level design, risk management, intrusion detection and platform vulnerability.
The growth of digitisation benefits from the closer integration of plant IT and OT systems. The goal is to transform productivity by better use of asset availability and maximising plant utilisation. The basis of this is a network of sophisticated plant floor devices – the so-called Industrial Internet of Things (IIoT).
Addressing cyber security
Greater levels of integration have increased the need to consider and improve cybersecurity. Figures from the Centre for Economics and Business Research (Cebr) and gov.uk put the cost of cyber breaches to UK businesses at more than £18bn.
For manufacturers, cyber-attacks bring the risk of lost production, theft of intellectual property and damage to brand confidence. Moreover, if an attack reaches safety systems, it may also endanger workers or cause environmental damage. Make UK reports that the threat of cyber-attack is stopping 35 per cent of manufacturers from investing in digitalisation.
Furthermore, operators of critical infrastructure must also consider the potential cost of non-compliance with the Network and Information Systems (NIS) Directive. The maximum penalty under the UK's NIS Regulations is £17m, enough to give even multinational corporations pause for thought.
Implementing cyber security standards
On the other hand, the risk of not investing in digital transformation is enormous in a time of global competition. For OT, established standards exist that provide the tools and guidelines needed to secure an installation against cyber-attack. They support every stakeholder in an industrial automation system: the asset owner, the system designer or integrator, and the individual product vendor.
Chief among these is IEC 62443, which provides a systematic and practical approach to cybersecurity for plant OT systems. It covers every stage from initial risk assessment through to operations. It defines the responsibilities of each stakeholder role and specifies the requirements a control system must meet at each of its four security levels (SL 1 to SL 4), with the target level set by the risk assessment.
IEC 62443 reinforces the accepted defence-in-depth strategy for OT cybersecurity measures. It also sets out procedures and policies for hindering an attack and for recovering from one, and it places an onus on automation equipment suppliers to build protection into their products. These requirements address secure system design, lifecycle management and the response to new vulnerabilities as they emerge.
Defence in depth
Defence in depth is an important part of Mitsubishi Electric's industrial automation offer. The company's products have long offered security features that support a robust cybersecurity strategy, and its defence-in-depth approach to securing networks and control systems aligns with IEC 62443.
Mitsubishi Electric also operates a Product Security Incident Response Team (PSIRT), the vulnerability-handling function that IEC 62443 requires of product suppliers. Its risk audit service helps organisations understand the criticality of their assets and the consequences of a potential cyber breach. A written report explains the security status of the networked industrial control systems and offers recommendations for meeting the IEC standard.
Evolving cyber threat
Finally, implementing cybersecurity is part of any successful digital transformation strategy. Underpinning Mitsubishi Electric's SMART manufacturing solutions is a security platform for industrial automation built to IEC 62443 and designed to meet the requirements of the NIS Directive.
National Cyber Security Centre
The UK Government considers the risks to organisations so great that it established the National Cyber Security Centre (NCSC). The NCSC's role is to increase resilience to cyber-attacks and to provide practical guidance to businesses. It is a single point of contact for SMEs and large organisations alike, in both the public and private sectors.
The NCSC's ransomware guidance is available for download from its website.