The media are increasingly reporting cyberattacks against industrial assets. Cyber protection has become both an existential and an urgent issue. But once awareness is established, the question arises: “how to do it?” Here are some good practices to follow for successful IT protection.
An issue still poorly understood by manufacturers
While long queues formed in front of French service stations in October 2022, it was a cyberattack carried out in May 2021 against the Colonial Pipeline, linking Texas to New York (United States), that had the same consequences. Like Colonial Pipeline, most manufacturers learn the hard way, often too late, that they are poorly protected, or not protected at all, against such criminal offensives.
In fact, industrial computing (OT) is discovering the security problem as the need for connectivity accelerates: reading information from remote assets via sensors, storing data in the cloud, supervising and managing remote production equipment, machine-to-machine communication within the workshop, or interconnecting OT with office computing (IT) (typically the ERP) or with systems at the intersection of the two, typically the MES.
Communications between computer networks imply connection points, and every one of them is an entry point, unfortunately still often left wide open. They allow malicious actors to easily steal information, compromise servers, in particular with ransomware, as at Colonial Pipeline, destroy essential data, etc. These are all risks against which it is nevertheless possible to protect yourself.
The variety of cyberdefense solutions, most of which are offered by vendors unfamiliar with industrial culture or covering only part of the security field, does not make choosing a cybersecurity service provider any easier.
Identifying one is all the more difficult because there are recruitment problems. Indeed, the number of job vacancies for IT professionals has increased by 30% across all sectors of activity in the last 12 months in the United States. The talent shortage is all the more glaring in the industrial sector, where candidates combining cybersecurity expertise and knowledge of the industrial world are sought. For example, there are more than 300 different protocols in industrial equipment, and mastering dedicated intrusion detection tools to analyze these protocols is a key skill in demand.
People, technologies and processes: the three key levers
Before making any investment decision, manufacturers would do well to consider at least three essential points:
- Solutions dedicated to industry. Some service providers still routinely offer protection solutions designed for IT, while the OT problem is quite different. Machines, for example, are almost always associated with numerical controllers and/or PLCs of different technologies. Overlaying them with a uniform layer of security will not necessarily guarantee their inviolability. In addition, the level of security required in industry must be much higher, because a production stoppage can turn into several million euros of losses per day.
- Training. The question of skills must be given its due weight. Indeed, behind a technical fault there is more often a human one. Experience shows that employees are insufficiently prepared for good IT hygiene. Hiring cybersecurity professionals does not protect anyone if other employees are not made aware of the right actions. Accidentally clicking on a booby-trapped link lets the wolf into the fold. There is no effective computer security without training for all employees, adapted to each of them of course.
- Deployment. A cyber defense must be based on a planned course of action in three key stages: before, during and after the attack.
Before the attack, it is necessary to identify and protect. This includes asset inventory, risk assessment, defensive strategy and governance. Then comes the implementation of the means of protection: which architecture to choose to limit, or delay, the consequences of a cyberattack? Which remote access security policy? This involves putting the OT through a battery of tests. “Ethical hackers” can also trigger attacks in order to identify flaws in the computer system, while dedicated tools and staff on the other side try to detect abnormal behavior. There is nothing better than a real-life situation to test a system, whether it is single-site or multi-site.
Second step: monitoring tools and teams, via an OT SOC for example, must be able to detect an attack within minutes. Dedicated incident response teams will then have to isolate the threat as quickly as possible to limit its consequences.
The third step is to recover the data the attackers targeted and to learn from the incident in order to improve defenses.
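The "before" and "during" stages above rest on two concrete artifacts: an asset inventory and a baseline of expected communications that monitoring can compare traffic against. The following is an added illustration, not code from the original article, of how an OT SOC can turn an inventory into allowlist-based detection of abnormal behavior. The plant layout, addresses, roles and flow records are all constructed for the example; the Modbus/TCP port (502) and the write function codes (5, 6, 15, 16) are the standard ones, but the rule that only an engineering workstation may write to a PLC is an assumption about this hypothetical site.

```python
"""Allowlist-based anomaly detection over constructed OT flow records.

Added example: maps an asset inventory and a communication baseline to
findings, the way an OT SOC rule set would. Everything below is hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed asset inventory: each OT host with its role and the TCP ports
# it is expected to serve. Addresses are hypothetical.
INVENTORY: Dict[str, dict] = {
    "10.10.1.10": {"role": "plc", "serves": {502}},      # Modbus/TCP server
    "10.10.1.11": {"role": "plc", "serves": {502}},
    "10.10.1.50": {"role": "hmi", "serves": set()},      # operator HMI
    "10.10.1.60": {"role": "eng_ws", "serves": set()},   # engineering workstation
}

# Communication baseline: (source role, destination role, destination port)
# triples that are expected in this constructed plant. Anything else is a finding.
ALLOWED_FLOWS: Set[Tuple[str, str, int]] = {
    ("hmi", "plc", 502),
    ("eng_ws", "plc", 502),
}

# Standard Modbus function codes that modify PLC state (write coil/register,
# write multiple coils/registers). Assumption for this site: only the
# engineering workstation is expected to issue them.
MODBUS_WRITE_FC = {5, 6, 15, 16}
WRITE_ROLES = {"eng_ws"}


@dataclass
class Flow:
    """One observed connection, as a network sensor would summarize it."""
    src: str
    dst: str
    dport: int
    fc: Optional[int] = None  # decoded Modbus function code, if any


def classify(flow: Flow) -> List[str]:
    """Return the findings for one flow; an empty list means baseline traffic."""
    findings: List[str] = []
    src = INVENTORY.get(flow.src)
    dst = INVENTORY.get(flow.dst)
    if src is None:
        # A host missing from the inventory is itself the finding: either the
        # inventory is stale or something unexpected is on the OT network.
        findings.append(f"unknown source {flow.src} talking to {flow.dst}:{flow.dport}")
        return findings
    if dst is None:
        findings.append(f"{src['role']} {flow.src} contacting unknown host {flow.dst}:{flow.dport}")
        return findings
    if (src["role"], dst["role"], flow.dport) not in ALLOWED_FLOWS:
        findings.append(
            f"{src['role']} {flow.src} -> {dst['role']} {flow.dst}:{flow.dport} not in baseline"
        )
    if flow.fc in MODBUS_WRITE_FC and src["role"] not in WRITE_ROLES:
        findings.append(f"Modbus write (fc {flow.fc}) from {src['role']} {flow.src} to {flow.dst}")
    return findings


def detect(flows: List[Flow]) -> List[str]:
    """Run every flow through the baseline and collect the alerts."""
    alerts: List[str] = []
    for f in flows:
        alerts.extend(classify(f))
    return alerts


# Constructed sample flows: two baseline operations followed by three deviations.
SAMPLE_FLOWS = [
    Flow("10.10.1.50", "10.10.1.10", 502, fc=3),    # HMI reads holding registers: baseline
    Flow("10.10.1.60", "10.10.1.11", 502, fc=16),   # engineering station writes: expected
    Flow("10.10.1.50", "10.10.1.10", 502, fc=6),    # HMI writes a register: not expected
    Flow("10.10.1.10", "10.10.1.11", 502, fc=3),    # PLC-to-PLC traffic: not in baseline
    Flow("192.168.99.7", "10.10.1.10", 502, fc=3),  # host absent from the inventory
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print("ALERT:", alert)
```

The value of this approach for OT is that industrial traffic is far more regular than office traffic, so a baseline derived from the asset inventory produces few false positives; its weakness is that the inventory must be kept current, which is why the "before" stage puts inventory first.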
The objective is to benefit from a modern and secure OT infrastructure and, last but not least, to acquire the ability to respond quickly to any attack so that production can resume as soon as possible. Ultimately, it is the resilience of the production tool that matters.