Transform Cybersecurity Through OT

How manufacturers can bolster resilience through operational technology cybersecurity   

Over the last few years, cyber attacks on manufacturing plants and public infrastructure have grown more severe and had a greater impact on the public. Recent incidents in critical infrastructure organizations highlight the evolving threats these operational environments face.

With the rise of M4.0 and growing dependency on data, manufacturers must transform their thinking about cybersecurity for operational technology (OT). While quick fixes or ad hoc policies might beckon, the long-term strategy should be to build a resilient organization to battle current and future threats.

Typical Cybersecurity Challenges

While difficulties securing manufacturing facility environments stem from several factors, loose governance is one of the prime culprits. Many times, roles and responsibilities for cybersecurity in a plant are not well defined. The automation engineer has many operational responsibilities, but sometimes cybersecurity is an afterthought and assigned as a hobby task. To make matters worse, relationships between other people or groups within the facility or enterprise arenโ€™t formalized, leading to a vulnerability if an emergency should arise.

Limited expertise also poses a challenge. The idea of OT cybersecurity has only been around for about 15 years, and not many people have experience across M4.0, automation, and cybersecurity, resulting in a dearth of qualified OT cybersecurity resources. It takes a special combination of skill sets โ€” from industrial control equipment and software to proprietary network protocols โ€” and a fundamental understanding of the threats facing the OT space.

At the same time, threats continue to evolve. Since Stuxnet in 2010, threats to OT have increased exponentially, both in targeted attacks against infrastructure and collateral damage from ransomware. This escalation underscores the need for a resilient, strategic, and holistic approach to OT cybersecurity rather than an ad hoc, quick-fix approach.

Organizations also often lack risk visibility. Many manufacturing facilities have a surfeit of data on production, raw material usage, energy consumption, and quality of product. One area of great need is an understanding of the risk associated with this data.

 
Ken Keiser is a Manager in the Consultant Services at EY and a practice lead for Operational Technology (OT) Cybersecurity.