Industrial Cybersecurity: A comprehensive approach to a digital transformation environment
The accelerated digitalization of automation and control systems, use of disruptive technologies, and increasing connectivity with other systems are all factors that have exposed industrial organizations to cybersecurity risks they may not be prepared for. A primary aim of the digital transformation process is to make industry more competitive, by using the data we have available at manufacturing plants. For example, introducing IoT systems is a way of taking maximum advantage of that information, with the ultimate objective of achieving more economical and efficient production. This can in turn give our product a higher level of market penetration. However, it can also make industrial environments more exposed to new threats that can have a critical impact on availability, integrity, and confidentiality.
In view of this situation, it is recommended that we should incorporate specific operational technologies (OT) into our environments for protection, based on network segmentation, analysis and management of security-related events, etc. There is also a need to establish policies, procedures, and technical instructions that can help fortify industrial environments and infrastructure elements. All of this must also take place within a governance structure that can ensure implementation of a cybersecurity management system that can, in turn, incorporate the particular characteristics of each specific plant.
“In relation to industrial cybersecurity, the following messages all need to be taken into account : security is security, regardless of the context – it doesn’t matter whether we are talking about corporate IT systems or operational technology (OT) systems; cybersecurity is not just a technological issue, it also includes people, processes, and knowledge; and finally, we need to develop a cybersecurity policy based on the premise that sooner or later, we are going to experience incidents.” Javier Hidalgo, Solutions Architect and Industrial Cybersecurity Expert at GMV, during his presentation at the La Voz de la Industria 2022 event, which was organized by the Industrial Cybersecurity Center (CCI) and entitled “Managing and responding to industrial cybersecurity incidents”.
At GMV, we are committed to a comprehensive approach to addressing the cybersecurity risks that can affect industrial infrastructure, supported by internationally recognized best practices and standards (for example: IEC 62443, ISA99, NIST 800-82 53, ISO 27001, NERC Critical Infrastructure Protection, etc.). This approach includes identifying existing threats, protecting assets, detecting attempted attacks, and, if an attack does occur, recovering the previous situation as soon as possible, all orchestrated using the most rigorous management systems. This approach to cybersecurity management is the result of extensive experience in the field of Information Technology, where for decades there has been a need to confront cyber threats of this type, with study of their evolution and continual work focused on mitigation and prevention. However, having this type of experience is not enough. We must also have the ability to transfer that experience to the industrial environment, which is a form of business activity with its own particular characteristics and needs. The capacity to understand those unique aspects and needs, and the differences they may present in comparison with our own previous experience, is fundamental for the success of an industrial cybersecurity project.
Case studies of successful industrial cybersecurity projects
GMV has carried out a series of projects for an organization in the cement production industry, focused on separating, segmenting, and streamlining communications between its IT and OT data networks at its production plants in the EMEA region. Projects of this type, in addition to requiring implementation and configuration of firewall systems at the plants, involve a process of analyzing the industrial assets and the communications between them and the rest of the assets – not just those at the plant itself, but also the company’s other assets and even those of third parties, such as specific public administrations. There is also a need to establish policies on control of the information flows, to allow final definition of a network architecture that incorporates best practices to prevent unnecessary or inappropriate access, while also ensuring availability and proper operation of the industrial production systems.
Another example is one that GMV has worked on in the automotive sector, where the challenge was to install a system of sensors on a vehicle assembly line, in order to optimize the internal logistics process for the vehicle parts being used. During this project, GMV considered security by design to be an essential aspect of the proposed architecture. This led to selection of IoT systems with functionalities that, from the very beginning, would include protection for the communications, with use of device-level credentials to mitigate the risk of malicious devices appearing, or any other devices that could cause operational problems. A systems architecture design based on microservices was also applied. The purpose of this was not only to enhance granularity when developing the software elements, but also to allow maximum control over the communications. This included the internal communications for the product developed as well as the communications with third-party elements, such as the client’s ERP system that was essential for final supply of the parts.
When cybersecurity becomes an inseparable part of the project life cycle, any initiative focused on developing industrial digitalization processes can be successful.