
Can’t afford OT Security … Sorry, but you can’t afford to ignore it either!

Operational Technology is the powerhouse behind all modern manufacturing; any company that is making ‘stuff’ is likely to be using some form of process automation. In these modern times, the human is maintaining the machines that are making our products.

When we think of a modern factory, big or small, there will likely be a back-office function operating in the IT world: email, internet, Word, Excel, databases etc. The office is likely to be awash with computers, servers, IT support, sales staff, HR, marketing and logistics, to mention just a few roles, all supporting business operations.

If we take a look at the shopfloor, there will be a small number of automation engineers working hard to keep the machines running 24/7/365 to service the above.

Digital transformation has changed the modern factory and will continue to change smaller businesses to make them more efficient. The more we rely on automation, the more we rely on those who manage and maintain that infrastructure.

We often find in discussions with our customers that they don’t have the money to invest in security, and what they do have is focused on creating manufacturing efficiencies. The focus is more for less.

I totally get that; however, there has to be a point where efficiency meets security, and that often doesn’t get the same airtime or reception.


Framing the issue

I was on a call a few weeks back with a customer who was looking to unify authentication to their control workstation and HMIs. They were aware that most of their passwords on the shopfloor were fixed and simple in nature, and they wanted to tie this into their Active Directory (AD). A good step forward; however, as the conversation expanded, their passwords within AD were long and complex, which was going to cause operators some challenges when trying to input these on HMIs and touch screen devices.

It seems the desire for change was being tarnished by the security requirements: how would this work seamlessly, or was this a step too far which could cause issues and downtime in production?

It seems that security is not always a true driver. 

When we reframed the same proposal as “how can we simplify and streamline authentication for your operators?”, all ears were once again open.

It’s like the story of the priest who asked the father if he could smoke while he prayed and was told no. He was confused, as many of his brethren were outside smoking and praying. He asked one of them, “How did you get the father to allow you to smoke while praying?” One said, “I asked the father if I could pray while I smoked”.

Minding the gap

Cyber security is much like insurance: you only see the true value when you need it. When our operations were isolated, threats usually arrived via removable media; now, in this connected world, they can come from adversaries thousands of miles away.

Many organisations have limited maintenance budgets, never mind deep pockets for cyber security solutions. Businesses need help in knowing where to invest their time and resources to get the most reward.  

While there is often an IT department and security team in the enterprise, there is rarely someone who is dedicated to cyber security on the plant floor, and as the business size decreases, so do these dedicated teams.

This means that more rests on the few who keep the machines running.

If a business doesn’t have a dedicated team, or even a person who is dedicated to IT, how can we expect they will be addressing the security needs for OT?

While there is a cost for cyber security hardware/software, there are some good open-source projects and free software that can be used to provide a basic level of protection. However, this requires a level of skill and experience to select the right one and, more importantly, to deploy it correctly.

Likewise, there are many features and functions within the applications on our plant that we could use but which are likely to be simply turned off.

Starting point

Assume you are starting from nothing: you have been blessed that nothing has gone south as yet, but you need to do something… what should you do?

Honestly, there is lots to do to be cyber secure, but let’s be pragmatic and realistic here: what can you do that is simple and easy and will make a change to your overall cyber maturity?

  1. Asset Inventory – Understand your estate and what is most important
    - Manual inventory is better than nothing
    - Automation is preferred but let’s not run before we can walk

  2. Backups – This is full recovery of all assets, including PLC code
    - Store copies of PLC code offline, use a USB device if necessary
    - Use imaging software to take a full copy of the running devices and keep these offline
    - Keep copies of your edge assets’ configuration offline
    - Use tools like OneDrive to replicate critical data (OT data stored in the IT world)

  3. Default Settings – Windows Defender, both AV and firewall, is a great starting point to provide some basic level of protection
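An offline copy only helps with recovery if it still matches what is running on the plant. The Python example below is added here to illustrate the backup step and is not code from the original post: it records SHA-256 hashes of a live project folder and then checks an offline copy against them. The folder layout, file names and file contents are constructed sample data.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large disk images do not exhaust memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(source_dir: Path) -> dict:
    """Map each file's relative path to its SHA-256, taken from the live folder."""
    return {
        p.relative_to(source_dir).as_posix(): sha256_file(p)
        for p in sorted(source_dir.rglob("*")) if p.is_file()
    }


def verify_backup(manifest: dict, backup_dir: Path) -> dict:
    """Compare an offline copy against the manifest and report every difference."""
    found = build_manifest(backup_dir)
    return {
        "missing": sorted(set(manifest) - set(found)),
        "changed": sorted(k for k in manifest.keys() & found.keys()
                          if manifest[k] != found[k]),
        "unexpected": sorted(set(found) - set(manifest)),
    }


def demo() -> dict:
    """Constructed sample: one file is stale and one is absent on the USB copy."""
    with tempfile.TemporaryDirectory() as tmp:
        live, usb = Path(tmp, "live"), Path(tmp, "usb")
        for d in (live, usb):
            (d / "line1").mkdir(parents=True)
        (live / "line1" / "filler.prj").write_bytes(b"PLC-CODE-v7")
        (live / "line1" / "hmi.cfg").write_bytes(b"screen=main")
        manifest = build_manifest(live)
        (usb / "line1" / "filler.prj").write_bytes(b"PLC-CODE-v6")  # stale copy
        (usb / "notes.txt").write_bytes(b"not part of the project")
        return verify_backup(manifest, usb)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest would be saved as JSON and kept somewhere other than the backup media, so that a damaged or tampered copy cannot also alter the record it is checked against.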

First steps

We have identified a few point solutions above which are low effort and very low cost. What is really required is a full audit of the network and assets against a defined framework like IEC 62443 or a base level assessment against the NCSC Cyber Assessment Framework (CAF). This will provide you with a gap analysis of where you are and also what good looks like. Sounds simple, right?

Well, possibly not. If you don’t have the skills and confidence to tackle the cyber challenge, or the budget, then an assessment which is going to sit in the cupboard unactioned isn’t going to help you either.

It doesn’t mean that it's not a good idea to have one carried out though.

So... what should I do?

The first step in tackling issues like this is to reach out and get some assistance from a trusted partner. While as a business they will want to sell you solutions and services, there is a lot of free information you can get to help frame your situation and provide a pathway into safer times.

Upskilling your workforce is a great enabler to allow local staff to be the ones delivering a more secure infrastructure. Training will only go so far here: if you know nothing, a week’s security course is not going to make you a cyber security professional; however, it will open your eyes to the journey ahead.

If I should only do one thing, what would that be?

I would suggest you give SolutionsPT a call and let us talk openly to you about what you can do for yourself and where you may need some help.

From a solutions stack perspective, I would always suggest your first point of action is to embed Business Continuity and Disaster Recovery (BCDR). By backing up all your critical assets to a device that can also act as a hosting platform, you have the ability to continue to run if something bad happens, such as a device failing.

How much would a day’s worth of downtime actually cost you?

If you lost all of your devices, would your business be able to survive?

Pragmatism

The cyber security landscape is forever expanding; new cyber threats will be identified today, tomorrow and the day after. If you can’t afford to keep on top of the changing landscape and you want to do something, then just do this one thing: focus on recovery. It won’t make you any more cyber secure, but what it will do is allow you to produce another day should the worst happen.