Take Steps to Ensure Cybersecurity
Jane Alexander | December 20, 2017
According to Philippe Carle of Schneider Electric (schneider-electric.com), cyber attacks cost companies worldwide an estimated $300 to $400 billion annually. It’s a figure that’s projected to increase sharply, given that it often takes days to restore operations after an unexpected shutdown. In large process operations, that type of business interruption can cost millions of dollars per hour.
Carle offered some advice for heading off these situations in a recent blog post titled “3 Steps for Countering Oil & Gas Cybersecurity-Related Business Continuity Threats.” As he pointed out, the more connected nature of oil and gas operations, driven largely by the Industrial Internet of Things (IIoT) and related digitalization, introduces a significant element of cyber risk. Summed up here, his recommended approach for deploying cybersecure solutions in that sector could be applicable to other highly “connected” process operations.
Step 1: INVOLVES building firewalls to keep outsiders from entering the corporate network and gaining access to control systems. This will work in environments where entry points are somewhat limited. However, in an IIoT world, cybersecurity will need to be built into every control-system hardware and software component, protecting every node that has computing capability.
Step 2: REQUIRES a gradual approach to strengthening cybersecurity infrastructure. Responsible control-system manufacturers are now designing this type of security into every module design. Some apply a Secure Development Life Cycle (SDL) approach to their product development. Within the context of SDL, secure architecture reviews are performed, threat modeling of the conceptual security design takes place, secure coding rules are followed, specialized tools are utilized to analyze code, and security testing of the product is performed. These actions help make products more resilient against cyber attacks. In this way, as new products replace old, entire systems evolve to become more cyber secure.
Step 3: INCLUDES the education of employees. A cybersecurity-aware culture must be developed to help employees understand or appreciate the key risks and allow operations to run in a secure manner. (This includes understanding basic password or changeover management.) Cybersecurity audits should be conducted, and best practices consistently enforced. In this type of cybersecurity-aware process culture, priorities of the IT and industrial-control departments need to be aligned. Employees and vendors coming onsite must be aware of (i.e., comply with) security policies or risk being denied access to sensitive equipment and operations software.
Based in Paris, Philippe Carle is the director of Oil & Gas and Utilities market segments within the IT division of Schneider Electric (schneider-electric.com). Find more posts from Carle and others on the Schneider Electric team at blog.schneider-electric.com.