Defense Starts With Employees
EP Editorial Staff | August 1, 2018
By Gary Williams, Senior Director, Cybersecurity Services Offer Leader, Schneider Electric
We are living in the Industrial Digital Age. Manufacturers and critical-infrastructure companies across the world are joining in the digital evolution. Cloud computing, big-data analytics, artificial intelligence (AI), and other emerging technologies are powering the Internet of Things (IoT) and its cousin, the Industrial Internet of Things (IIoT), to usher in a new era of innovation. Emerging technologies are enabling industrial companies to grow and transform in ways we couldn’t have imagined in the past.
Along the way, these open platforms and interconnected systems have also opened new doors for cybercriminals, leading to a rise in the frequency and severity of cyberattacks on systems that control the world’s most critical and volatile manufacturing processes. Almost every cyber incursion has the potential to disrupt industrial operations. The damage can lead to loss of revenue, intellectual property, privacy, and reputation. Some attacks can have catastrophic consequences. The most severe can affect a country’s economy, trigger environmental calamities, and even cost human lives.
This makes cybersecurity everyone’s business. No matter the organization or the industry, cybersecurity must be a priority for everyone. Fortunately, you can take some practical steps to secure and protect people, production, and profits. It starts by changing your organization’s culture and internal behaviors.
Start with People
A strong, defense-in-depth cybersecurity strategy includes a four-part cycle: Prevent, Protect, Detect, Respond. While it is important to bring in the right technology and processes for each part, your strongest asset is already in your plant: Your people are your first, and best, line of cyber defense.
Organizations typically have teams—sometimes entire departments—devoted to ensuring system security. But, in today’s world of constant cyberthreats, the onus isn’t on just those who have cybersecurity in their titles. Because the gap between IT and OT continues to close, everyone across the organization plays a crucial role in mitigating cyberthreats.
Leaders have a responsibility to make sure their people are trained on cybersecurity risks and the techniques to mitigate them. Awareness is not enough. Personnel need to instinctively know what to do when a situation occurs, similar to the way they are trained during fire drills. It’s important to arm the workforce with tools and knowledge. For example, everyone should understand the danger of email phishing attacks, watering holes, and other social-engineering techniques that cybercriminals commonly use to prey upon an unsuspecting workforce to gain network access.
Investing in educating your people on risks, threats, and general cybersecurity knowledge, as well as adoption of cybersecurity best practices, policies, and procedures, will go a long way toward protecting your operation from attacks. The value of an educated workforce is immense when a site experiences a cyberattack, since employees are in the best position to prevent propagation of any virus or malware. With the average annual loss per company worldwide reaching $9.5 million in 2016, and the average annual loss per company in the U.S. at $17 million, it’s time to empower your whole organization to prevent, protect, detect, and respond to cyberthreats.
Open Manuals, Create Zones
Once personnel are cyber-educated, implement security procedures across your operations. Be aware of and adhere to industry standards and best practices. Follow all vendor documentation for system setup and configuration. Learn about ISA99/IEC 62443, the rigorous standard for industrial-automation technology. It works to safeguard operations across multiple layers. Educate yourself and your teams to take ownership for your own security.
Forging a strong, cyber-defense culture means understanding your vulnerabilities. Start by performing a risk-and-threat assessment and gap analysis. Establish a zone-and-conduit methodology to segment and isolate devices or systems according to security levels. Every network connection to your plant’s control- and safety-systems must be identified and secured. Network segmentation is vital in the event of a cyber-incursion. When zones are established, the forensic investigator may only need to isolate a single zone rather than shut down the whole plant. This means you might be able to continue production. Correctly configured conduits between zones also prevent the propagation of viruses and malware.
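The zone-and-conduit check described above, as an added example that is not from the article or from Schneider Electric: a small Python model that audits observed network flows against inventoried zones (each with a target security level) and sanctioned conduits, reporting any connection that has not been identified and secured. Zone names, hosts, protocols and the treatment of conduits as directional (initiating zone to receiving zone) are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Zone:
    name: str
    sl: int                 # target security level (SL-T); higher = more protected
    assets: set = field(default_factory=set)

@dataclass
class Conduit:
    src: str                # zone that initiates connections (assumed directional)
    dst: str                # zone that receives them
    protocols: set          # protocols this conduit is sanctioned to carry

def zone_of(zones, host):
    # Return the zone owning host, or None if the asset is not inventoried.
    return next((z for z in zones if host in z.assets), None)

def audit_flows(zones, conduits, flows):
    """Return (reason, flow) pairs for every flow the zone model does not sanction."""
    allowed = {(c.src, c.dst): c.protocols for c in conduits}
    findings = []
    for flow in flows:
        src, dst, proto = flow
        zs, zd = zone_of(zones, src), zone_of(zones, dst)
        if zs is None or zd is None:
            findings.append(("unidentified asset", flow))
        elif zs is zd:
            continue                         # intra-zone traffic: governed by that zone's SL
        elif (zs.name, zd.name) not in allowed:
            findings.append((f"no conduit {zs.name}(SL{zs.sl})->{zd.name}(SL{zd.sl})", flow))
        elif proto not in allowed[(zs.name, zd.name)]:
            findings.append((f"protocol not sanctioned on conduit {zs.name}->{zd.name}", flow))
    return findings

# Constructed sample inventory: three zones, two conduits, six observed flows.
ZONES = [Zone("enterprise", 1, {"erp01"}), Zone("dmz", 2, {"historian"}),
         Zone("control", 3, {"plc01", "sis01", "hmi01"})]
CONDUITS = [
    Conduit("control", "dmz", {"opc-ua"}),    # control publishes to the DMZ historian
    Conduit("enterprise", "dmz", {"https"}),  # enterprise reads replicated data only
]
FLOWS = [
    ("plc01", "historian", "opc-ua"),   # sanctioned
    ("hmi01", "plc01", "modbus"),       # intra-zone, not a conduit question
    ("erp01", "plc01", "modbus"),       # enterprise reaching straight into control
    ("historian", "plc01", "opc-ua"),   # wrong direction for the sanctioned conduit
    ("erp01", "historian", "ssh"),      # right conduit, unsanctioned protocol
    ("laptop-7", "sis01", "ssh"),       # asset nobody has inventoried
]
FINDINGS = audit_flows(ZONES, CONDUITS, FLOWS)  # four findings for the sample above
```

Each finding points at a connection that either needs a sanctioned conduit, a tighter conduit rule, or an inventory update before the zone model can be trusted during an incident.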
Without the appropriate level of built-in cybersecurity, control systems won’t sufficiently protect your plant in today’s treacherous world. You need to be judicious in selecting the solutions that can best withstand attacks. For example, industrial-safety systems should be compliant with the IEC 62443 standard and certified by TÜV Rheinland, Cologne, Germany (tuv.com), for use in safety applications up to Safety Integrity Level 3. They should also be ISASecure EDSA Level-1 certified. ISASecure, Research Triangle Park, NC (isasecure.org), is the industry’s leading cybersecurity certification for control systems, safety systems, and system components.
It’s A Journey
As with all risks, cybersecurity risk cannot be eliminated. Instead, it must be constantly managed. Threats to industrial-control systems (ICS) in this IIoT era are increasing, and they extend across industries, geographies, and broader society. The risk of catastrophe is too great to ignore. New threats, attack techniques, and technologies are constantly advancing. That means your people and your security protocols must always be evolving. Securing your digital enterprise is a constant cycle. To continually defend your business, strategic planning, training, adherence to standards, testing, and reviewing and refining of procedures must be ongoing.
Every manufacturer, ICS vendor, third-party provider, regulatory agency, and standards body shares responsibility to address cybersecurity. Organizations should explore ways to collaborate to better define, apply, and adhere to industry best practices and standards. If we work together, we can combat our mutual enemy: cybersecurity threats. EP
If You’re Not Secure, You’re Not Safe
In the Industrial Digital Age, robust cybersecurity protection is a must. At Schneider Electric, we apply a rigorous mindset, policies, and methodologies in the development of our products and implementation of our solutions.
Through our EcoStruxure Plant IIoT platform, we offer multiple safety systems and solutions for process- and hybrid-manufacturing customers. These systems—some of the most dependable in the industry—deliver safety for life.
The measurable operational-profitability improvements they enable can cover the cost of investment in less than six months, while continually protecting people, production, and profits.
When considering ICS solutions, prioritize those that have been certified for cybersecurity and safety. The EcoStruxure Triconex safety-instrumented system has logged more than a billion safe-operating hours to safely drive measurable operational-profitability improvements. The Tricon CX continues the Triconex heritage of embedding the industry’s strongest cybersecurity features within its flagship process-safety system.
Tricon CX is the industry’s first dual safety-and-security-certified process-safety instrumented system. It meets stringent requirements for risk reduction and continuous operation in oil and gas, refining, petrochemicals, power, and other high-hazard industries. Tricon CX is compliant with the IEC 62443 standard, certified by TÜV for use in safety applications up to Safety Integrity Level 3, and ISASecure EDSA Level-1 certified.
A compact safety controller, the Tricon CX reduces the original Tricon form factor by 50%, making it ideal for extreme environments where footprint is at a premium. Along with its smaller footprint, its ease of use means less design effort, fewer drawings to produce, and less wiring, which helps increase time to value by 25%, reduces installation costs by 30%, and boosts productivity by as much as 5%.
Schneider Electric also offers the Modicon M580 Safety Controller, which is certified for use in SIL 1, 2, and 3 applications. It combines the performance, cybersecurity, and networking capabilities of the award-winning, Ethernet-enabled Modicon M580 PAC with the functionality of a safety PLC.
The M580 Safety Controller helps you gain greater transparency to your operating data to improve uptime, yield, and energy costs, compared with legacy safety systems.
Schneider Electric industrial cybersecurity services offer a full range of assessment, planning, policy management, and defense methodologies to counter threats. The vendor-agnostic services provided by our skilled professionals protect your entire critical infrastructure by helping assess risk, implement cyber-specific solutions, and maintain your onsite defenses over time.