A 4-part plan to help prepare for an eventual cyber breach

In a recent LNS Research study on the Industrial Internet of Things (IIoT) and Digital Transformation, the top two challenges facing the adoption of IIoT technology are finding the budget to invest (32% of respondents) and building the business case (30% of respondents).

Much of this has to do with where the industry is on the IIoT adoption curve. Although a full third of the marketplace has currently adopted or is in the planning stages of adopting IIoT, most of this investment is at the pilot stage or focused on the newest products. As the adoption of IIoT moves broadly, to include all legacy equipment and products produced, issues around scalability and security will move to the forefront.

Today, industrial companies are woefully behind when it comes to the adoption of cyber-security best practices on the shop floor. In fact, the only best practice a majority of companies has taken is isolating the plant from other business systems via a firewall. When we asked 269 mostly North American and European companies what industrial cyber security measures they had implemented, they reported adoption rates above 20 percent for these moves: Firewall between plant and business systems; access control to all plant computers; user authentication to HMI (human machine interface) devices, and all plant computers secured via corporate network access control.

Even scarier is the lack of planned future adoption. When we asked what planned adoption was one year out, virtually nothing changed: There was no substantive change in adoption rates. This result is incongruent with the overall IIoT adoption trend. Firms are going full-fledged toward IIoT adoption and incorporating sensor, to gateway, to Cloud architectures; but they are not making the cyber-security investments to ensure success.

Something will eventually give.

To help ensure cyber security on the plant floor can support IIoT deployments:

• Get plant personnel to more effectively collaborate with IT counterparts. “IT-OT convergence” is overused. Even so, most industrial companies still have automation, control engineers, electricians, maintenance, or local system integrators managing cyber-security. These are the roles known as OT, but most of these folks don’t even know IT calls them OT. Cybersecurity is a great starting point for collaboration; it is a place where IT and OT can be truly aligned when it comes to culture, goals and skill sets. Of course, this collaboration can’t be just bottoms up; it will have to be supported by executives and a new corporate structure that brings these groups together.
• Do the blocking and tackling. Once the teams and culture are in place, the obvious first step is minimizing the likelihood of a breach. This starts with at least a firewall segmenting the industrial plant but should go further. Companies should also create a full demilitarized zone and then implement hardening of devices, physical security, and build robust policy to eliminate the use of USB sticks and unauthorized users on the shop floor.
• Assume you will eventually face a breach. It is best to assume this, despite your best efforts. Focus on minimizing the damage. This includes a risk-based, defense-in-depth strategy that segments devices and zones within the plant to limit access when there is a breach. This also includes user authentication, deep packet inspection, and more in order to quickly identify and respond to breaches.
• Take a platform approach to adopting IIoT technologies across connectivity, cloud, big data analytics, and application development. When making vendor selections, ensure the ecosystem of IT and OT providers take cybersecurity seriously, with security capabilities already built into the technology stack from the bottom up. These would include advanced functionality like those mentioned above along with antivirus, anomaly detection, application and whitelisting. As you research and investigate these vendors, you will likely find they can provide more robust cyber-security than your own company can independently.