Manufacturing in the digital space changes rapidly, and where Industry 4.0 has increased connectivity at the network and device level, this has also increased cybersecurity risks. In the past, information technology (IT) and operational technology (OT) were more separate worlds. IT stayed on the business side and OT stayed on the production side, but with the advent of the Internet of Things (IoT), now one depends more and more on the other.
The two need to work together to get security right. When you start to consider the hundreds of programmable logic controllers (PLCs) on a site, with additional thousands of sensors monitoring everything from temperature and product quality to machine health, it’s a vast digital landscape with many interconnected assets to protect and operate.
“It's actually a lot of code. You have a lot of configuration, a lot of connectivity, a lot of data getting pulled out of the site, and if we're talking about OT cyber, that becomes a much bigger attack vector,” says Adam Gluck, CEO of Copia Automation.
On industrial sites, the extraordinary variability from site to site will mean a wide variability in cybersecurity practices. In many cases, Gluck says, past best practices are not always up to the challenge of modern cyberattacks.
“There's a big learning curve from historic best practices that seem safe to people, and are maybe reasonably effective, but actually are breaking down in our modern state of constant cyber warfare and ransomware attacks,” Gluck says.
He points to two dated practices that are still widely used but are often security risks. “The big stuff that needs to be looked into right now is people’s belief that air gapping is a great practice, and the idea that physical storage as a standard is a good practice,” Gluck says.
Air gapping is a security practice that involves physically separating a computer or network from less secure networks or Wi-Fi. In many cases, it’s not feasible to isolate IT or OT networks that work together for efficient production.
For data storage, Gluck says, it’s better to go to the cloud, like an AWS or Azure data center, where their security teams keep data secure.
First and foremost, Gluck says, industrial cybersecurity should be focused at the networking layer and bringing more visibility and traceability into what’s happening on those networks. Many of the new technologies for cybersecurity are solutions for farther up the software stack, such as looking at what’s happening at the programming code level and visibility into changes in that environment. But many are still not ready for that in-depth of a process yet.
“I still think there's a lot of space for people to be digging into those classic solutions on industrial cybersecurity, understand what's happening on your networking layer and changes there,” Gluck says. Once they have visibility and security at the network level, they can start to move up the stack.
Industrial environments use a lot more programming code than they used to, Gluck says, and it can present cybersecurity vulnerabilities, especially if IT doesn’t understand the asset risks and operators don’t understand the security risks. One of the easy practices he recommends is a standard process for tracking code changes in an industrial environment. Beyond that, many practices can ensure good coding practice at the application level, but traceability is the first step, he adds.
There's not a process to enforce good coding practices at a lot of industrial sites, Gluck say, as “80% of companies we talk to are using copy, paste, rename.”
Not only is the digital landscape changing, but roles and responsibilities are changing too in the convergence of IT and OT. “I don't think it's all been shuffled out yet, where [chief information officer] CIO responsibilities and OT responsibilities, where one starts and the other ends. I think every organization is figuring that out right now,” Gluck says.
The new or changing roles and responsibilities driven by increased cybersecurity can be supported and probably won’t succeed without a new cybersecurity culture. Gluck says IT-driven security projects will likely fail at the plant floor without investment and buy-in from operations, and in order for IT and OT to converge, IT needs an OT to champion security at the plant level.
“Every time I've heard of digital manufacturing projects, and top-down projects failing, it's always at the plant level because people aren’t convinced that it’s useful,” Gluck says. “How do you re-educate? How do you show the impact at the plant level?” Fostering a partnership also means getting CIOs and chief information security officers (CISOs) to the plant floor talking about the operational reality and the issues, he adds.
“A lot of these initiatives are not working, because people are not actually understanding the tangible problems at the plant level, and how their solutions intersect with that,” Gluck says. “The difference between success or failure in digital manufacturing in the next five years is the willingness of people to go to the plant, really understand what's happening and understand other problems intersect with that.”
Gluck is also promoting a cybersecurity culture that supports blameless postmortems, if a cybersecurity issue occurs. “I think what I often see in the industrial space is fear of a blame game that happens at the point of an outage,” he says. Better processes will help workers take more personal accountability for cybersecurity, but they can’t work in fear of losing their jobs for a mistake. It is instead an instance for learning and improving.
“I think what's developed in the software space is a really healthy set of cultural practices for managing code and managing changes in environments that are, frankly, in a lot of places missing,” Gluck says. Industry can develop and implement the right processes for their systems but not without input and understanding from both sides.
Lastly, Gluck outlines the cowboy vs. the firefighter engineer, where cowboys make quick changes in the programming environment, they shoot from the hip, and firefighters run around after the fact putting out fires. Neither is a good long-term best practice. “Instead, they actually unlock engineers as a strategic resource, so they can make more meaningful changes in these environments,” Gluck says. “I think taking IT best practices and applying them into OT, applying them in industrial practices, can actually unlock organizations to do more meaningful work and make it better quality engineers.”
