Posted By Matthew Doan, May 26, 2015 at 12:11 PM, in Category: Cybersecurity
Stuxnet, one of the world’s most infamous cyber incidents, demonstrated how a cyber attack could cause physical damage to an industrial environment, in this case, nuclear centrifuges. More recently, a 2014 cyber attack on a German steel mill, in which a blast furnace caused heavy damage, further demonstrated the manufacturing environment’s inherently vulnerable construct.
For most organizations, the primary security objective is to protect the confidentiality of information from prying eyes. For industrial organizations, however, there are different priorities, especially ensuring uptime and the integrity of the manufacturing environment.
Given this wider lens, bringing cybersecurity to the manufacturing environment is more of a transformative task than an incremental change. Part of the challenge is that Information Technology (IT) and Operational Technology (OT), despite their continued points of crossover, are more different than alike. It is difficult to apply IT security skills and techniques to an OT environment. Some basic elements translate, but production environments, unlike corporate IT networks, can’t be easily patched and “rebooted,” security tools are limited, and active monitoring is often dangerous to the point of disruption.
To attack the problem and succeed in this new cyber environment, companies need to exercise two of the most important muscles in their organizations—collaboration and change management—and capture the opportunity within the cyber challenge.
- Formulate a Diverse Team. The best chance of success for industrial cybersecurity is the multidisciplinary group of people and perspectives involved in developing the approach. Traditional security experts need to pair their skills with process engineers, OT technicians, plant managers, and other factory personnel to further understand the problem space and, together, develop realistic security solutions. This team must also include critical supporting functions, such as change management experts, talent acquisition experts, and—possibly—external entities who can provide an independent voice.
- Create Manageable Goals, then Execute. No matter how big or small your company, starting this process can seem daunting. Each factory may have its own unique constraints, budgets, management oversight, and other sensitivities; however, this is also the perfect opportunity to scope new security initiatives tightly. Focus on one discrete environment, prioritized by risk, then learn its unique challenges. Use a cross-functional expert team to create innovative solutions on both the technical and people engagement fronts. This engagement creates the opportunity for forward-thinking problem solvers in an organization to step up. As progress occurs, use these early successes to drive broader change across the organization.
- Cultivate a New Mindset. Technical solutions are just one measure of success. The more lasting success is the ability to cultivate a new mindset around the digital factory. Employees at all levels should be able to comfortably talk about the impressive new capabilities that were enabled via a well-implemented change management program: “Data moved faster between systems. Engineers accessed needed information from the field. The factory didn’t just produce; it informed.” To cultivate this new mindset, start with the known allies in your organization. Allow them to give a voice to the opportunity, and then let the power of change management work. Spread knowledge, spread opinion, spread excitement.
Cybersecurity in manufacturing shouldn't only be about threats, vulnerabilities, and risk. It should focus on opportunities, advancement, enablement, and competitive differentiation in the market.
Change can be difficult, but it’s essential for manufacturing companies to protect their businesses in the new connected environment. By engaging across the business and developing collaborative relationships between functional teams, leaders can elevate industrial security to a broader platform for connected success.
For more insights, see the latest article in the June issue of the Manufacturing Leadership Journal, Collaborative Security: Why Industrial Security Takes a Team.
Written by Matthew Doan
Twitter | LinkedIn Management Consultant with Booz Allen Hamilton. I partner with executives across the high-tech manufacturing space to help them manage risk and capture emerging business opportunities using strategy, cyber security, and analytics solutions.