A packaging giant in the US was hit by ransomware attack which impacted both its information technology (IT) and operational technology (OT) systems, causing multi-million-dollar losses in production and logistics. This type of news can be seen more and more often. Management and privacy of the data are no longer the only risks related to Information Technology (IT). Production related threats, such as production losses, impaired quality or delivery delays are equally important in a production environment.
author: Kai Vikman, COO Process Industries, AFRY, Filip Enander, Section Manager, Cyber security, Martin Hagelthorn, Section Manager, Industrial Digitalisation
Industry Insight by:
Cyber security is not a new topic, but it has been growing as a central factor in risk management in the industrial sector. Especially process plants (food, chemicals, forest products, tissue etc.) are vulnerable to cyber-attacks from known and unknown sources. Successful cyber-attacks can lead to loss of production, unplanned downtime and disturbances to cash-to-order processes and the supply chain. The impact is not just limited to production processes, however.
Building technology, such as remotely controlled access control systems and surveillance networks can be surprisingly vulnerable. Understanding how cyber security affects production and overall productivity needs to be understood, managed and protected accordingly.
Combine Operational Technology and Information Technology management
True industrial digitalisation is only enabled by understanding how to combine Operational Technology (OT) and Information Technology (IT) to create high quality, secure and resilient production. But without a well-thought-out strategy regarding Cyber Security, the risk that cyber-attacks will occur sooner or later increases.In recent years, we have seen several examples of what cyber-attacks can lead to. One of the most infamous is NotPetya, a targeted cyber-attack on Ukrainian business interests, which led quickly to the worldwide suspension of a number of large companies’ operations. The amount of ransomware attacks has been increasing dramatically over in the last five years and is expected to continue to rise at the same rate. Rapid digitalisation and technological development are transforming the industrial processes, and the widespread trend for pervasive connectivity has driven a convergence between OT and IT systems.
This has dramatically changed the cyber security requirements, resulting in the need for reliable architecture that takes care of the overall security from design. Another big future challenge is the potential hazards and risk when IT-security meets safety of machinery.
When different systems are connected, we can no longer rely on the security of each individual system.
The business must have a clear process for risk management regarding cyber-threats
Understanding both OT and IT environments
Without a well-thought-out strategy regarding cyber security within OT and IT, the risk that cyber-attacks will occur sooner or later increases. But above all, a lack of strategy can lead to challenges in detecting infringement and delimiting damage and its consequences, as well as returning to stable production. Good knowledge of one’s own facility and the information it manages is key. This means that the right tools, methods and routines are implemented in the right places and that they are used in a way that allows the detection of intrusion attempts, delimiting and counteracting intrusion and recovering after being subjected to an intrusion.
Aspects required to improve cyber security
In other words, for production to remain resilient and highly qualitative, you need a strategy and process that involves both technical measures in the IT/OT systems combined with organisational measures. Normally this strategic work is started with a risk and vulnerability analysis (OT+IT) and a system architecture analysis. In these analyses, interacting networks of physical and computational components need to be investigated. This means taking functionality, trustworthiness, timing and data dimensions into account.
- Functionality means all concerns about functions including actuation, communication, controllability, functionality, measurability, monitorability, performance, physical, sensing and uncertainty. The choice of technology used must be scalable and integrable to all directions and levels of ISA 95.
- Trustworthiness means data privacy, reliability, resilience and safety. It is also related to security, meaning the ability to ensure that all processes, mechanisms, both physical and cyber, and services are afforded internal or external protection from unintended and non-authorized access, change, damage, destruction, or use. As there are several different parties involved in the data utilization and creation with different responsibilities and priority, it must be ensured that the authorization is carefully designed.
- Timing means logical time, synchronization, time awareness as well as interval and latency. Accurate timing service for all systems will enable the checking of validity of data and events. Coordination of processes, timestamping of events, latency measurement, and real-time control are enabled and enhanced by a strong sense of timing. This is extremely important for remote control functions and autonomous operations to ensure safety reporting tasks.
- Data combines data and information models, relationships between data and data type, data volumes in storage and transmission as well as velocity. Proper data structure makes it possible to use the information for ad hoc needs and fast decision making, independent of the enquiry locations and size.
Cyber security is not a new topic, but it has been growing as a central factor
Cyber security is more than just technical measures
The business must have a clear process for risk management regarding cyber-threats. Moreover, continuously review their overall security. For example, having updated continuity plans and disaster recovery plans are examples of this. In order to have a sufficient overall security level at a plant, the measures need to be addressed for the whole business: management, staff, plans, policies as well as technical implementations. Through the implementation of tools, routines and methods, combined with continuity plans and disaster recovery plans for specific plants, the agency can secure that infrastructural plants and assets are accessible and work as intended. This also minimises the risk of cyber-attacks influencing the system or plant’s stability, as well as the risk of accidents or loss of life.
In summary, it is key to combine standardised methods with best practice in order to adapt the solutions for the specific business. However, this can’t be done without understanding the specific needs of the business, good process technology and deep IT-OT knowledge.