Efficient Plant July/August 2021 - 10

feature | cybersecurity
updates, and back-ups, along with physical-security measures, such as managed switches, segregated networks, secure LANs, and firewalls.
Indeed, firewalls are a regular element of much of industry and government legislation concerning malware defense, but they're also one of the box ticks. Simply having a firewall and ticking the box to say you have one isn't enough. Firewalls must be programmed, configured, and maintained to ensure their efficacy as part of a larger security system. There cannot be any weak links.
STANDARDS ARE STARTING POINTS
In general, regulatory standards do not often go into the detail needed to prescribe hardened systems, because they try to suit the needs of too many organizations, are designed by committee, and/or influenced by lobbying. Regulatory standards should never be seen as a single solution to solving security issues. They are, however, a good foundation upon which you can base your planning and implementation. To a certain degree, the U.S. National Institute of Standards and Technology (NIST), Gaithersburg, MD (nist.gov), cybersecurity framework is excellent as a guidance document, as opposed to being a mandatory standard/requirement. As a publication based on recommendations, it could go into more detail, compared to IEC 62443, which contains elements of box ticking.
Cybersecurity is a journey, not a destination. With professional support and a thorough analysis of your risks you achieve a better understanding of where the destination may be. There is no prescribed path to take, as every journey will be different, but it's safe to say that a threat assessment is a great first step. You need to consider how mature your security solution is, what risks you face, your current risk posture, and what you must do to adhere to regulations or legislation. It's better to be a pessimist at the outset. Start at a 100% risk threat and use the potential outcomes to define critical objects, equipment, and/or attack vectors.
This assessment (which will be a core element, no matter what your risk level) will help set your position, form a foundation, and
ensure you make initial investments in the right areas. Once this is done, additional security requirements and planning can be factored in, such as establishing inventories, creating application whitelists, undertaking system hardening, and defining strategies and policies to describe the program.
Training employees and contractors, and anyone else with access to IT/OT systems, is another essential part of the equation and is a great way to mitigate risk. It's a fact of life that people often form the weak link in any security solution. Note that it's rather rare that workers act maliciously. In most cases they're simply trying to find easier ways of doing their jobs.
The latter stage (there is never really a final stage), as your cybersecurity program matures, is maintaining your systems. Patch it, upgrade it, replace it. Undertake all the evolutionary housekeeping exercises prescribed by software and hardware suppliers and you can be more assured that your security is being maintained.
Exploiting and deploying modern cybersecurity practices should be seen as an opportunity, as it counters threats, reduces operational risk and, as a result, reduces the likely impact of an attack and the resulting negative impact on the bottom line.
Recent events are a sobering reminder of what's at stake and the implications of being on the receiving end of a ransomware attack. Hackers don't sit still. Neither should you or your suppliers.
Standards and legislation certainly help at the foundation stage. To be more secure, you must build on this foundation, sometimes significantly. To minimize risk, start with regulation and then assess, implement, and maintain. If you treat security simply as a box-ticking exercise and then look at the statistical likelihood of being attacked, it really will not matter how many of the boxes are ticked.
Benjamin Dickinson is Global Product Manager for Cybersecurity at ABB's Energy Industries in the UK. U.S. headquarters are in Atlanta (new.abb.com/process-automation/energy-industries). Dickinson leads delivery of cybersecurity services to help clients secure industrial systems. He previously worked at the UK's National Cyber Security Centre, part of GCHQ, a world leader in the field of cybersecurity.