Digital transformation has brought greater insights, more efficient production and higher machine uptime to manufacturing facilities. But with great advancements come great perils. Cybersecurity—once a concern harbored by the keepers of the enterprise network—has become a necessity with factory-floor data being shared on-premise and into the cloud. It was one of the topics discussed at the 2023 Control System Integrators Association (CSIA) Executive Conference in New Orleans.
Information technology (IT) and operational technology (OT) are coming together and working together, explained Ken Hackett, director of business development, General Control Systems, a system integrator in Albany, New York, with multiple offices around the United States. “System integrators are avid supporters and trusted advisors to both sides,” he said. “There’s some type of cybersecurity in every project we quote.”
General Control Systems sees itself as trusted advisor on the OT side and is bringing that insight to the IT side, explained Hackett. “The OT side doesn’t want their equipment locked down 100%, but IT wants it done in a safe manner,” he said. “It’s really educating on both sides. On the OT side, the programmable logic controller (PLC) is the easiest place to start making security changes. Human-machine interfaces (HMIs) are another place that you can upgrade. Those are the two easiest ways. In IT, your servers are the easiest.”
Hackett also cited the Purdue model for industrial-control-system security as important because of structure. “They can make sure they lock down what needs to be locked down from the IT side,” he explained, referencing pharmaceutical manufacturing, which, for example, is heavily regulated. “It needs to be integrated because IT and OT are part of it. It pushes out more opportunities,” Hackett said.
“Nobody knows OT systems better than system integrators,” explained Keith Mandachit, engineering manager, Huffman Engineering, a system integrator in Lincoln, Nebraska. “The number-one priority is keeping them running. We had a new client, around July 4, 2017, that needed our help because their systems were down. We showed up, and it’s the eeriest feeling when you’re walking into a manufacturing facility, and it was dead silent. Every machine had a ransomware screen on it. We spent a week there, helping them to get their critical systems back online. Employees were coming in and dropping their laptops in a pile on the conference table. They were a global pharma company, so every site got hit.”
The attacks brought awareness to the cybersecurity industry and stressed the importance of analyzing the risk, explained Mandachit. “Application software on the OT side sometimes lags behind what’s available and being used on the IT side,” he said.
“There are increased efficiencies but also increased actors looking to disrupt the process,” said Cody Bann, director of engineering at Win-911, which offers an alarm-notification platform. “The benefits outweigh the risks. Cybercrime has evolved. Two-thirds of organizations are victims of ransomware, and half of them paid the ransom.”
Malicious actors see industry as soft, said Bann. “Cybersecurity is a concern for all organizations,” he reasoned. “In industry, the Internet of Things (IoT) connects the digital and physical world.”
Managing cyber risks includes training personnel on cybersecurity awareness; embracing multi-factor authentication and strong passwords; stopping credential-sharing; incorporating remote notification; and creating or reviewing backup/recovery plans, advised Bann.
“The weakest link in every attack is people,” cautioned Marc Nicosia, director of business development at Automated Control Concepts, an integrator headquartered in Florida with offices along the eastern seaboard. “It can only be reduced through information and education. We’re all aware of it, but not everybody is as aware.”
Nicosia said the sleeping giant has been awakened. “Industry is starting to take notice,” he explained. “Who knows cybersecurity? Primarily the IT organization. People are starting to spend money and do something about it. No company wants to advertise that they’ve been hit because it affects their stock price.”
For backup and recovery, OT needs to take lessons already learned by IT, suggested Nicosia. “If it’s on the same network, you’ve already failed,” he warned. “We need to help create comprehensive backup and recovery plans. They’ve been doing this for years in IT. Do we want to back it up to the cloud or off-site? You’ve got to have a plan. It’s not if but when you’ll get hit. We’ll all get hit. You can spend millions of dollars on all the right protections, but you’ll still get hit. Have a backup and recovery plan. We as integrators can create programs for our customers. They say they’re doing it, but they’re not.”
An IT department may not understand what a sensor or I/O is, but they’ll understand the structure of the Purdue model, said Nicosia. “There’s a shortage of talent in the United States for OT expertise and cybersecurity expertise,” he explained. “We have an opportunity to bridge that gap. Nobody on the OT side is going to be the chief security officer.”