Two months ago, when the COVID-19 pandemic began to devastate the United States, Stuart King was just starting to settle into a new practice at digital technology company Wipro. As an industrial cybersecurity specialist, King has a proven track record in manufacturing security, helping organizations secure their production facilities.
Now, as the pandemic continues to put citizens at risk, that mission is more important than ever. Today, manufacturers are being relied upon to produce lifesaving personal protective equipment, and improving security measures at these facilities is key to ensuring production lines keep running.
“It’s brought a lot of issues to the fore,” King tells Industrial Cyber. “Many organizations have had to retool their production lines and ramp up production. So [operational technology] security has become a very en vogue subject. COVID-19 has been a bit of a wake-up call in a lot of instances because now we’ve got these production lines that we need to have running with more efficiency and reliability than ever before, and they’re finding out that some of their efficiency and reliability issues are often due to fundamental things that could be resolved with good security controls around them.”
COVID-19 has highlighted the importance of keeping manufacturing facilities running smoothly, but King says attitudes around manufacturing security had been shifting long before the pandemic. He says it’s part of an overall increase in awareness around the importance of OT security in industrial environments.
“The big thing that has changed is awareness,” King says. “I know that in some industries it’s not a new thing. In the world of critical infrastructure, cybersecurity has been at the forefront of people’s minds for quite some time. But certainly in industrial manufacturing–and any organization that’s operating a warehouse, or reliant on building management systems, or places like hospitals that are starting to use more internet connected devices–we’re seeing a great increase in awareness.”
Recent cyber attacks on manufacturers have helped to raise awareness about the importance of securing manufacturing facilities. According to a 2020 report by Deloitte and the Manufacturers Alliance for Productivity and Innovation, the manufacturing industry is consistently featured among the most frequently targeted industries.
Forty percent of those surveyed by Deloitte and MAPI indicated that their operations were affected by a cyber incident in the past 12 months, and cyber incidents overall have increased greatly. According to the report, between 2017 and 2018, ransomware attacks increased more than threefold.
However, despite this increase in attacks, the manufacturing sector continues to lag behind in cybersecurity measures. Unlike other critical infrastructure sectors, the manufacturing sector in many countries isn’t bound by cybersecurity regulations or mandates.
“Awareness still needs to grow,” King says. “We’re all reading in the media a lot about industrial systems being hacked and attacked, and subject to malware and phishing, and all the incidents that are very much coming to the fore now in those sorts of environments. But there’s still a learning and education process that organizations need to go through and allocating the right funding and resources to address it is important as well, because it’s not a cheap job to fix.”
A cyber incident can have a devastating impact on manufacturing companies. According to the Deloitte MAPI report, an IoT-focused cyber incident costs manufacturers $330,000 on average. Additionally, 86 percent of attacks result in operational disruption.
“The impact that production downtime has is often overlooked,” says King. “What’s often forgotten is when a production line stops working, the people who work there are not able to do their jobs and they might lose out on pay. That impacts supply chain as well. It has all of these knock-on effects and these are things that are never really considered.”
Manufacturers are increasingly aware of these risks. In the Deloitte/MAPI survey, nearly 90 percent identified operational disruption as a major risk in OT environments. More than 70 percent identified safety as a risk, and another 70 percent identified collateral damage as a risk.
“In an industrial environment, if something does break, whether because of a security incident or not, that can result in someone being injured or killed,” King says. “So when we talk about our solutions we’re really thinking about the impact on the people who work in these places, how we keep those people working, how we keep their income safe and secure, and the company running, and the production lines running, and all of the other processes around it. It’s all about keeping production running, keeping organizations working so that people can continue to be efficient and effective.”
In the industrial cybersecurity sector, many companies are focusing on IT/OT convergence. IT and OT systems have traditionally worked independently of each other and there’s often a disconnect between how best to secure these disparate systems. But while IT/OT convergence is the latest buzzword, King says reconciling the two isn’t so simple.
“When you start patching systems, the next thing that happens is production stops or slows down. While the IT person will understand how the system works, what they don’t understand is the fact that it’s connected to equipment that’s actually doing something physical. They’re trying to update a system that’s connected to something when they don’t understand what impact it will have when they make these changes,” King says. “We don’t need convergence between OT and IT, we need coordination and cooperation so that IT teams are aware of what’s on the OT side and aware of what controls to put in place to put the right degree of security around these systems.”
King is hoping to play a major role in helping companies make this transition. While Wipro hasn’t traditionally been known for its OT and IoT security services, he says the company’s new practice has brought together some of the best and brightest in OT/IoT security.
“We’ve had a lot of success so far with clients ranging from manufacturers of medical devices to utility companies,” King says. “We want to be able to help companies resolve their OT and IoT challenges.”
As part of that work, in March, Wipro announced a new partnership with cybersecurity management company Skybox Security to improve network visibility in IT and OT. The new partnership will help organizations better protect their hybrid IT/OT networks and ensure the security of their core infrastructure.
Additionally, Stuart and his colleague Kristin Demoranville, who is a managing consultant with Wipro, have put together a training course for the International Information System Security Certification Consortium that serves as an introduction to industrial control system cybersecurity. For more information visit (ISC)².