Industrial cybersecurity: Eight years behind enterprise security
The enterprise sector is ten years ahead of the industrial sector, both in being fraught with vulnerabilities and in having had that time to develop measures, architectures and foundations to deal with them.
Honeywell’s cybersecurity leader in APAC, Ngai Chee Ban, painted a bleak picture: “In the industrial environment, cybersecurity has to contend with asset owners who are holding on to legacy systems. The challenge is to come up with solutions and measures to help them cope and at the same time migrate to new systems, while at the same time coming up with more cyber countermeasures and defense capabilities.
“Until then, you have to live with old ways of trying to manage cyber protection.”
Despite the one-sidedness of the battle being waged against cyber threats, there are still some steps that can be taken to launch a more organised defense.
Ngai proposes that the first thing to do is to be aware of risks and vulnerabilities that exist in the network and environment. “Without this awareness, you are just pouring money into something irrelevant. So an audit and assessment is probably the first thing to go into.”
This awareness can also help customers prioritise budgets and resources to address immediate threats first.
The next step is remediation, which requires a longer timeline for better planning to put backup and disaster recovery solutions and processes in place.
After that, it is a matter of continued monitoring so as to continue being aware of the state of your network and systems. For example, Honeywell has an industrial cybersecurity solution that proactively monitors, measures and manages cybersecurity risks to industrial control systems. https://www.youtube.com/watch?v=az6pKbJHxNY
Ngai also cautioned against downtime happening in the industrial sector.
Unlike in enterprise sectors, where there could be productivity and financial loss, in industrial sectors that deal with petrochemicals, for example, downtime could mean an uncontrolled chemical reaction, human safety risks and non-compliance, which could ultimately lead to penalties being invoked.
Important no matter what
Ngai concluded, “Industrial asset owners have to depart from the view that every budget spend is for productivity gain and have to look at cyber protection as something of paramount importance.
“We are in a huge hurry to reach out to senior leadership and create awareness that there is a huge risk factor they need to pay attention to, so they can make the comparative risk management assessments to address the situation.”
“A tech provider like Honeywell has a whole suite to help customers but at the end of the day, the onus is upon asset owners to determine what risk level is acceptable to themselves.”
He also gave a reminder that operational technologies command a whole different type of treatment from IT when it comes to cyber protection and cyber assurance.