Cybersecurity a Must for Manufacturing Industries

You can watch the video of this panel here.

Industry 4.0 has brought many benefits to manufacturing companies through increased efficiency and reduced downtime thanks to continuous operations with minimal human error. However, the digitization of processes and the interconnection of manufacturing equipment to the cloud and digital networks have also brought new security challenges that companies are sometimes not ready to face, agreed panelists at Mexico Cybersecurity Summit 2021 on Wednesday, June 16. “The digitization of production processes has led to a 280 percent increase in cyberattacks, following an expansion of the attack surface in the industrial arena,” said Juan Carlos Ortiz, CIO/CTO of Grupo Apollo, Vice President of CIO's Mexicanos and moderator of the panel: “Cybersecurity in the Age of Industry 4.0.”

The gradual adoption of automation solutions has blurred the lines between information (IT) and operational technologies (OT), which means that companies must keep both in mind when ensuring the continuous operation of their facilities, according to Miguel Alfonso López Conde, Mexico Regional Director at Rockwell Automation. “This is not an issue of hardware but of defining vulnerabilities and establishing plans of action, as well as partnerships that can help us define strategies to face cyberattacks,” he said.

Understanding the Company's Reality

Visibility is key in ensuring an optimal cybersecurity strategy and that can only come from “IT hygiene,” said Miguel Llerena, Vice President – LATAM at Tanium. “Companies need to make a proper assessment of the number of devices they have in a plant, what kind they are and establish proper use standards, as well as policies to protect themselves in case of a cyberattack. You cannot protect what you do not know you have.” One of the problems Llerena identifies is that companies tend to work on these assessments once a year, when this should be a quarterly or daily activity at best. “The challenge in cybersecurity is to know the architecture, interconnections and operability of an entire facility to define proper controls and exploit data logs. We have a massive source of information with millions of events per second, which can help us detect possible threats,” said Erick Robles, Partner, Risk Advisory – Cyber Risk Services at Deloitte.

Companies, however, require adequate tools to make these assessments. Otherwise, proper metrics cannot be established, said Hugo Amezcua, Corporate CIO & Digital Operations –Americas at GE. Big Data, Big Security Data and the cloud are key, for example, to consolidate data logs in a single repository with a reliable and resilient architecture, highlights Robles. “The cloud offers the necessary elasticity for the collection and storage of security events’ data in real time and with enough scalability potential,” he adds.

The visibility that come from these analyses allows companies to establish policies against cyberattacks. These strategies are also defined by the type of operation and product the company is manufacturing. According to Robles, companies can face two types of risk when dealing with a cyberattack: an impact to productivity, which may come with its own legal issues and penalties from clients; and problems in terms of quality when criminals have managed to infiltrate into a company’s system. “There are industries that work with the strictest quality standards and where a single deviation in the process can cost lives,” said López. “We need to know what we need to do before, during and after an attack, while appointing people responsible for overseeing security practices and determining the level of risk we are willing to endure without compromising our operations.” For this reason, Robles said cybersecurity should always have a place in a company’s board room, especially as presidents and directors are the ones that can define what a company should prioritize in case of an attack.

Protect What Is Must Valuable to the Company

Panelists agree that cyberattacks are now part of the reality of every company and that breaches are bound to happen, which is why companies must properly define their priorities to ensure continuous operation, even under attack. “There is never going to be enough budget to protect everything. However, not all processes have the same priority. Risk and vulnerability analyses are key to not be subject to costly consequences,” said Amezcua. Llerena urged companies to not wait for a ransomware case to react, as the investment in a cybersecurity solution is immediately recovered whenever the company faces and avoids a successful attack. “We cannot achieve 100 percent security other than by turning off all equipment. However, cybersecurity companies can help clients to be near that perfectly secure environment,” he said.

Third party suppliers were also identified as a point of risk for companies and a priority when defining cybersecurity policies. “Third parties are crucial in any productive chain, so we need to define how we can extend our cyber policies to them, how to regulate access and what kind of joint measures we can implement to secure our environment,” said Robles. “Failing to comply with policies might put us all in danger.”

Awareness Is a Must

A holistic strategy is needed to provide constant training for a company’s own employees and for those of a third party, according to López. Part of this holistic approach lays in understanding that awareness is needed among companies to embrace cybersecurity as an investment. López identified industries like pharma where companies already work with high standards and strict regulations. However, Ortiz highlighted that this is mainly a cultural problem that goes beyond cybersecurity departments in companies. “If this gap is not closed, we cannot move forward,” he said.

There are many companies that still do not see cybersecurity as a priority in terms of investment and there is still much disconnect between cybersecurity strategies and overall business goals, according to Robles. “In this environment, education is vital to properly advance cybersecurity,” said López. Companies must learn about security standards like ISO27001, IEC 62443 y NIST Special Publication 800-82, along with other more specific frameworks unique to every industry, said Amezcua. For Llerena, however, companies need not go that far to start enhancing their cybersecurity approach. “Certifying tools already owned by the company is vital for better protection. Many companies buy equipment and solutions but fail to properly integrate them to their processes, which results in a useless investment,” he said.