
Cybersecurity: a Holistic and Continuous Process

By Alejandro Preinfalk - Siemens AG
President, CEO and Senior Vice President, Digital Industries Siemens Mexico, Central America and the Caribbean


By Alejandro Preinfalk | CEO & President - Tue, 10/18/2022 - 11:00


The growing digitization of companies and the consequent interconnection between many of them, even from different sectors, generate enormous economic potential. However, at the same time, they give rise to new hazards that require a rapid and rigorous response, such as cyberattacks, which have increased exponentially in recent years.

Particularly in the industrial sector, it could be considered a double risk because in this field information technologies (IT) are combined with operational technologies (OT). According to Trend Micro's The State of Industrial Cybersecurity 2022 report, cyberattacks on companies in the manufacturing, electric utilities, and oil and gas industries in the last year caused an average of US$2.8 million in damage. Eighty-nine percent of the firms surveyed (in Germany, the US, and Japan) had their supply chain affected and 56 percent suffered interruption in their operations for at least four days.

Current cybersecurity threats for owners of industrial networks are increasingly advanced and impactful, especially in critical infrastructure, such as electricity, water, or transportation systems. Additional demands on connection security come from the collection and processing of data from OT devices.

Due to the increasing convergence between IT and OT, if one system is compromised, everything on the corporate network is put at risk. That is why more and more security requirements and standards are emerging and are applied in different regions or vertical sectors. The continuous increase in the number of cyberattacks in recent years has spurred legislators in several countries to approve regulations to prevent them, including the creation of government institutions dedicated to monitoring them.

For example, in Germany, the IT Security Act requires owners of critical infrastructure to take measures to maintain it. Other countries also have agencies that oversee the cybersecurity of national industries, such as the Agence nationale de la sécurité des systèmes d'information (ANSSI) in France, the National Center for Critical Infrastructure Security (NCSC) in Great Britain and the Department of Homeland Security (DHS) in the US.

In Mexico, we have the National Intelligence System, the Cyberspace Operations Center, the Cyber Defense and Cybersecurity Control Center, the National Cybersecurity Strategy, and the National Digital Strategy 2021-2024. The latter promotes the implementation of the Approved Protocol for the Management of Cyber Incidents between Institutions.

However, at a global level, much remains to be done in terms of business and industrial cybersecurity, starting with the evangelization of those responsible for it and of users. Companies don't always have a full understanding of what impact a malicious incident or attack can have on an organization, including the regulatory or legal ramifications of noncompliance and less obvious impacts like fines, loss of contracts, or brand damage.

In fact, many attacks are designed to be stealthy and silent, so it is quite possible for network incidents to occur undetected while a company's daily operations continue. On the other hand, existing security solutions are not standardized and industrial control systems vary between different networks, even within the same industry, so it is necessary to create customized systems for each company.

The key is to take a holistic approach to this type of security, one that protects people and the organization, its processes, and its products and services (we call it the three Ps), and where the needs of IT and OT are considered throughout the planning stages as part of ongoing management, threat assessment and remediation. Let's start by learning that cybersecurity is a continuous process: effective protection against attacks is not achieved with the application of measures for a single occasion.

A second premise is that the responsibility for industrial cybersecurity always rests with the plant owner (hazards due to outsourcing must then also be assessed). On behalf of Siemens, we recommend following these steps to create a strategy in this regard: do a risk assessment of automated processes and implement technology-based measures to minimize the dangers. Such a strategy should be continually monitored and reviewed to determine if it needs to be updated to address new or changing hazards.

Because the hazards for processes differ widely in their nature, can occur from the outside or inside, and can result from attackers with different levels of sophistication, a multilayered protection concept must be created if the process is to be protected as effectively as possible. Additionally, we recommend segmenting the corporate network to protect it by areas (production, offices, etc.), as this is the only way to block unknown communication.

It is also recommended to design a security plan for the physical safety of the plant. In addition to protection against theft, measures must be taken to counteract environmental influences and prevent incidents, such as break-ins, floods, fires, contamination by noxious gases, or high-voltage electric shocks.

Thus, as those responsible for cybersecurity in companies in the industrial sector increase their awareness of the high costs — not only economic — that the absence of a comprehensive protection strategy can generate, we will advance in the construction of secure digital environments that help protect their resources and those of their users.

Sources:

https://drive.google.com/drive/folders/1BZt5jf1Atv1OZoXjKz264Em5sxdKZjJ5 

https://ingenuity.siemens.com/2022/01/how-industrial-control-systems-benefit-from-integrated-cybersecurity-solutions/  

https://ingenuity.siemens.com/2022/01/strong-cybersecurity-is-key-to-reducing-uncertainty-and-risk/ 

https://ingenuity.siemens.com/2020/06/lasting-cyber-security-for-industrial-assets/ 

https://resources.trendmicro.com/IoT-survey-report.html 

https://www.policylab.tech/post/ciberseguridad-en-m%C3%A9xico-1?lang=esv 

Photo by:   Alejandro Preinfalk
