INSIGHT ARTICLE / 14 Feb 2018
Are you on top of what Cyber Security in process industry means?
Cyber security is not a new topic, but it is increasingly a central factor in modern risk management in the industrial sector. Nevertheless, it is not just about management of risk but also a matter of personal responsibility. Production related threats, such as production losses, impaired quality or delivery delays, are no longer the only risks. Management and privacy of data are equally important in any responsible and modern production environment.
The integration of digitalization in industrial operations is dramatically exposing industrial processes to unknown cyber security risks. The benefits of increased digitalization or automation in the industrial sector are well known. What is less well known is how Industrial Control Systems (ICS) can become a target for cyber-attacks. Recent cyber-attacks have used malware to disrupt or take control of critical infrastructure such as electrical substations. It is not just infrastructure; there are also reports that hackers are attacking safety systems.
The industrial sector, especially process plants (food, chemicals, forest products etc.), is vulnerable to cyber-attacks from known and unknown sources. Successful cyber-attacks can lead to loss of production, unplanned downtime (production quality waste), and disturbances to cash-to-order processes and the supply chain. The impact is not limited to production processes. Building technology, such as climate control systems, remotely controlled access control systems and surveillance networks, can be surprisingly vulnerable. How digitalization can impact people’s well-being needs to be understood, managed and protected accordingly.
Too often, there are no clear plans. Back-ups are not tested and even smaller disturbances can easily cause chaotic recovery situations. This highlights why cyber threats have to be a standard element of general risk management strategy in the industrial sector.
Changes in cyber security directives come into force in May 2018 – “what’s in it for me?”
The “Data Protection Directive” (Directive 95/46/EC), introduced already in 1995, will come into force from May 25th, 2018. The “General Data Protection Regulation” (GDPR) will supersede previous directives. Within this new directive there are measures that look to protect industrial operations.
- The authorities must be notified within 72 hours of first becoming aware of a cyber-security breach. This applies not only to the production unit, but also its customers, suppliers and other stakeholders.
- Anyone, whose data is managed by a data controller (e.g. registered customer data), can, at any time, free of charge, get a confirmation related to the data use.
- Data controllers have to erase personal data once it has lost its original purpose, is no longer relevant or a data subject withdraws consent.
- Data protection must be included at the start of designing systems, rather than as an addition. It must be of the highest standard and protect the privacy of any data subject.
- Establishment and appointment of a Data Protection Officer (DPO)
In cases of attempted cyber-attacks or breaches, there is going to be no hiding place if errors occur, which can be detrimental to a company’s reputation. Therefore, just having a traditional IT manager role will no longer suffice. These new challenges mean it is necessary to appoint a Chief Information Security Officer (CISO).
Turning theories into practice – establishing your ICS cyber security foundation.
With a jungle of standards, guidelines and frameworks, selecting the right one for your business and industrial set-up is critical. Only once you have selected the most relevant ones can you establish the foundation of your ICS cyber security. Equally important is the ability to maintain and evolve your cyber security. Pöyry has developed a simple approach to do this as illustrated in the flow chart below.
Processing or production industries are typically very asset intensive businesses. Owners have to consider important external factors such as the global economy, demand/supply changes, raw material pricing, employee restrictions, politics etc. Modern asset management includes a number of challenging questions to start with and cyber security is a new dimension that must be included.
For example, equipment generation upgrades cannot include only hardware refurbishment or modernization. They have to include ICS cyber security (e.g. data privacy). Too often cyber security drops down the agenda. However, failing to build in cyber security at the investment phase means that your new modern plant will in fact be old and inefficient from day one.