UK, October 20, 2017.- We are living in one of the greatest disruptive transformations of human history: the digitalisation of personal and professional life. The internet of things, big data, smart data, artificial intelligence and analytics all require an efficient and competitive level of cybersecurity.
With the construction and manufacturing industries being strategically important parts of Western economic development, the construction publication, UK Construction Online, and Schneider Electric assimilates the great importance of cybersecurity and have published the following analysis:
In years gone by, legacy ICS (Industrial Control Systems) were developed with proprietary technology and were isolated from the outside world, so physical perimeter security was deemed adequate and cyber security was not relevant. However, today the rise of digital manufacturing means many control systems use open or standardised technologies to both reduce costs and improve performance, employing direct communications between control and business systems. Companies must now be proactive to secure their systems online as well as offline.
This exposes vulnerabilities previously thought to affect only office and business computers, so cyber attacks now come from both inside and outside of the industrial control system network. The problem here is that a successful cyber attack on the ICS domain can have a fundamentally more severe impact than a similar incident in the IT domain. It has been reported from CEBR (Centre for Economics and Business Research) that cyber attacks cost British industry £34bn a year, so it’s clear that cyber protection needs to be a boardroom-level discussion that is given as much consideration as safety or high availability.
The proliferation of cyber threats have prompted asset owners in industrial environments to search for security solutions that can protect their assets and prevent potentially significant monetary loss and brand erosion. While some industries, such as financial services, have made progress in minimising the risk of cyber attacks, the barriers to improving cybersecurity still remain high. More open and collaborative networks have made systems more vulnerable to attack. Furthermore, end user awareness and appreciation of the level of risk is inadequate across most industries outside critical infrastructure environments.
Uncertainty in the regulatory landscape also remains a significant restraint. With the increased use of commercial off-the-shelf IT solutions in industrial environments, control system availability is vulnerable to malware targeted at commercial systems. Inadequate expertise in industrial IT networks is a sector-wide challenge. Against this backdrop, organisations need to partner with a solutions provider who understands the unique characteristics and challenges of the industrial environment and is committed to security.
Assess the risks for UK construction companies
A Defence-in-Depth approach is recommended. This starts with risk assessment – the process of analysing and documenting the environment and related systems to identify, and prioritise potential threats. The assessment examines the possible threats from internal sources, such as disgruntled employees and contractors and external sources such as hackers and vandals. It also examines the potential threats to continuity of operation and assesses the value and vulnerability of assets such as proprietary recipes and other intellectual properties, processes, and financial data. Organisations can use the outcome of this assessment to prioritise cybersecurity resource investments.
Develop a security plan
Existing security products and technologies can only go part way to securing an automation solution. They must be deployed in conjunction with a security plan. A well designed security plan coupled with diligent maintenance and oversight are essential to securing modern automation systems and networks. As the cyber security landscape evolves, users should continuously reassess their security policies and revisit the defence-in-depth approach to mitigate against any future attacks. Cyber attacks on critical manufacturers in the US alone have increased by 20 per cent, so it’s imperative that security plans are up to date in the UK and across the world.
Upskilling the workforce
There are increasingly fewer skilled operators in today’s plants, as the older, expert workforce move into retirement. So the Fourth Industrial Revolution presents a golden opportunity for construction and manufacturing to bridge the gap and bolster the workforce, putting real-time status and diagnostic information at their disposal. At the same time, however, this workforce needs to be raised with the cyber security know-how to cope with modern threats. In this regard, training is crucial to any defence-in-depth campaign and the development of a security conscious culture. There are two phases to such a programme: raising general awareness of policy and procedure, and job-specific classes. Both should be ongoing with update sessions given regularly, only then will employees and organisations see the benefit.
Global industry is well on the road to a game-changing Fourth Industrial Revolution. It is not some hyped up notion years away from reality. It’s already here and has its origins in technologies and functionalities developed by visionary automation suppliers more than 15 years ago.
Improvements in efficiency and profitability, increased innovation, and better management of safnety, performance and environmental impact are just some of the benefits of an Internet of Things-enabled industrial environment. However, without an effective cyber security programme at its heart, ICS professionals will not be able to take advantage of the new technologies at their disposal for fear of the next breach.