Industrial cybersecurity is a troubling issue. Hardly a day goes by without the news of an attack.
But what can a site director do about this? Of course, corporate has cybersecurity as a high-priority item on its agenda. They will likely send you consultants, infrastructure changes, and various directives about what you should do.
This article is not about giving you directions on how to avoid cybersecurity threats.
Instead, I’m going to tell you how you can gauge your organizational capability regarding cybersecurity.
At a high level, cybersecurity is the discipline of shielding your digital environment from bad actors.
There are two key cybersecurity categories: people and systems. People can be broken down in two subcategories : the ones who have an active role in your digital environment (think IT director, IT contractor, ...), and the ones who are "just" end-users.
Unfortunately (fortunately?) the lines between the two categories are more and more blurred. Which category is your 4.0 responsible for? Which category is your system engineer in, who just contracted a new machine that’s connected to the Internet?
You can expect most of your white-collar workers to belong to the first category in the next 10 years.
So with everyone on staff tinkering with digital, you need to measure the readiness of your people to react to a cybersecurity threat.
To effectively measure readiness to respond to a threat, two key components are education and processes.
Education is not only specific cybersecurity education, but also broad education on systems.
Here is a checklist:
- Is there more than one person in your factory who can name every system?
- Do the key users have strong opinions on the technology that was chosen for any given use case in the factory?
- Can the key users of each system name the technology with which it was coded? Are there people monitoring the in and out flow of information from your factory to the internet?
- Can the IT "experts" explain the architecture choices that were made during their tenure?
- Is there an escalation process in case of explosion of usage and/or security breach?
- What is the architecture choice regarding this?
Rest assured, the results of this checklist were equally bad in every factory we visited. Our estimation is that over 70% of all factories cannot answer these questions positively.
That is why the threat is high.
Fundamentally, there are no "secure" or "insecure" systems. While there are potential flaws in some well-known systems, it has been proven that more than 90% of all cybersecurity attacks stem from some human not doing his job, and that attacks stick due to the lack of training and processes of adequate resources.
Taking back power over your systems can only happen if your team understands them and nurtures them. The current level of digital comprehension among factory executives is that of a child: no control, hence no understandability, hence no capability to monitor and grasp the risks associated.
Let's change this.
Interested to know more about OSS Ventures? Contact us.