By Jason Maynard
At the CME (Canadian Manufacturers & Exporters) “Dare to Compete” event in Winnipeg, Canada, likeminded people come together to share their experiences and ideas for the greater good of manufacturing.
The event is community focused and the goal is to connect with peers, drive innovation, and compete in today’s global market. The day began with discussions around company priorities and a need to focus on employees (with retention and obtaining new talent in mind).
It goes beyond obtaining a paycheck. It is the company putting people as the priority, with employees needing to feel their niche in the workforce and understand their company’s purpose among all the white noise.
While the conversation surrounding company and employee focus was a much-needed refresher, what I found most interesting was the lack of discussion around cyber and, more specifically, cybersecurity.
Cybersecurity should certainly be a top priority with any company and this includes the operational environment. Consider the analogy of what makes a car go fast. You might say it is the engine, the driver, or the fuel, but, actually, none of this would be possible without the brakes. Why? Well, without brakes you would only go fast once and the car and driver would not survive and it would be game over.
Cybersecurity is the brakes for your business, which allows you to be agile, go to market faster and, in today’s world, act as a differentiator. Security is advantageous.
Security as an Advantge
During one panel around securing the operational environment, I observed that, although the group was eager to learn, there should have had better representation from both IT and OT teams. This reveals to me that our industry has a long way to go when it comes to securing the operational environment and cybersecurity should be considered a competitive advantage.
Now, we need to ask the question: How do we mature the operational environment when it comes to security? Whatever your role, you should ask or challenge both the operational and informational technology teams on what your security posture looks like for both environments. Note: most of the cybersecurity risks to the operational environment come from an IT based system perspective, so having IT based knowledge provides an advantage. In the end, it is all about these teams coming together:
• Operational teams (OT) can educate informational teams about how the operations environment works, and the risks associated with it.
• Informational teams (IT) can educate operational teams around managing devices, keeping them updated, having visibility, and control to name a few.
Next, it’s time to consider the following when securing the operational environment, broken into phases:
• Phase 1
o Control points in place – this would include boundaries with L3/L4 control. Primarily, control between the business (IT) and operational environment and extend this where appropriate.
o Segmentation – this includes managed switches and VLANS separating for example Safety Instrumented Systems from Control environment.
• Phase 2
o Advanced inspection – this may include IDS/IPS, Advanced Malware Protection, Application control. Consideration needs to be made around whether one alerts vs. taking action such as a block – this is where Operational teams provide much needed insight.
• Phase 3
o Visibility – know the environment leveraging flow – this is to your advantage. The operational environment is static in comparison to the business network (IT). Identify the devices operating within the environment.
o Policy Driven Response – the ability to empower OT teams to drive intent and having policy driven controls to allow the intent minimizing cybersecurity risk and operational impact.
There are many other items to consider, such as supply chain, remote access, cloud, and multifactor authentication to name a few. But let us ensure that, regardless of technologies leveraged, that we are all asking the questions and moving the ball forward and leading the industry by uniting the operational and informational.
Security is a tough business, and it has a long way to go, but done properly, it can be the ultimate competitive advantage.
Jason Maynard is a senior consulting systems engineer – cybersecurity at Cisco.