Re-thinking Cybersecurity to Face the Unpredictable
By Ashish Gaikwad
Cyber attackers are becoming increasingly sophisticated and have already started impacting industrial operations that fuel today’s economies, whether manufacturers, automakers or public service utilities. Attackers look to extract ransom money, disrupt important services, or steal proprietary data that helps stage larger-scale attacks.
In 2017, when the ransomware cryptoworm WannaCry swept through organizations around the world, industries battled to protect their networks and restore critical infrastructure and services that were offline for days. The attack spread through 150 countries, hitting an estimated 45,000 organizations. As the World Economic Forum most recently reported, cyberattacks represent one of the top five risks facing the entire world, behind only weather-related risks like natural disasters and climate change.
India is no different than other countries. With the increasing emphasis on digitalization of Indian businesses and small and medium enterprises (SMEs), it has become essential to understand and deploy advanced cybersecurity measures. Despite an increase in cybersecurity breaches, the country has seen a relatively slow adoption of cybersecurity solutions. According to the EY Global Information Security Survey (EY GISS) 2018-19, only 19% of Indian companies have a sufficient budget to provide the needed levels of cybersecurity.
While corporate IT environments focus on protecting confidential data, when it comes to industrial systems, every minute of downtime or hazardous operating condition counts. Keeping operations safely up and running is the ultimate priority. This emphasis on production uptime is one of several key realities that distinguish industrial cybersecurity from other domains and is driving uptake of specialized services and solutions.
Process control industries are still at the early stages of industrial cybersecurity relative to how quickly risks have evolved. Cybersecurity is recognized as a necessary investment to drive further benefits and especially competitive advantage. Industrial companies across India have millions of dollars of assets already in use and continue to unlock massive new digital benefits through safe use of these assets. Fortunately, experts have already developed industrial cybersecurity maturity models, and mapped out how to develop and run programs to manage cybersecurity risk in particular.
A New Cybersecurity Imperative Amidst New Conditions
The new imperative for industries facing digitization is to re-think cybersecurity in light of vastly changed conditions, some of which include new uses of industrial data. The amount and variation of data flowing through industrial networks has come under renewed scrutiny in our digital age. Every type of data can serve as a building block for major insights, either for the hacker looking to break in, or for the enterprise seeking to drive more operational improvements. Industrial companies are collecting security information and event data and analyzing it in ways never before considered. As a result of the imminent threat and potential for business gain, there is increasing urgency for mining data from industrial networks, starting with safely accessing it from remote production sites and centralizing it for analysis. Solutions that safely automate, simplify and expedite security reporting in industrial settings are top budget priorities for Indian enterprises embracing digital transformation.
Much of the market remains focused on personal data privacy initiatives, including India’s draft Data Protection bill, which is modelled on the General Data Protection Regulation (GDPR) introduced by the European Union. For industrial data, however, attackers care more about correlating machine data or device information to determine how to reverse engineer or destroy industrial operations. Indian companies will need to comply with industrial cybersecurity initiatives, many of which are adapted from US frameworks such as the NIST Cybersecurity Framework or global ISA standards. These include recommendations to segment industrial networks, and other best practices that control how and where data moves. Applying standards can also increase overall resilience by addressing people, process and technology security improvements.
New corporate governance requirements are also nudging Boards and business leaders to assess cyber risks, take proactive actions, and drive cybersecurity awareness, as well as discipline, in their respective organizations. Legal actions against corporations for cybersecurity negligence have ousted CEOs and drained profits in countries such as Norway and the US, which is having a ripple effect as other countries now prioritize cybersecurity.
Skills Gap – A Growing Deficit
As the demand for skilled personnel capable of meeting the challenges posed by these risks continues to rise, the supply simply cannot keep pace. The cybersecurity talent shortage is global and affects India’s organizations as well. A study published by LNS Research in late 2017 revealed that forty-five percent of industrial leaders surveyed agreed that their organization lacks a reliable enterprise leader for cybersecurity. Forty percent had a chief of cybersecurity while 15% planned to get a cybersecurity in-charge within the next year. When it came to the companies’ manufacturing plants, only 35% of the organizations had an established role for cybersecurity. Ongoing innovations in automation, cloud services, and artificial intelligence will eventually help increase talent productivity, but there is an immediate need for investing in enhancing existing staff capabilities and outsourcing specialized roles to cybersecurity experts. This presents a significant opportunity for India, and multi-nationals with locations in India, to fill the gaps through scaling existing cybersecurity consulting teams (e.g. Honeywell) or reskilling technology services teams. A successful implementation will also require national cooperation from government, along with industry, in incentivizing organizations to hire more cybersecurity professionals.
While cybersecurity is a broad subject, industrial control system (ICS) cybersecurity is a specialized branch. The skill gaps and lack of awareness are even more concerning in this space. Oil and gas installations, oil refineries, petrochemical complexes, power plants and distribution grids, pharmaceutical plants, and many other chemical industries are vulnerable to attacks due to lack of awareness of the evolving threats in this space. This needs urgent attention from the CXOs of these organizations, who can engage with ICS cybersecurity experts to mitigate the constantly changing risks. A good starting point is a security risk assessment performed by industrial cybersecurity experts, who can also map the company’s situation against maturity models and other tools to drive improvements.
In general, there is no doubt that industry can forge ahead despite cyber threats, provided companies invest in expertise and solutions to gain better visibility and control over risks specific to their organization. The unique nature of industrial control systems and the serious consequences of negligence further underscore Indian companies’ need to tap into industrial cybersecurity skills and resources, whether local or global.