Building a Business Case with Rockwell Automation for Robust Cybersecurity Investment in Industrial Operations
Kenneth Chong, June 6, 2024

What is Cybersecurity in Industrial Operations?

Cybersecurity in industrial operations, also known as Industrial Control Systems (ICS) cybersecurity or Operational Technology (OT) cybersecurity, is a specialized field focused on protecting industrial environments from cyber threats. These environments include manufacturing plants, power grids, water treatment facilities, and other critical infrastructure. Unlike traditional IT cybersecurity, which deals with data protection, ICS cybersecurity involves securing the systems and networks that control physical processes and machinery. This includes Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and Programmable Logic Controllers (PLC), which are integral to the automation and control of industrial operations.

Industrial operations face unique cybersecurity challenges due to legacy systems, which often lack modern security features and are difficult to update without disrupting operations. The increasing interconnectivity between IT and OT systems further complicates the security landscape as it broadens the potential attack surface. Common threats include malware, ransomware, phishing attacks, and insider threats, all of which can lead to significant disruptions in industrial processes and even pose safety risks.

Bridging the Knowledge Gap: The Urgent Need for Leadership Understanding in ICS/OT Cybersecurity

Leaders in today's digital world know protecting industrial operations from cyber threats is crucial. However, balancing cybersecurity spending with other priorities is challenging. A major issue is that many leaders lack knowledge about industrial control systems (ICS) and operational technology (OT) cybersecurity. They often don't understand the modern tools and methods needed to protect these systems. Historically, IT leaders saw OT systems as less vulnerable because they were usually isolated and had few external connections, making them less likely targets. They also thought attackers wouldn't bother with OT systems since they don't store valuable personal data.

But things have changed. Industrial operations are now more digital and connected, which increases risks. Attackers have realized that disrupting these operations can be very costly for companies, leading many to pay ransom to restore operations quickly. To support OT cybersecurity efforts, leaders need to understand these new risks and the financial impacts of disruptions. By learning more about ICS/OT systems and modern cybersecurity, they can make better decisions about cybersecurity investments.

This article draws on the Rockwell Automation Workbook on how to Build the Right Business Case for Your Industrial Cybersecurity Program.

The Need for Building a Business Case for Industrial Cybersecurity

Building a strong case for industrial cybersecurity helps leaders understand the importance of investing in these protections. This involves identifying vulnerabilities, assessing attack likelihood, and showing that preventing attacks is cheaper than dealing with the aftermath. A convincing cybersecurity case helps leaders prioritize and justify investments to stakeholders, including the board of directors.

Statistics show the urgency: 83% of critical infrastructure organizations have had at least one OT security breach in the past 36 months, and manufacturing cyberattacks cause an average of five days of system outages. These numbers highlight the need for proactive cybersecurity measures. By clearly communicating the risks, leaders can better protect their critical infrastructure, ensuring operational integrity and the continued delivery of essential services. Below are the steps to build a Business Case for Industrial Cybersecurity:

Step 1 - Addressing the Rising Cybersecurity Challenges in Industrial Operations: A Comprehensive Problem Statement and Analysis

Challenge A: Increased Cybercrime, Especially Ransomware

While many leaders may see cybercrime as primarily an IT issue, it poses an increasingly significant threat to OT environments. Cybercrime can lead to unauthorized access, downtime, and the potential for large-scale disruption. Ransomware attacks against industrial systems increased by 87 percent in 2022. Additionally, 29 percent of industrial organizations reported experiencing a ransomware attack in the last two years. These attacks often aim to extort money, steal intellectual property, or disrupt operations. The trend towards large-scale, nation-state-driven disruptions is partly driven by digital transformation, especially the broader and deeper connectivity between IT and OT environments.

Challenge B: Complexity and Connectivity

As industrial systems become more complex, interconnected, and interdependent, protecting the OT environment with a simple air gap is no longer feasible. Increased connectivity with IT systems, the cloud, third-party vendors, and 5G networks introduces new risks to OT networks. This increased complexity demands comprehensive cybersecurity strategies that address the unique challenges of the OT environment. Furthermore, 89 percent of industrial organizations have had their supply chains disrupted due to cyberattacks, highlighting the extensive impact of these threats on interconnected systems.

Challenge C: Increasing Regulation

Industrial organizations face heavy regulations from various sources, such as country, region, and industry. Non-compliance can result in substantial fines. For example, one year after Colonial Pipeline was hit by a well-publicized ransomware attack, the U.S. Department of Transportation recommended a fine of nearly $1 million. This is on top of the already high costs Colonial Pipeline incurred due to days of downtime and recovery efforts.

Challenge D: Skyrocketing Vulnerabilities

Security researchers and vendors continue to disclose new Industrial Control System (ICS) vulnerabilities at an increasing rate each year. The number of U.S.-based threat actors dedicated to attacking industrial organizations has grown by 35 percent over the past year, driving an 87 percent increase in breaches over the same period. These vulnerabilities are challenging for defenders to handle because of their volume and the complexity involved in remediating them. While vulnerabilities in IT environments can often be patched relatively quickly, there are significant challenges in OT environments, including warranties that mandate long acceptance testing procedures and limited maintenance windows.

Step 2 - Proposing Effective Solutions for Industrial Cybersecurity

Next, we will outline the proposed solution to solve the problem. A good cybersecurity business case should show different solutions that were considered and explain why the chosen solution is the best. The description should include the new technology or service, how it will work, and how it will fit with existing systems and processes. This helps leadership understand and trust that the new solution will be smoothly integrated.

The Rockwell Automation Workbook includes a scenario, developed by Rockwell Automation, that gives an example of how to propose a solution. The scenario starts with the Global Manufacturing Inc (GMI) team proposing a project to mitigate the risk of ransomware attacks in manufacturing plants by enhancing network segmentation and filtering within the OT environment. Given the current GMI OT setup, network controls are the most effective means to minimize risk. Unlike the GMI IT infrastructure, OT networks cannot support endpoint security controls due to the diversity of embedded systems and unsupported operating systems.

The proposed solution involves deploying industrial network firewalls to strictly manage ingress and egress traffic to the Plant Demilitarized Zone (DMZ) (Purdue Level 3.5), Plant Operations Local Area Network (LAN) (Purdue Level 3), and Plant Control LAN (Purdue Level 2). By implementing stringent ingress and egress controls at these levels, unauthorized network traffic will be prevented from crossing layer boundaries, thereby protecting vulnerable systems. This solution also enhances GMI’s compliance with industrial cybersecurity best practices as outlined in IEC 62443.
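The boundary rule described above can be checked against observed traffic. The following is an added example, not code from the workbook or from Rockwell Automation: it assigns flows to zones and denies any flow that skips a level or is not on an explicit conduit allowlist. The subnets, the allowlist entries, the sample flows and the Level 4 enterprise zone are all constructed assumptions.

```python
import ipaddress

# Zones ordered top to bottom. Subnets are constructed for illustration and
# the Level 4 enterprise zone is an assumption; the article names the other three.
ZONES = [
    ("enterprise (Level 4)",      ipaddress.ip_network("10.40.0.0/16")),
    ("plant DMZ (Level 3.5)",     ipaddress.ip_network("10.35.0.0/24")),
    ("plant operations (Level 3)", ipaddress.ip_network("10.30.0.0/24")),
    ("plant control (Level 2)",   ipaddress.ip_network("10.20.0.0/24")),
]

# Constructed conduit allowlist: (source zone index, destination zone index,
# protocol, destination port). Everything else that crosses a boundary is denied.
ALLOWED = {
    (0, 1, "tcp", 443),    # enterprise -> DMZ, HTTPS to a jump or relay host
    (2, 1, "tcp", 443),    # operations -> DMZ, HTTPS
    (2, 3, "tcp", 44818),  # operations -> control, EtherNet/IP
}


def zone_index(addr):
    """Return the index of the zone containing addr, or None if unmapped."""
    ip = ipaddress.ip_address(addr)
    for i, (_, net) in enumerate(ZONES):
        if ip in net:
            return i
    return None


def evaluate(flow):
    """Classify one (src_ip, dst_ip, protocol, dst_port) flow record."""
    src, dst, proto, port = flow
    s, d = zone_index(src), zone_index(dst)
    if s is None or d is None:
        return "deny: unknown zone"
    if s == d:
        return "intra-zone"              # no boundary crossed
    if abs(s - d) > 1:
        return "deny: skips a level"     # e.g. enterprise straight to control
    if (s, d, proto, port) in ALLOWED:
        return "allow"
    return "deny: not allowlisted"


def audit(flows):
    """Return (flow, verdict) for every flow the boundary policy would deny."""
    findings = []
    for flow in flows:
        verdict = evaluate(flow)
        if verdict.startswith("deny"):
            findings.append((flow, verdict))
    return findings


# Constructed flow records standing in for firewall or NetFlow logs
FLOWS = [
    ("10.40.5.20", "10.35.0.10", "tcp", 443),
    ("10.40.5.20", "10.20.0.15", "tcp", 445),
    ("10.30.0.8",  "10.20.0.15", "tcp", 44818),
    ("10.30.0.8",  "10.20.0.15", "tcp", 3389),
    ("10.20.0.15", "10.20.0.16", "tcp", 502),
    ("192.0.2.7",  "10.30.0.8",  "tcp", 22),
]

if __name__ == "__main__":
    for flow, verdict in audit(FLOWS):
        print(verdict, flow)
```

Running the same audit over traffic captured before the firewalls are installed shows which existing flows the new rules would block, which helps when planning the maintenance-window cutover.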

The selected vendor will install the firewalls during regularly scheduled maintenance windows to minimize downtime. After the deployment, the GMI security engineering team will manage the solution after receiving appropriate training, and all alerts will be integrated into the existing GMI security operation center (SOC) workflows.

In addition, for complex projects across multiple sites or implementing a full National Institute of Standards and Technology (NIST) Cybersecurity Framework over several years, the solution might start with a Phase 1 project. This could involve risk and vulnerability assessments and setting up threat detection and incident response processes while planning the next phases.

Step 3 - Benefits and Avoidance Costs of Cybersecurity in Industrial Operation Environments

Benefit A: Reduced Downtime

One of the primary benefits of cybersecurity investments in OT environments is the reduction of downtime associated with cybersecurity incidents. Downtime costs in industrial settings can be significant, encompassing lost production, delayed deliveries, spoilage, and idled workers. Below are examples of industries and the ways they can reduce industrial cybersecurity downtime risks:

  • Automotive Industry

Implementing daily, hourly, or real-time asset inventories can significantly reduce these risks. Real-time monitoring allows for the prompt identification and mitigation of potential vulnerabilities. Automated asset inventory systems ensure that all networked devices are accounted for and protected, enabling quicker responses to anomalies or breaches. By maintaining an up-to-date understanding of their network environments, industrial organizations can better defend against cyber threats and minimize downtime.

  • Water and Wastewater Industry

To mitigate these risks, it is essential to implement DMZs, network segmentation, and zero-trust access controls. Network segmentation divides the network into smaller, isolated sections, making it harder for attackers to access critical systems. Zero-trust access controls require continuous verification of user identities and device integrity, enhancing security. By creating multiple layers of defence, water and wastewater organizations can protect their critical infrastructure from cyber threats and reduce downtime.

  • Food and Beverage Industry

Continuous monitoring ensures that threats are identified and addressed promptly, regardless of the time. These services use advanced analytics and machine learning to detect anomalies and respond to potential threats in real time, reducing the likelihood of prolonged downtime. Food and beverage companies can protect their operations, ensure consumer safety, and preserve their reputations by maintaining constant vigilance.

  • Oil and Gas Industry

Proactive measures involve defining roles and responsibilities, establishing communication protocols, and conducting regular drills to ensure readiness. Having a well-prepared incident response team allows for immediate action in the event of a breach, minimizing the impact on operations. The oil and gas industry can respond quickly to cyber incidents, protect critical infrastructure, and reduce downtime by being prepared.

  • Life Science Industry

Implementing a tested and rehearsed recovery plan ensures that the organization can quickly recover and resume operations after a cyberattack. Regular testing and updating of the recovery plan ensure its effectiveness and relevance, enabling the organization to handle any cyber incident confidently and efficiently. By preparing for potential cyber threats, the life sciences industry can protect its valuable assets, maintain consumer trust, and reduce downtime.

Benefit B: Avoidance of Incident Response and Recovery Costs

Incident response and recovery costs for cybersecurity incidents in industrial environments can be substantial. The initial step in incident response is investigating and analysing the incident to determine its cause, scope, and impact. This often involves hiring external cybersecurity experts, conducting forensic analyses, and reviewing logs and data to identify the attack source.

Post-investigation, the remediation of affected systems and restoration of normal operations is crucial. This includes patching vulnerabilities, restoring backups, and conducting system testing and validation to ensure all systems function correctly. In ransomware or data theft cases, threat actors may demand ransom payments to restore access to encrypted data or prevent the public disclosure of sensitive information. Although experts advise against paying ransom, some organizations opt to do so as it may be the fastest and most cost-effective way to restore operations.

Benefit C: Avoidance of Regulatory Fines

Governmental or industry organizations may impose fines on entities that fail to meet security standards or policies. Depending on the severity of the violation, these fines can range from thousands to millions of dollars and can arise from data breaches, poor security practices, and compliance failures.

In recent years, regulatory fines for cybersecurity violations have increased as governments and regulatory bodies hold organizations accountable for data breaches and other security incidents. This trend is expected to continue as cybersecurity threats evolve and grow more sophisticated. For instance, Colonial Pipeline faced a $986,000 civil penalty from the U.S. Department of Transportation after the 2021 ransomware incident.

Benefit D: Strategic Differentiation

As cyberattacks become more common, customers are increasingly aware of the risks of engaging with third parties. A robust cybersecurity program can distinguish an organization from its competitors, particularly for customers in highly regulated industries such as healthcare, government, and energy.

Benefit E: Health, Safety, and Environmental Factors

In the industrial sector, cybersecurity incidents can extend beyond digital system outages to impact the physical world. These impacts may include damage to physical infrastructure, environmental damage from chemical spills or contamination, and threats to human safety.

Benefit F: Reduction in Cybersecurity Insurance Costs

Enhanced cyber defenses can make organizations less risky for insurers, potentially leading to lower premiums or improved terms and conditions.

Supporting Statistics

  • $2M: Average cost of one hour of unplanned downtime in the automotive sector.
  • $500K: Average cost of one hour of unplanned downtime in the oil and gas industry.
  • $500K: Most industrial organizations paid an average of $500K or more in ransom.

Step 4 - Comprehensive Cost Breakdown for Effective Cybersecurity Investment Planning

Once the benefits of a cybersecurity investment are clearly understood, it's crucial to turn attention to the associated costs. Leaders need to comprehend not only the up-front costs of a proposed project but also the ongoing operational costs that will be incurred over time. A comprehensive cybersecurity business case should outline costs in several key categories:

Technology Costs

Any project introducing new security controls or services will have costs associated with purchasing the necessary technology or service. These costs are typically straightforward to obtain from technology vendors and may include:

  • One-time costs: Hardware and software licenses.
  • Recurring annual costs: SaaS subscription fees.

Deployment Costs

Before an organization can realize the value of its investment, the proposed solution must be properly installed and configured. The business case should account for:

  • Hard costs: Consulting and training fees.
  • Soft costs: Labor required to deploy software and hardware, integrate it into existing technical and business workflows, and any planned downtime needed to complete the deployment.

Solution Maintenance

Most cybersecurity solutions are not “set-and-forget.” They require ongoing maintenance to ensure efficient operation and updates to keep pace with the evolving threat landscape. Considerations include:

  • Annual support fees: Typically, 15%-25% of the solution cost for ongoing support and updates.
  • Local support staff: Necessary for deploying security patches and software updates, monitoring the health of the solution, and tuning policies to optimize protection.

Solution Monitoring

Costs are associated with using the new security solution in a production environment. Many security solutions generate alerts that need to be reviewed by staff in a Security Operations Centre (SOC). Costs include:

  • SOC integration: Integrating new alerts into the existing SOC workflow for triage, investigation, and response to emerging cyber threats.
  • SOC-as-a-Service: Given the global cybersecurity staff shortage, managed SOC services are often desirable. If a managed SOC approach is preferred, use this pricing model to estimate solution maintenance costs.

Supporting Statistics and Real-World Examples

To help leaders make informed decisions, it’s important to understand the potential financial impact of cyber incidents and the costs avoided through cybersecurity investments:

  • $2M: Average cost of one hour of unplanned downtime in the automotive sector.
  • $500K: Average cost of one hour of unplanned downtime in the oil and gas industry.
  • $500K: Most industrial organizations paid an average of $500K or more in ransom.
  • $986K: Civil penalty imposed on Colonial Pipeline by the U.S. Department of Transportation after the 2021 ransomware incident.

Step 5 – Calculate Return on Investment

Understanding ROI in Cybersecurity

ROI is a key metric for evaluating the value derived from cybersecurity investments. It gives decision-makers a clear indication of the potential returns compared to the costs incurred. To accurately assess ROI, it's important to consider both upfront expenses and recurring costs over a suitable time frame, typically spanning at least three years.

Calculating ROI

The formula for calculating ROI is straightforward:

ROI = (Income - Expenses) / Total Investment x 100

However, accurately quantifying both costs and benefits can be challenging. Upfront costs may include expenses such as hardware, software licensing, and deployment, while recurring costs encompass items like SaaS subscriptions and maintenance. On the benefits side, factors such as risk reduction and cost avoidance need to be carefully evaluated.

Interpreting ROI Results

ROI is typically expressed as a percentage, but it's important to note that this number shouldn't be viewed as a direct financial return. Instead, it serves as a measure of how much risk can be reduced for the specified expense. ROI analysis helps businesses understand the value gained from their cybersecurity investments and can inform decision-making processes.
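The Step 4 cost categories and the Step 5 formula can be combined into a three-year model. This is an added example, not taken from the workbook: it treats expected loss avoided as the formula's "Income" and the three-year total cost as both "Expenses" and "Total Investment", and it also computes the break-even point. All cost figures, the outage length and the incident likelihoods are constructed assumptions; only the hourly downtime figure and the support-fee range come from the article.

```python
from dataclasses import dataclass


@dataclass
class ProjectCosts:
    technology_one_time: float   # hardware and software licenses
    technology_per_year: float   # recurring subscription fees
    deployment: float            # consulting, training, labor, planned downtime
    support_rate: float          # annual support fee as a fraction of solution cost
    monitoring_per_year: float   # SOC integration or managed SOC service

    def total(self, years):
        """Upfront plus recurring costs over the evaluation period."""
        upfront = self.technology_one_time + self.deployment
        # Assumption: the support fee is charged on the one-time technology cost
        yearly = (self.technology_per_year
                  + self.support_rate * self.technology_one_time
                  + self.monitoring_per_year)
        return upfront + yearly * years


def avoided_loss(incident_cost, p_before, p_after, years):
    """Expected loss avoided: drop in annual incident likelihood x cost x years."""
    return (p_before - p_after) * incident_cost * years


def roi_percent(benefit, total_cost):
    """The article's formula with benefit as income and total cost as investment."""
    return (benefit - total_cost) / total_cost * 100


def break_even_reduction(incident_cost, total_cost, years):
    """Smallest drop in annual incident likelihood at which ROI reaches zero."""
    return total_cost / (incident_cost * years)


# Constructed inputs for a hypothetical plant
YEARS = 3
COSTS = ProjectCosts(
    technology_one_time=400_000,
    technology_per_year=50_000,
    deployment=150_000,
    support_rate=0.20,           # within the article's 15%-25% range
    monitoring_per_year=120_000,
)
HOURLY_DOWNTIME = 500_000        # the article's oil and gas figure
OUTAGE_HOURS = 8                 # assumed outage length per incident
INCIDENT_COST = HOURLY_DOWNTIME * OUTAGE_HOURS
P_BEFORE, P_AFTER = 0.25, 0.05   # assumed annual incident likelihood

if __name__ == "__main__":
    total = COSTS.total(YEARS)
    benefit = avoided_loss(INCIDENT_COST, P_BEFORE, P_AFTER, YEARS)
    print(f"3-year cost:     {total:,.0f}")
    print(f"avoided loss:    {benefit:,.0f}")
    print(f"ROI:             {roi_percent(benefit, total):.1f}%")
    needed = break_even_reduction(INCIDENT_COST, total, YEARS)
    print(f"break-even drop: {needed:.1%} per year")
```

The break-even figure is the number to test with stakeholders: if the project cannot plausibly lower annual incident likelihood by that much, the case has to rest on other benefits such as fines avoided or safety.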

Cybersecurity Imperative: Fortifying Industrial Operations Through Proactive Leadership and Strategic Investments

In summary, the increasing digitalization of industrial operations underscores the urgent need for leaders to understand and address cybersecurity risks in industrial control systems (ICS) and operational technology (OT) environments. Ransomware attacks, regulatory pressures, and escalating vulnerabilities highlight the necessity for proactive cybersecurity measures.

To garner support for robust cybersecurity investments, leaders must articulate the financial implications of cyber incidents, propose tailored solutions, and calculate return on investment (ROI). By embracing comprehensive cybersecurity strategies, organizations can safeguard their operations, mitigate regulatory risks, and enhance their resilience against evolving threats.

Ultimately, by cultivating leadership support and fostering a culture of proactive cybersecurity initiatives, organizations can fortify their defences and ensure the uninterrupted delivery of essential services in an increasingly digital world. We can secure the foundation of industrial operations through strategic investments and collective vigilance for future generations.

Contact Us Today to Learn More about how Rockwell Automation Can Build the Right Business Case for Your Industrial Cybersecurity Program!

Copyright © 2024 Ultech Engineering Sdn. Bhd. All Rights Reserved