Electricity + Control August 2019

CYBER SECURITY

Risk management in manufacturing

T he manufacturing sector’s intense focus on innovation, in parallel with its growing reliance on connected networks and products, makes it highly vulnerable to cyber attacks.Yet, according to Charl Ueckermann, CEO at AVeS Cyber Security, the manufacturing sector remains fragmented in its approach to managing cyber-related risks. Ueckermann participated in the panel discussion on cyber security that took place at the Manufacturing Indaba, held at the Sandton Convention Centre in June. “For manufacturing companies,” he said, “the focus has always been on production innovation, operational efficiencies, minimising downtime and keeping the lights on. When it comes to technology infrastructures in the manufacturing sector, the availability of systems has always taken priority over integrity and confidentiality; cyber risk has been a lesser concern. However, in modern manufacturing, where systems are connected to the internet, integrity and confidentiality are starting to play a bigger role. In other industries, such as financial services, the management of cyber risks is already a key focus and confidentiality and integrity of the technology systems they use are prioritised over availability. “Another factor in manufacturing is that traditionally, information technologies (IT) and operational technologies (OT) have been managed separately, in different departments with their own sets of vocabulary and structures. OT departments generally don’t have as much insight

into cyber risks as IT departments and, by default, this means that OT tends to lag behind IT in this regard,” Ueckermann said. “Yet nowadays, the cyber risks for a manufacturing company – and the need for it to protect its data, intellectual property and trade secrets – are no less than for a bank which needs to ensure the confidentiality of customer information and other sensitive data.” Ueckermann added that a cyber breach on an OT system could present a critical situation for a manufacturing business if the health and safety of workers were put at risk or machinery and processes became unsafe. “The good news is that there is no need to sacrifice confidentiality and integrity over availability. In modern manufacturing, cyber risks can be managed effectively with the correct setup of OT networks that continue streamlining production efficiency and capacity.” He advises manufacturing companies to get a firmer grip on the devices in use on their OT networks. “Have a good picture of the status quo . You need clear visibility of your OT architecture and you need to know what devices are being connected to it so that effective security mechanisms can be incorporated into that fabric. No unauthorised devices should be permitted onto the network.” He particularly cautions against the use of off-the-shelf Raspberry Pis for testing in a live, unprotected network that is not physically isolated from the internet. “It is possible to prevent an attack such as that experienced by NASA (the National Aeronautics and Space Administration in the United States) in June 2019,” he says. “According to Forbes, the American business magazine1, an unauthorised Raspberry Pi that was connected to NASA’s JPL servers was targeted by hackers. They then moved laterally, further into the NASA network.” Ueckermann continues: “You also want to find the best practices around cyber security hardening for your supervisory control and data acquisition (SCADA) systems and engage a specialist OT security provider to implement the correct software to ensure that the manufacturing environment is well protected, without compromising machine uptime. “Ideally, in view of the potential health and safety risks that may arise in the event of a breach,

38 Electricity + Control

AUGUST 2019