Across the energy industries, it’s now commonly recognized that if you have critical infrastructure, you are not only at risk, but will likely experience a cyber incident at some point. So, what can you do to mitigate this risk, and what cyber security myths still exist in the industrial digital journey?
Myth 1: Cyber security is cumbersome
A common perception is that cyber security is too challenging and difficult to implement in a plant or across a fleet. This doesn’t have to be the case. In reality, we just need to acknowledge that the implementation of cyber security practices requires a multi-year strategy. Having a standard baseline and following a reference architecture can provide standardization to help you think through your approach strategically, with standards aligned to your business strategy.
Myth 2: Cyber security is out of grasp
Everyone in the industry is on a digital journey, but not everyone is doing the basics. The tools exist, but often their application is in the IT space, rather than the OT space. When IT and OT are integrated, the benefits of information technology systems used for data-centric computing working alongside operational technology systems used to monitor events, processes and devices can be realized.
Myth 3: Cyber security has a negative impact on operations
Cyber security tools are not just IT tools anymore – they are just as effective in reducing manual maintenance activities to free up resources and time to concentrate on operations. The myth makes us believe the impact will be increased downtime, yet a modern cyber security system should protect against industrial vulnerabilities across plants, simplify secure day-to-day operations and support compliance activities, allowing people to focus on revenue-generating operations, not routine security.
Myth 4: Cyber security risks can’t be planned for
It’s ‘not if but when’ when it comes to the real threat of an industrial cyber-attack. While cyber-attacks are impossible to prevent completely, they can still be controlled and minimized with proper security measures. It’s imperative to have these measures in place before, during and after an incident, whether that’s a breach of perimeter security or one that comes from people or phishing. Implement baseline controls upfront, so that when something happens the organization is ready to deal with it. Then, afterwards, there are ways to minimize the impact and understand which assets and software require immediate focus. A cyber security life cycle is required to identify what needs to be protected, how protection will be implemented, how incidents will be detected and responded to, and how recovery will take place, as well as to ensure ongoing compliance.
It is highly likely that all organizations will eventually experience a security incident. The impact of such events is largely determined by the strength of corporate incident response programs.
Cyber-attacks are real. Across the energy industries, customers are looking for ongoing support and expertise in cyber security. Energy industry professionals know they need to manage risk and threats, but they face several challenges in doing this effectively. Greater knowledge of what is a myth and what is a reality is something our expertise in this sector can assist with, by increasing awareness and understanding, promoting resilience and optimizing performance.
The reality is that 100% – or absolute security – is not possible. Cyber security is a journey and a process, not a product and an end destination.
Dee Kimata, Global Product Manager – Cyber Security (Energy Industries), ABB