This website uses cookies primarily for visitor analytics. Certain pages will ask you to fill in contact details to receive additional information. On these pages you have the option of having the site log your details for future visits. Indicating you want the site to remember your details will place a cookie on your device. To view our full cookie policy, please click here. You can also view it at any time by going to our Contact Us page.

Close

Mitigating cybersecurity threats

14 September 2020

Cybersecurity is not a ‘thing’ it must be an ongoing commitment for food and beverage organisations to ensure a safe food supply and reliable operations, argues Michael T. Lester. 

Investment in automation and industrial internet of things (IIoT) technologies is presenting food and beverage producers with a number of significant benefits. These include the ability to identify failing equipment earlier and reduce downtime, improve quality, and maximise production. When IIoT devices are used at the network edge, data can be collected and analysed in real-time, helping to identify necessary interventions to ensure food safety. However, as plants become more digitally connected, their exposure to cyberattacks can increase. 

A recent report by Imperva revealed a spike in targeted attacks on food and beverage industries, across multiple countries amid the COIVD-19 pandemic. As a result, many producers are hesitant to implement solutions that will improve efficiency and productivity. 

Although standards exist relating to the security of automation technology, a particular problem faced by the food and beverage industry is the complexity of equipment and systems that are often implemented piecemeal and this can lead to disjoined systems, legacy equipment and a range of vulnerabilities. 

According to research by the Food Protection and Defence institute (FPDI), which was supported by the United States Department of Homeland Security, industrial control systems (ICSs) used within food and beverage production are increasingly exposed to cyber-attacks. The need to protect food supply only heightens the importance of good cybersecurity practices by manufacturers. One of the largest contributors to that growing cyber risk is the widespread presence of outdated ICSs. Legacy systems bring increased security concerns and the need to maintain high levels of consistency with ingredient ratios, requires reliable and secure operations to stay competitive and deliver returns. 

As a result, personnel associated with the plant control systems need to be familiar with cybersecurity tools such as firewalls, endpoint protection, network switches, security patches, security monitoring and intrusion detection, all normally the realm of the IT department. It also means that collaboration between the company’s IT and process control departments becomes more critical, especially when a company is digitally transforming the plant and/or updating legacy systems. The IIoT and the implementation of new technology often means mobile, wireless, third-party dependencies and cloud-based systems, which although are generally more efficient, do increase the attack surface for those intent on doing harm. 

Organisations face various risks, from unwitting insiders to targeted attacks from criminal organisations, with a major concern that process conditions are compromised and products are inadequately sterilised, resulting in food born illness and recalls. It is therefore important to establish and maintain a cybersecurity culture throughout the entire organisation – from the executive office to the plant floor – wherever an incident may occur. Normalising the language across organisational and geographical boundaries is key to a successful strategy, concept of operations and incident response procedures when needed. It is imperative that companies remain vigilant in identifying vulnerabilities and embedding cyber risk management into everyday business practices. Having the right systems in place to provide protection is crucial. New control systems allow for a more cyber secure operation, but protecting the installed base is where there are significant challenges. 

Defining IIoT cybersecurity
Data typically lives in three operational areas of the plant – safety, control and analytics. From an IIoT perspective, any data living in the safety and control areas should be for monitoring or read only and sometimes data diodes or other security controls are used to ensure this is strictly maintained. The separation of capabilities relative to the operational areas is paramount to maintaining the operational integrity and security in each. In the analytics area, it is critical that architectural and operational security be maintained to prevent access or `harm’ to the safety or control functions.

Since most IIoT solutions exist in both the IT and OT domains, it is important for cybersecurity experts to develop the right plan that can attain the right level of security. There are a myriad of standards and practices that revolve around IIoT. However, knowing which will provide the right approach and level of cybersecurity is not always straightforward. The answer is likely to be a combination of multiple standards such as IEC 62443 and IEC 27000. 

The goals of IT and OT stakeholders must also be reviewed, and requirements established to avoid gaps and risk to operations. It is important for each function to understand each other’s strengths and how to achieve business goals whilst maintaining the highest levels of security. Each expertise brings something different to the table, with IT having a highly standardised process and OT having a more engineered solution. Collaboration is vital in this space. Companies must also establish who is accountable for individual IIoT solutions. A matrix should be developed to determine key accountability areas as well as identify the right resources and skill sets required to operate and maintain solutions. There is a fear that new connections for IIoT will lower the security posture, but if trust zones, conduits and system interactions are secured to the right level, then that need not be the case, although varying degrees of monitoring and management may be necessary.

Rip and replace?
Starting small and expanding efforts can be the best approach. Companies can begin with whatever solutions they have in place and leverage that technology to keep costs down while achieving higher levels of security. This will require some work, as cybersecurity is often complex and requires continuous improvement. To achieve secure interoperability between legacy systems without modern security capabilities and new IIoT solutions often requires an engineered solution. That will require the end user and ICS vendor to work closely to create secure solutions that meets the requirements and objectives. However, technology is only part of the solution, with people also being an integral part of a secure digital transformation. 

New approaches
To safely bridge the OT and IT environments new approaches to security are needed. Secure First Mile connectivity is one such approach, offering architectures that facilitate the secure transfer of plant data to external applications, expert services or mobile users. Getting data securely from the sensors in the OT environment to the analytics or services in the IT environment can be achieved using various architectures and the existing infrastructure of the facility will often dictate the best approach. 

Cloud security
Although not suitable for every application or system, cloud technologies, as part of an overall solution to provide near real-time data related to equipment or specific parts of the operation, are becoming more common. Private, public and hybrid cloud are all ways of hosting or delivering compute power and applications. Selection will be based on cost and security capabilities. Cloud providers like Microsoft offer a tremendously effective way to deliver secure solutions. 

Microsoft invests nearly $1 billion annually in cybersecurity. Some of the benefits of that investment include certified data centres, secure connectivity solutions and edge technologies to manage secure connectivity with end user networks and devices. Other benefits include data governance and protection, geo-fencing the data, data leak prevention, data sharing, providing more reliable back-up and recovery systems leveraging native loud capabilities to protect data.

Conclusion
Having the right systems in place to provide protection from cyber threats is crucial to ensure a safe food supply and reliable operations. Each organisation is unique, requiring a purposeful approach when selecting the technology and qualifications that will best serve its needs. Cybersecurity does not fall to one person or technology to protect against the threat actors of today and tomorrow. It must be accomplished through collaboration and a culture of ownership similar to industrial safety. Cyber security is not a ‘thing’ it is a ‘commitment’ for the organisation. It takes people, processes and technology to accomplish good cybersecurity. There is no magic bullet, shortcut or effortless way to accomplish foundational levels of cybersecurity.

Michael T. Lester is director of cybersecurity strategy, governance and architecture at Emerson.


Contact Details and Archive...

Print this page | E-mail this page