This article is part 2 of a series of articles in which we share our knowledge and advice on the topic of industrial security.
In our previous article, we discussed the importance of understanding the processes that support our business objectives, as well as the systems and functions that enable those processes to run efficiently. Now, it's time to focus on how we can optimize and streamline those processes to run smoothly.
To achieve this, we often utilize various domain-specific disciplines such as maintenance, lifecycle management, operations, safety, and security, each with its own specific tasks and responsibilities. For example, let's consider the process of vibration detection. Vibrations can have negative effects on equipment and should be minimized to prevent production downtime. In the past, it was standard procedure to replace vibration dampeners after a predetermined period of time. However, this approach was wasteful (replacing dampeners before they were worn out) and resulted in more scheduled downtime than necessary, which can be costly.
To address this issue, we can install a vibration monitoring system. By monitoring vibrations and identifying when they deviate from acceptable ranges, we can perform maintenance on the dampeners before the vibrations have a significant impact on our systems, and we can also minimize waste by replacing the dampeners only when necessary. While this approach is beneficial for process efficiency, it also introduces some potential issues. Collecting vibration data requires connecting sensors to a network for storage and processing, which may expose the system to outside threats.
In the cybersecurity domain, we often discuss these vulnerabilities (how exposed a system is) and the potential harm they can cause. To mitigate these risks, we may implement an IT risk management system that plans for the likelihood of harm occurring. However, when we apply this IT mindset to the operational world, we may end up calculating risk based only on the impact to a network device, without considering the dependencies and the value of the industrial process to our business objectives. As a result, our risk mitigation efforts may be misdirected.
In other domains, such as industrial process safety, we are skilled at performing risk assessments from a process-level perspective, with a focus on preventing harm to the environment and human health and safety. These risk assessments often use specialized methodologies, but they may not consider the cybersecurity perspective. Additionally, traditional risk assessments in modern operational technology may be performed infrequently, and frameworks like IEC 62443 recommend input from process safety for proper cybersecurity risk management. However, in the era of industrial digital transformation, where the goal is to interconnect everything, we may overlook the cybersecurity aspects of process control systems (the source of the data), increasing exposure and resulting in vulnerabilities that were previously considered irrelevant.
To truly address risk management in a holistic and up-to-date way, we may need to reconsider our approach.
To be continued in our next article...