As October comes to an end, we wrap up “Cybersecurity Awareness Month” as well as “Manufacturing Month”. Over the past 30 days, we hope that the message got out and that manufacturing cyber security awareness is at least a little higher than it was on October 1st.
Cyber Security Awareness
Over the past month, we not only tried to do our part to raise awareness, we tried to analyze what seems to drive greater awareness. Using Google analytics, we looked at the search trends for the past five years or so. If searches are a measure of awareness, there has been a steady directional increase over the past five years.
The above chart shows some level of success in that people are more aware and more interested in cyber security over the past five years. Unfortunately, the most likely reason for a greater level of awareness has little to do with proactive measures by government or industry officials. It likely has much more to do with the proactive measures of our enemies.
The below chart specifically looks at search trends for ransomware over the past five years. Those spikes in interest are the dates of the explosion of Wannacry and NotPetya during spring/summer of 2017. As is often said, humans tend to only respond after the attack happens.
The even more disappointing part of the chart is that the search volume essentially flat lines after that pop. Unlike the overall cyber security trend of awareness, ransomware awareness seems to remain flat until a big event – but by then it could be too late.
At Verve, we specifically focus on Industrial/OT/ICS/Manufacturing/Critical Infrastructure cyber security.
For those search terms, the volume is so low that Google warns users that the data is possibly not representative. The reality is that even with ours and others’ best efforts, the awareness specifically on the security of control systems is well below what it needs to be to secure them appropriately.
Some analysts or critics argue that cyber security vendors spread fear, uncertainty and doubt (“FUD”). However, the reality is that the risks to industrial control systems is significant, and potentially very expensive and lethal.
We have had a seat on the front line of this battle for over 25 years since Verve’s founding. We have seen cyber security awareness “spurts”, first during the increasing focus within the North American power industry through NERC CIP, then the Stuxnet disclosure, and more recently as ransomware has spread from IT into OT, costing billions of dollars in manufacturing outages such as that at Mondelez, Merck, Norsk Hydro and others.
Cyber Security in Manufacturing
Manufacturing cyber security is less well known, but can pose even greater financial, operational, and safety risks than IT security. The impact can be catastrophic – from disruptions to manufacturing lines, to power outages, to water quality impacts, to potential for critical medical supplies to become tainted. These are not to mention the human safety elements that can be caused by malicious changes to manufacturing processes that can place employees or neighbors to manufacturing plants at risk.
However, there are many individuals in large and small companies that understand this threat and are trying to make a difference. They are attempting to explain the risks and the potential solutions to management teams. We hear you.
5 ways to increase OT or ICS cyber security awareness in your organization:
- Provide easy-to-digest reading that explain the possible risks and impact of cyber threats in industrial environments. One suggestions would be Andy Greenberg’s article in Wired on NotPetya’s impact on Maersk and Rob Smith and Rebecca Berry’s article in the Wall Street Journal on the security “back door” into the U.S. power grid, or for a longer read Kim Zetter’s book Countdown to Zero Day about Stuxnet.
- Introduce cyber security into current planning exercises. In almost all industrial or critical infrastructure organizations, there are a range of processes that attempt to quantify and prioritize risks – from business continuity planning to hazops planning. Instead of trying to create a whole separate effort from the start, get people to agree to include cyber as a component of these exercises. It will not necessarily get you a full assessment, but it can raise the awareness enough to begin a deeper dive.
- Bring OT/ICS representatives into the cyber security leadership team. In many organizations, CISOs and security leadership are aware of the risk, but find pushback from the process control or operations leadership. We have seen several clients find success by bringing experienced, well-respected controls system leaders onto the cyber security leadership team, exposing them to the security risks on IT so they can help translate into the OT environment.
- Engage in an assessment. Obviously, this usually requires budget and time. The good news, is that even a very small, inexpensive assessment can carry significant weight. At Verve we do “light assessments” using a partial deployment of Verve on a regular basis. It is a fast, inexpensive way to demonstrate with hard data how the ICS/OT risks compare to the overall cybersecurity risks in the organization. If more budget is available, one can pursue a more comprehensive assessment. But you don’t need to be stymied if budgets are slim initially.
- Explain the potential revenue benefits, not just the costs. In many cases, new regulations are placing greater emphasis on cyber security. Getting out in front of these requirements will enable the organization to potentially save costs and get be ahead of competitors in potential contracts. Perhaps the most obvious area here is in the defense industrial base where the CMMC standards will soon be in effect. Companies who have their processes in place and compliance early stand to reap significant benefits.
Obviously, you can also call us and we would be happy to share with you and your team the reality of the risks present to manufacturing and industrial systems.
As they say, “admitting you have a problem is the first step to recovery”. We hope the above suggestions can be an initial step in that journey.