Industrial control systems (ICSs) are a quintessential part of our productive engines. Their development represented a revolution for industrial processes as organizations gained control over every detail, skyrocketing efficiency.
Shortly after their implementation, cybersecurity issues arose. Malicious parties saw major opportunities in cracking their way into these infrastructures and profiting at the expense of companies, causing them serious damage, including those responsible for providing vital services.
Despite the latent risk, negligence in protecting ICSs remains widespread across the industry. Even big companies fail to have the right security mechanisms in place to protect their industrial processes from cyberattacks.
But is protecting them really that important? How relevant is cybersecurity for ICSs? What are companies doing?
A Necessary Upgrade that Made Facilities Vulnerable
Manufacturing facilities, power plants, and wastewater plants used to rely on archaic, unproductive tools to control and optimize their processes. Needless to say, such control and optimization were poor by today’s standards.
These new standards in industrial efficiency came as the result of great innovation, including ICSs. However, the same innovation that brought ICSs also connected them to the Internet, creating opportunities for malicious agents to operate.
This necessary upgrade made facilities vulnerable to external attacks. While the implementation of industrial control systems was swiftly and widely accepted, the proper cybersecurity practices were not. The same controls that were used to optimize key processes in industrial environments were exposed.
The National Institute of Standards and Technology, widely known as NIST, has its take on properly securing ICSs. The System Security Engineering-Capability Maturity Model issued by NIST numbers the core principles in the following way:
Understanding Your Infrastructure as the First Step
As NIST’s first principle suggests, we are first required to identify and understand our infrastructures and their needs. We also need to develop a rich understanding of how to manage cybersecurity risk within the organization, something that often comes in the form of quality training for stakeholders.
Understanding the infrastructure is the essential first step before determining the direction to take. It’s also important to consider that this principle describes an ongoing exercise. The problem is that, in many industries, observation and analysis only occur at the early stages of implementation and then again after an incident has already taken place.
Negligence and Unawareness
Most cybersecurity problems that affect ICSs are the result of either negligence or unawareness. Executives and board members may choose to postpone proper cybersecurity practices or may simply be unaware that such risks exist.
An HM Government survey showed that when it comes to IT and cybersecurity in industrial settings, enterprises have serious problems. According to the survey, 68% of FTSE 350 company board members had no training related to cybersecurity and how to treat related incidents within their organizations. This extraordinary lack of awareness and training is one of the main problems when it comes to protecting ICSs.
The Reason Why
Industrial control systems are responsible for efficiency and productivity in essential industries such as power production and distribution, water treatment and management, and manufacturing. ICSs are present in services our society cannot live without.
So, what would happen if these services were hit by highly destructive cyberattacks? We are talking about millions of citizens having no power, gas, or water, or losing access to essential goods.
Industries, especially those in charge of vital services, must demand and comply with the highest standards in cybersecurity. Specialists should be hired and involved not only to optimize ICSs’ protection but also to provide awareness training to stakeholders within the organization, including board members, who are in charge of making the most consequential decisions for the company.