While companies and government organizations struggle to protect data from being breached and compromised, there is little discussion in today’s security debates on the need to secure critical infrastructure. The Industrial Internet has tremendous potential, but it also has greatly expanded the threat landscape.
In 2014, Unisys and Ponemon Institute published the findings of a study of 599 respondents across 13 countries in industries including utilities, oil and gas, alternative energy and manufacturing. Of the many findings, two stats really stood out like a sore thumb:
- 67 percent of companies with critical infrastructure suffered at least one attack in the past 12 months.
- 78 percent of companies expect a successful exploit of their Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) Systems within the next two years.
But get this: a year later, Raytheon and Ponemon Institute published a report in which 66 percent of respondents said they are not ready to address security issues inherent within ICS and SCADA Systems.
Frightening statistics, to be sure. But we are not without options.
Securing ICS and SCADA Devices
Historically, ICS and SCADA systems have been isolated or “air-gapped” from the traditional IT network and consequently protected from most threats. However, as the number of interconnected devices grows rapidly, ICS and SCADA systems are now accessible and becoming high-priority targets for hackers. The industry has made some good strides to improve disclosure of these vulnerabilities, but it can’t end with system operators.
Device manufacturers of critical infrastructure must take action to improve the security of their devices. These improvements will reduce liability from cyber attacks, improve customer retention, and protect brand equity for both the device manufacturers and their customers.
Where to Begin
There are many steps device manufacturers can take, but here are a few to consider:
- Start with a thorough security assessment and gap analysis. This can be performed internally with the right skills, or by a third party with expertise in operational technology (OT) security. This will provide a solid baseline from which to build security objectives, goals and implementation strategies.
- Work through your processes, networks and equipment to identify, quantify and prioritize potential vulnerabilities.
- Then test your process, facility and devices to identify vulnerabilities. Whether manufacturing embedded devices, host devices, control applications or network components, consider bringing in experienced industrial security experts to help ensure you are developing highly secure, quality products with low risk of vulnerability exposure to system operators.