Cybersecurity needs focus in a connected world

A colleague of mine was checking his watch intermittently the other day. When I asked why he was watching the time so closely, he responded: “I’m not; I’m just checking my texts.” The fact that I assumed he was checking the time is an example of how technology is now evolving faster than perceptions. That watch may well contain much more information than just the time and SMS, but also emails, fitness stats and more. Masses of data taken from multiple sources, turned into information and communicated — more evidence of just how connected the world has become.

With increased connectivity, however, comes increased risk. Most of us are aware of a need for some level of IT cybersecurity, but now, more than ever, the challenge lies in protecting the OT (operational technology) layer.

In the report ‘Cybersecurity Survey: Major Australian Businesses’ (CERT Australia and the Australian Cyber Security Centre, 2015), it was found that 51% of Australian businesses have experienced incidents in the past 12 months and 5% have had more than 10 incidents. And this is only what was reported. In 2014, CERT Australia responded to 11,073 cybersecurity incidents affecting Australian businesses, 153 of which involved systems of national interest, critical infrastructure and government.

There is a lot of good work being done to help protect these businesses, but most of the dialogue is still about protection of information — a traditional IT approach. In the industrial space, however, there are further considerations. In key critical infrastructure it could be conceived that operational uptime should be prioritised over information security. For example, security checks that delay an email 15 minutes might not be a big deal, but issues with the infrastructure of water or electrical providers can leave entire suburbs without lights and running water.

For this reason, having a consistent standardised approach to cybersecurity and OT is essential. Connected devices in the industrial space have been around for decades and many of these systems may have originally been designed on the incorrect assumption they would never be connected to a wider network. Now the number of connections has exploded and organisations must be committed to going back and redoing risk assessments and safety audits to ensure effective security.

To ensure a resilient and robust system, it should be mandated that any controller of IP-enabled devices on a critical control system meets a certain cybersecure standard for embedded devices. More importantly, it should be expected that the processes and procedures used to develop these devices adhere to robust ongoing maintenance and that cybersecurity is considered throughout the life cycle. The architectures should be designed by appropriately accredited engineers and the systems should be deployed using appropriate cybersecure methodologies. Most importantly, there needs to be ongoing protection through regular awareness and assessments based on current knowledge of the landscape and all of this needs to happen whilst your systems keep running.  

The automation space is evolving at a rapid rate. To ensure a safe and truly cybersecure Australia, we must evolve our industrial automation business practices at an equivalent rate. We need to understand the new normal in order to detect the abnormal and continue to build and operate resilient systems. This will ensure the lights stay on and the taps keep running while you’re comfortably reading those texts on your smart watch.

Bradley Yager has been implementing industrial automation solutions for over 17 years. He is now using this knowledge and experience to steer Schneider Electric’s process automation solutions as Director of Offer Management and Business Development for the Pacific region.