By Stefan Woronka
Tackling cybersecurity in a manufacturing business might sound like it involves rocket science, but it doesn’t.
It starts with the identification of risks in operational technology, continues with gaining an understanding of related assets and the allocation of resources, and finally takes in the appointment of new staff in management and workforce.
1. Add industrial cybersecurity to your risk register
Most companies manage their risks based on an agreed tolerance for specific hazards. One common shortfall is that companies concentrate on office IT rather than taking a holistic view – some even omit operational IT and production systems from their risk register.
This one-dimensional approach is fraught with danger. Such companies should ask their manufacturing managers: “What is the cost of one hour of not producing any products?” The answer will show why wise companies take time to identify manufacturing risks.
2. Keep an asset inventory
Part of managing risk is to have a full view of every operational asset. It starts with getting to know which machines you have and continues with gathering knowledge of their components. The information you list should include make, model, firmware level, the applications that are running and so on. The greater the transparency, the easier it is to manage risk.
Once you equip yourself with that level of detail you will be able to find out whether any vulnerabilities exist for a particular piece of kit.
Another risk is ageing equipment, which is more likely to have obsolete components. If these fail, they may be hard to replace. If a hacker targets them, they could gain access to your system. Either way, it will affect your production process. Having a complete list of operational assets helps to identify weak links.
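As an added illustration (not part of the original article), the sketch below holds the inventory fields listed above and checks each asset against vendor advisories and support status. The makes, models, firmware versions, advisory id and the `vendor_supported` flag are all constructed assumptions.

```python
from dataclasses import dataclass, field

def ver(s):
    """Turn a dotted firmware string such as '4.2.10' into a comparable tuple."""
    return tuple(int(p) for p in s.split("."))

@dataclass
class Asset:
    tag: str
    make: str
    model: str
    firmware: str
    applications: list = field(default_factory=list)
    vendor_supported: bool = True   # assumption: False once the vendor declares end of life

@dataclass
class Advisory:
    ident: str      # constructed placeholder id, not a real advisory
    make: str
    model: str
    fixed_in: str   # first firmware release that contains the fix

# Constructed sample data: every make, model and version here is invented.
INVENTORY = [
    Asset("PLC-01", "ExampleCo", "X100", "4.2.9", ["line-control"]),
    Asset("PLC-02", "ExampleCo", "X100", "4.10.0", ["line-control"]),
    Asset("HMI-07", "ExampleCo", "P20", "1.3.0", ["operator-panel"], vendor_supported=False),
]
ADVISORIES = [Advisory("ADV-PLACEHOLDER-1", "ExampleCo", "X100", "4.10.0")]

def weak_links(inventory, advisories):
    """Return {asset tag: [reasons]} for every asset that needs attention."""
    findings = {}
    for a in inventory:
        reasons = []
        for adv in advisories:
            same_kit = (a.make.lower(), a.model.lower()) == (adv.make.lower(), adv.model.lower())
            # Compare versions numerically: as plain strings "4.2.9" sorts after "4.10.0".
            if same_kit and ver(a.firmware) < ver(adv.fixed_in):
                reasons.append(f"{adv.ident}: firmware {a.firmware} < fixed {adv.fixed_in}")
        if not a.vendor_supported:
            reasons.append("obsolete: vendor no longer supports it")
        if reasons:
            findings[a.tag] = reasons
    return findings

if __name__ == "__main__":
    for tag, reasons in weak_links(INVENTORY, ADVISORIES).items():
        print(tag, "->", "; ".join(reasons))
```

Recording firmware as a structured version rather than free text is what makes the comparison reliable; an inventory that stores "4.2.9" and "4.10.0" as plain strings would rank the older release as newer.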
3. Allocate resources
The process of managing risks systematically will require resources: specialised staff and a budget. You may already have a unit that covers cybersecurity but you should consider bringing on workers who have a deep understanding of machinery and manufacturing processes.
Bringing the two entities together can have advantages. Bear funding in mind: IT will be used to working within a budget, but manufacturing units’ operational spend is usually tightly controlled. Assigning funds specifically to reduce cybersecurity risks helps to bridge this gap.
4. Ways to beat the skills shortage
It can be difficult to find people with the right skills to approach cybersecurity from an operational point of view. This is not unusual as it requires multiple talents.
There are three ways to solve this: a company can select from its own employees who want to move into new roles, it can hire new employees, or it can outsource the work to competent companies that know about cybersecurity in the manufacturing environment.
The solution is likely to be mix and match – but you should always bear in mind the potential of current employees who are willing and able to move into cybersecurity, bringing their organisational knowledge with them.
Stefan Woronka is vertical service manager at Siemens AG