As manufacturers begin their journey to securing their estate, this article shows the next steps for implementation.
Our last blog explored the background of cyber security in operational technology (OT) and the risks businesses should take into account as they begin their journey to securing their estate. This article will outline in more detail the next steps for implementing this level of security.
Many businesses may be at the starting point of their journey. The ‘plan, do, check, act’ approach allows them to undertake the appropriate checks of identifying the assets, threats and vulnerabilities they may face in their business context, performing the risk assessments and risk treatment plans, followed by the ongoing management of these risks and remediation activities.
A business’ objectives, risks and priorities should help define the importance of each manufacturing site, as well as the value and costs associated with each site. This can then inform the cyber risks and priorities to determine the potential impact caused by an OT cyber attack on the business, and how remediation activities may best be approached.
Your key starting steps are:
Following these steps will set the direction for sustainable and proactive cyber security practices within your business.
PwC’s 2021 CEO Survey identified that respondents perceive the risk posed by vulnerabilities in the supply chain to be low. However, in reality, we have seen an increasing number of cyber attacks originating in the supply chain, whether from the start of the chain or from a point further along it. This contradiction highlights the importance of understanding the risk your supply chain may pose to you, as well as the risk you may pose to your own customers.
To protect against these attacks, businesses should start by questioning third-party suppliers and contractors on their level of security, and ensuring that it meets your minimum requirements. If third-party vendors require direct connectivity to your systems (for example, remote access), then it is your responsibility to ensure the service being provided is secure and remains that way.
Original equipment manufacturers (OEMs) rely heavily on their supply chain, and have therefore been increasingly mandating minimum standards of cyber security for their suppliers. This means that OEMs are starting to make difficult decisions on the degree of security to implement. For example, in the automotive industry, supply chain standards are starting to emerge, such as UN WP.29’s cyber security provisions for automotive suppliers, and even industry-backed standards like TISAX.
People and culture are important aspects of a security mindset and of the long-term journey for businesses. Cyber attackers target companies through any means possible - including human weakness. When considering people, processes and technology, businesses tend to invest in processes and technology, but not enough in people; only 35% of UK manufacturing firms are focusing on staff cyber security training over the next six months. Even so, training and awareness are not enough on their own to address the importance of people as part of an organisation’s cyber security efforts; they alone do not change how people behave. So, it is important to understand what drives and influences behaviour.
Organisations can transform their security culture by incorporating security from the top. This means understanding the organisational culture and integrating a security mindset through common and standard ways of working as well as prioritising security in decision making at executive level. These actions can shine a spotlight on key behaviours and challenges and, with meaningful metrics in place, will monitor and drive positive change.