Cybersecurity within manufacturing is often perceived as complicated, expensive, and challenging with its manifold number of cross dependencies.
In numerous meetings with clients, we often encounter similar questions on how to approach highly heterogeneous manufacturing environments in a cost and resource effective way. How can we design, communicate, and implement a manufacturing cybersecurity program that provides real security benefits while avoiding program fatigue?
We, at BxC, have supported various clients, cross-industry and from medium-sized companies to large Dax 30 and Fortune 500 companies and we were involved in building, communicating, and implementing their manufacturing cybersecurity strategy. In this Point of View, we want to share our lessons learned along these journeys by highlighting what you should keep in mind when designing your manufacturing cybersecurity strategy and implementation program.
Today organizations are accustomed to cybersecurity requirements in their IT environment. Measures, such as the implementation of Anti-virus, Firewalls, IPS, and Security Operation Centers, are no longer questioned and seen as necessary throughout the organization.
On the contrary, the perception of cybersecurity measures in the production environment is often not at this level. Efforts are commonly seen as unnecessary for many various reasons: no incidents happened in the past, too expensive for low margin products, and even dangerous to the overall production flow. This suspicion regarding upcoming process and technology focused changes is often observed in production environments as this change usually involves increased efforts and overheads for plant managers, engineers, and operators.
To ensure acceptance for upcoming transformation and pave the path for future remediation programs, it is vital to start early in the communication at all organizational levels. Proving the need for cybersecurity in production is a long and continuous process. Only by involving all relevant stakeholders early, the required business buy-in can be obtained. This buy-in is the key to a successful launch of your cybersecurity improvement program.
The MVP Approach in OT Strategy
A minimal viable product (MVP) approach has become a widespread standard when developing a new product. This approach, known from the Agile manifesto and many management books, can also prove itself useful when developing the cybersecurity strategy for ICS production environments.
The MVP approach aims to start early, already in the assessment phase, to discuss potential future remediation scenarios with the sites. Based on these discussions, assessments and strategy teams can evaluate which possible option provides the best benefit from a cybersecurity perspective while providing the best site acceptance. In addition, this MVP approach provides its benefits at all levels, from the overall strategy to the individual sub-element. In the architecture design, for example, the adaptation of a well-known theoretical model, like the Purdue Model, can be tested at an early stage based on the MVP approach. These steps allow the architect team to tailor theoretical models to the environment and test the approach together with engineers at the sites, thereby proving the feasibility of the architecture implementation.
To execute this MVP approach, assessment and strategy teams require a good understanding of the overall business structure and ICS cybersecurity to allow them to upfront develop potential high-level scenarios. These scenarios provide the foundation for discussing and evaluating the best fit for the individual site and the future cross-site implementation.
However, this MVP approach requires identifying different roles in your organization, particularly the group of early adopters interested in new and innovative concepts.
Fig. 1: Adoption Curve for ICS Strategy key stakeholders
In a successful ICS security improvement strategy, innovators are essential at the management level, as sponsors of the cyber ideas and as support to ensure the budget availability.
In the leading manufacturing site of your scope, early adopters will be the key to a successful implementation of the designed measures. They enable the program to cross the Chasm, making the difference between program abortion and success. In the strategy design, these early adopters need to be involved, listened to and actively engaged in all MVP testing. If fully convinced of the measures, they can be the voice of the strategy in the manufacturing sites and prepare the early majority for the change. They can be site engineers, known as expert in a field, team leads, known for their innovation, etc.
While the early majority does not need to, and cannot, due to time restrictions, be involved in the strategy design, this target group should be addressed through an early alignment on the upcoming agreed and committed measures. Raising their ICS security awareness through foundational training provides the basis for technical implementation.
Plan in Phases
Coming from an IT background and knowing about all the newly emerging risks, strategic plans often aim to provide sites immediately with a maximum of security. Within this approach, it is often forgotten that IT security also went through a learning process and is still in continuous improvement.
At BxC, we advocate for a phased approach to ICS security. We need to ensure that sites have time to adopt the implemented changes and that engineers and operators are not overwhelmed with increasingly complex solutions. This phased approach also provides a way to consider their permanent workload, as they most like have a limited time to implement security measures.
Besides, security is a learning curve: it is essential to grow capabilities onsite at the facilities and to size teams appropriately to handle all planned and implemented measures while providing them a secure environment to manufacture.
Socialize ICS Security early
ICS cybersecurity is, until today, perceived as a niche topic. This is especially true when talking to upper management, and the C-Suits and the learning curve mentioned in the previous paragraph also apply to their perception of cybersecurity.
Socializing upper management with upcoming cybersecurity challenges and maturity steps is essential. The key in any socialization session is to provide a common understanding that there is no “silver bullet” solution to fix all ICS problems. On the contrary, it should be made clear that in the current ICS world, the focus is still on building a solid foundation for future advanced methodologies and tools. While upper management is not required to fully understand the ins and outs of the cyber strategy presented to them, it needs to be communicated transparently, that the cybersecurity will come in different maturity steps and will require permanent improvement.
Include a Buffer & Manage Change
“Culture eats strategy for breakfast,” a phrase originated by Peter Drucker, can easily be adapted for ICS cybersecurity projects by changing “culture” to “implementation.” Despite any level of details and meticulous planning during the strategy development, problems and delays will eventually emerge during the implementation phase.
Therefore, especially during the initial assessment, plan with sufficient buffer. Plan time to reflect: What went well? What did not? How to smoothen the next steps? How to better manage the change? Including this time for change management is essential. If engineers are not put at the center of the approach with dedicated change management and training, even the best planned technical solution might fail in the implementation and the adoption.
Security, if in IT or ICS environments, is never a one-time effort but a continual learning process, improving and operating the provided tools and process.
Despite this being common knowledge in the cybersecurity world, the future operational costs are often neglected during the strategy development.
Planning these costs with the service lines that will handle the future operation and outlining these costs is a must to ensure a future operational environment that is continually providing added security to the manufacturing sites.
Failing to outline future operational costs inevitably leads to scenarios where cybersecurity is not enabling the business but where nonfunctional measures are creating an additional burden for the manufacturing sites.
Plan Your Reporting in Advance
In a cybersecurity improvement program, the reporting structure is complex. Reporting is required to reflect dependencies between IT vs. OT, sites vs. global, operational reporting vs. management reporting, and many more potential organization-specific constellations. Understanding the key stakeholders and planning a simple and efficient reporting structure is essential. Defining representative and interesting metrics for each level of the organization from board to operations and highlight how the defined metrics interact and fit with each other.
This upfront mapping of relationships and dependencies enables a proactive approach required to handle increasing complexity with a growing scope of sites and measures.
An early aligned reporting structure also provides the key to successful expectation management to the different stakeholders as it enables them to have an early picture of the expected outcomes.
A tailored and holistic ICS cybersecurity strategy forms the starting point for all remediation activities to come. To set this foundation and to build on gathered assessment results, it is vital to establish a manageable, realistic, and consistent strategy communicated early to all required stakeholders.
At BxC, we believe that ICS cybersecurity measures need to provide additional benefits besides security to the business and the manufacturing sites. Approaching ICS cybersecurity in a phased approach allows manufacturing sites to adapt to the required changes while utilizing newly established services.
As cybersecurity professionals, we need to keep in mind that cybersecurity strategies are only as good as the following implementation and the long-term operation. Building realistic strategies while considering added benefits, long term operation, and robust cybersecurity measures is an essential starting point to establish a future and digitalization ready manufacturing environment.