The level of technical automation in large-scale industry is rising fast, making this sector vulnerable to all forms of digital crime. The same applies to vital infrastructures such as energy distribution, automated bridges, locks, pumping stations and flood defenses. It has become a widely heard statement: ‘Shut down these crucial facilities unauthorized with their high level of automation, and the whole country is going down’.
To prevent this, the sector must comply with increasingly strict national and international regulations in the field of cybersecurity. These cover not only organizational and administrative matters, but also the automation of the primary technical business processes.
Demonstrably competent
To be able to comply, these organizations in turn place increasingly high demands on their suppliers and service providers among industrial-technical small and medium-sized enterprises (SMEs). This sizeable and important category within the Dutch economy includes machine and equipment builders, automation and installation companies, consultants, system integrators and inspectors. All of these parties must be able to demonstrate their professional competence in industrial-technical cyber security, both among themselves and toward clients. This is the only way digital security can be integrated within the chain of industrial supply and outsourcing so that it complies with international legislation and standards.
SMEs
One out of five SMEs has been a victim of cyber-crime in the past, says Marcel Jutte, managing director of Hudson Cybertec, the independent cyber security solution provider for the IACS domain (also known as Operational Technology, OT). So far without major consequences, but that can change quickly. Because of the recovering economy combined with a rapidly growing shortage of technically skilled personnel, industrial SMEs are increasingly automating their own production processes. With this increased automation, the same security rules and standards must be observed as those used by their clients.
The weakest link
Jutte: “Especially in the Netherlands, these SME organizations produce high-quality automated machines, products and subsystems for large, vital and vulnerable infrastructures and branches of industry nationally and internationally. The SMEs are in danger of becoming the weakest link in the cyber security chain. They usually manage their internal administrative and logistic automation adequately, just like the industrial automation that they use in their own production lines, machines and subsystems which are delivered to other branches within the industry. But this does not yet apply to its demonstrable protection against cyber-crime.”
Airtight
With the digitalization of society, an airtight international system for cyber security becomes a necessity. The European Directive on Network & Information Security (NIS), called the ‘Netwerk en Informatiebeveiliging-Richtlijn’ (the NIB-Richtlijn) in the Netherlands, will become mandatory. In the Netherlands this is achieved through national legislation, the ‘Wet beveiliging netwerk- en informatiesystemen’ (Wbni), by the end of this year.
Branches like hospitals, communication and energy companies, and the high-risk branches within heavy industry will have a duty to report, just like the asset owners of vital infrastructures.
In that context, companies and organizations must set requirements for their technical suppliers and service providers in the SME sector. Several government agencies, end-users in the vital infrastructure, as well as some of the first industrial installation companies and system integrators have already had their specialists certified by NEN for their knowledge of the IEC 62443 standard.
SME-assessment
Hudson Cybertec is expanding its services to the industrial-technical SME sector. The Ministry of Economic Affairs and Climate Policy is also increasingly supporting this link in the security chain. This is done in cooperation with other companies in the sector and entrepreneurial organizations in the Netherlands, involving collaboration with universities, knowledge centers and companies like Hudson Cybertec.
The independent cyber security solution provider Hudson Cybertec has developed a specialized short ‘cyber security assessment’ or ‘cyber security scan’ for entrepreneurs in the industrial-technical SME sector, which is based on the IEC 62443 standard.
Jutte: “These companies are already in contact with IT specialists, but mainly about administrative automation. But now it is about the automation of cybersecurity in their own production systems, and the machines and technical systems they deliver to their clients. When they employ system integrators, consultants or their own employees who have been trained and certified for this, they have already complied with a large part of the stricter requirements.”
HUDSON CYBERTEC