November 8, 2019 – We read about cyber incidents and data breaches almost daily in the newspaper, and the number of cyber attacks on companies with industrial processes is increasing. Marcel Jutte (Hudson Cybertec) and Jacco van der Kolk (Ministry of Economic Affairs) outlined the problems using practical examples at the Industrial Cyber Security event. They also offered insights on how entrepreneurs can improve their digital resilience. Hudson Cybertec can look back on a very successful event with attentive listeners.
Source: Dimitri Reijerman
Online consumers should always be alert. More media reports on wrongdoing, including cybercrime, are being published, resulting in increased awareness. Businesses have also become more open about cyber security in recent years, except about themselves, says Van der Kolk, who works at the Digital Trust Center of the Ministry of Economic Affairs: a taboo still exists on admitting cyber incidents. Despite legislation, which includes a duty of care for the vital infrastructure, organizations were noticeably reluctant to report cyber incidents.
Jutte adds: “It is still not normal procedure for companies to publish this. Somehow a brand incident is dealt with differently than a cyber incident. Yet precisely through sharing information, the entire industry sector can learn from these incidents. If an OT-device gets infected at company A, the same can happen at company B, you can learn from each other. We do understand that it might cause reputational damage. Unfortunately, the question is not whether you will be hit, but when you will be hit by a cyber incident. It is important to take the correct precautions right now.”
Vulnerability of OT-systems
In addition to the vulnerability of IT-systems, found in almost every company, hardware and software on the OT side is increasingly becoming a risk factor within Industrial Automation. Van der Kolk: “Systems within the OT were autonomous systems for years, separated from the regular IT-systems and definitely not connected to the internet. Some systems have been running for decades and were not designed with security in mind, but mainly with business continuity. Social and economic developments have led to increased connectivity. Increasingly more OT-systems are accessible via the internet. This seems practical for operators to quickly check settings from home. But is this done securely?”
Not only are existing, relatively old OT-systems vulnerable; so are some new components. According to Jutte, thought should be given to new systems as well: “Even now, components are put on the market that are not cyber-secure. This will continue due to companies still choosing to use them consciously or unconsciously. They should be more aware of the risks involved with the use of technology.” Jutte adds: “There are ongoing (inter)national initiatives that will oblige suppliers to support updates for a number of years to their products. Several (European) initiatives exist to introduce a seal of approval for cyber security. Certification of components and parts of the installation on cyber security aspects is very important and more organizations will start demanding proof of cyber security.”
Increase the resilience
During the Industrial Cyber Security event, both speakers presented visitors with several options for improving the resilience of their OT-systems. Jutte gave direction to what a plan of action might look like: “Globally, you need to think about possible actions before an incident occurs and what actions to take during and after an incident. A general lack of awareness of cyber risks and the possible consequences is common. Knowing what is important in your company is a good way to start with awareness. Then ensuring safety through backups, firewalls, good passwords, agreements with the system integrator and the most important thing: ensure that your staff members are aware and create a culture where they feel they can report if something is wrong. This ‘human firewall’ is an important line of defense for your company against cyber incidents and attacks.”
Van der Kolk has some additional tips: “Having a baseline measurement or assessment of cyber security is a good option to start with. The outcome indicates which parts of the installation are vulnerable to digital incidents.”
Role for the government
Van der Kolk also sees a role for the government, through the Digital Trust Center (DTC) for example. “Besides legislation, the government has also taken on the task of helping companies with the organization of information sharing and collaboration on this topic. The DTC has experience on this and supports partnerships in the Netherlands in which companies collaborate on resilience. Additionally, both the government and private parties are involved with national and EU legislation on the quality of digital products and services.”
“There is a program running, the digital hard- and software roadmap, in which the customers’ side is informed, but suppliers and producers will also be held accountable for their responsibility. The government also stimulates scientific research into cyber security by various means. This is initiated from the Ministry of Economic Affairs with the intention of creating a safe environment that allows entrepreneurial Netherlands to further develop itself.”