When it comes to cybersecurity, simply watching the outside is not enough

23 Jul 2020

Wayne Bursey. Image: Siemens

Siemens Ireland’s industrial cybersecurity lead talks about industrial digital transformation and the future of IIoT.

As digital transformation accelerates, cybersecurity infrastructures are more critical than ever. And while it’s vital that businesses look at cybersecurity measures from a remote working point of view, examining industrial and manufacturing security is also vital.

Wayne Bursey is the industrial cybersecurity lead with Siemens Ireland, focusing on operational technology (OT) security for customers with industrial control systems and environments. He recently gave a keynote address at the Global IEEE Cyber Science 2020 online conference.

Bursey spoke to Siliconrepublic.com about his own role and what companies need to consider when it comes to industrial digital transformation.

For many of us, security within manufacturing has been a journey with a real acceleration over the last 10 years since the rise of industry-specific malware like Stuxnet,” he said.

“I try to always stress a proactive approach, no matter how small, has great benefits in reaction and potential costs longer term. Awareness, education and training is a large part of day to day to help highlight the need for robust security, but more severe cyberattacks and growing threats have heightened everyone’s awareness to act.”

‘These systems have the primary function of keeping people and machines safe. Just turning them off to patch is not possible’

Bursey said that, like many other businesses and industries, the increased number of employees within the manufacturing environment working from home has led to the need for remote access to industrial control systems.

“Machine manufacturers and industry vendors who typically manage and support machines or hardware now carry out diagnostics from external networks, which [they] may have typically done on-site,” he said.

Added to this the accelerated adoption of new or remote technology, the further push towards cloud technology, scaling out the remote working and infrastructure all can leave potential security gaps. With more remote workers [and] a wider network to manage, security teams are finding it more challenging in responding to breaches,” he said.

Unique security challenges

Bursey spoke about how control systems in an industrial setting differ from other systems in that they are built to last and have “much longer investment cycles” and are typically in place for more than 10 years, often more than 20 years.

However, this means some of these systems were not built with security in mind or for the connected world they now find themselves in. “This leads to unique challenges for the business. When upgrades take place, there are often subsystems or smaller systems that have been upgraded in faster cycles or get left behind as only a few people might access them.”

Add to this the age of the factory itself, the variations of operations systems and various pieces of hardware, and it gets far more complicated. “The vulnerability management of all these devices can be overwhelming before the operational software comes into security focus. And now the internet of things has been thrown on top, adding more sensors and devices to manage,” he said.

“Due to the operational nature of these systems, they simply cannot be shut down to patch the software. These systems have the primary function of keeping people and machines safe. Just turning them off to patch is not possible. The engineers on-site ensure the uptime of the network above all else to deliver the services and product, like water or medical equipment, to the end customer.”

The future of IIoT

The industrial internet of things (IIoT) is an evolution for the industrial environment and Bursey said it comes with both risk and reward. “Businesses that embrace digital transformation benefit from this technology-driven revolution, but this also increases the attack surface for these systems.

“Sensors are one of the key building blocks to success and the foundation must be the industrial network. Many of these new devices require cloud connectivity, greater bandwidth and produce added data in which the insights of industry 4.0 are constructed and accelerate IT and OT convergence.”

Bursey warned that special attention needs to be placed on the industrial network itself through which all the data travels, including edge and cloud technologies.

“The protection of the data is vital, and the security of the complete system. Once the networks are in place, these need to be monitored for attacks, and access anomalous events and behaviour from within and from the outside,” he said. “Simply watching the outside is not enough as many intentional and unintentional events happen from within.”

Bursey also said that, as digitalisation takes place, more data is generated and accessed, needing better pre-processing at the edge. “Security of all of these plays an important part, holistically and individually. Security is only as strong as its weakest link.

“Sharing of data is also needed from machine to machine and within the smart sensors and IoT devices. Therefore, strong authentication between all these devices, people and machines are key as this expands within manufacturing.”

He added that protecting all of this data is the lifeblood of digital transformation. “This should include unauthorised access, any changes to the data and controlling who has access with fine-grained access control. All these new devices, software and technologies should be designed with security as a focus. This all builds towards a robust security strategy of the overall system inside the manufacturing environment.”

Jenny Darmody is the editor of Silicon Republic