Making Cybersecurity Approachable


Providing cybersecurity context, encouragement, protection and detection for users in multiple process industries

There’s no way to go it alone on cybersecurity. Because no one knows everything, even the most informed and competent end user is going to need help from someone with more know-how and information about a certain device, software, best practice or other protection their process or facility requires. Mere mortals usually need cybersecurity help just to get started. Fortunately, there are many well-informed and generous sources that can provide history, education, encouragement and solutions to make cybersecurity projects workable, efficient, thorough, cost-effective and reliable over the long term.

IT vs. OT to Ethernet and IIoT 

Laurie Cavanaugh, business development director at E Tech Group, reports that cybersecurity’s recent evolution is a natural outgrowth of operations technology (OT) and information technology (IT) learning to work together and speak each other’s languages.

Cavanaugh explains that OT and IT must cooperate on their organization’s overall cybersecurity assessment, which will give a true reading of its OT assets, PLCs and unmanaged devices, as well as its network topology, managed switches, firewall protections and IT-related components.

Un-flatten your network

To begin addressing some of the IT-based tasks that cybersecurity requires, individual process and site characteristics can show what gaps need to be filled, and point the way to the most suitable and effective remedies.

Detection tools reduce insurance cost

Back at E Tech, Cavanaugh reports it recently worked on cybersecurity with a large metal processing company, and discovered that 80% of its in-cabinet switches were unmanaged, and 40% of its PLCs were non-compliant with cybersecurity requirements. Plus, it was running old DeviceNet protocol and other obsolete systems that were exposed, and it didn’t know if the HMIs on its control network, which typically require access via a VPN, were also exposed to the Internet and vulnerable. “This company began to move on cybersecurity when it realized its insurance provider raised premiums and reduced coverage after a review of two manufacturing sites. Having a cybersecurity plan in place, and acting on the remediation recommendations, helped them have a new conversation with the insurance company,” says Cavanaugh. “Similarly, other users like water/wastewater utilities are talking more with each other about cybersecurity, and working amongst themselves, where they used to be less likely to share best practices.”

Tim Ingalls, cybersecurity expert at E Tech, adds that cybersecurity is also ramping up among the biotechnology firms it serves, but they must also resolve conflicts between costly processes that can’t be interrupted and IT-based demands to periodically shut down networks for patching. “Most biopharmaceutical systems are also validated, so they can’t be altered whenever users desire. They should also be built with network layers, demilitarized zones (DMZ) and barriers around everything to reduce risk,” says Ingalls. “Microsoft famously applies patches on Mondays and Tuesdays, but if a planned patch from IT requires a production system to be revalidated, then OT will likely need to sequester and delay it until it can be applied safely.”

“Sometimes IT is afraid of OT, so we bridge gaps, run scans on the OT side, address their trust issues, and encourage them to acknowledge that they didn’t get along in the past. This helps them decide who’s responsible for what from the top floor to operations. This also means determining what’s in IT’s bubble of responsibility and what isn’t, and many organizations are still trying to answer these questions.”

The full article was authored by Jim Montague and originally appeared in Control Magazine, December 2021.