How to Build a Strong Industrial Cyber Security program
Our Vice President and General Manager of Industrial Cyber Security shares 7 ways to build a robust program and safeguard our processes
|Jeff Zindel, Vice President and General Manager,
Honeywell Industrial Cyber Security for Critical
Infrastructure and IIoT
Fact: Cyber-attacks targeted at industrial companies and facilities increased 10-fold from 2010 to 2015. While that is a daunting trend, an even more challenging one for the C-suite is that in 2016, 50 percent of board directors surveyed in the National Association of Corporate Director's 2017 Handbook on Cyber-Risk Oversight indicated that they were not satisfied with information on cyber issue management from company management. While the targeted attacks and potential risk to operations are top-of-mind for industrial executives, a new concern has surfaced: leadership's ability to build and maintain successful industrial cyber security programs.
The digitization and increasingly interconnected nature of industrial automation is doing more than changing our industrial processes. The transition underway presents the industry with tremendous opportunities for increased safety, efficiency and profitability, while at the same time presenting new business requirements and risks to be managed.
One of the most striking examples of change in this industrial era is cyber security. While there are a raft of technologies and best practices, company executives and boards are struggling with more immediate and personal challenges. Are they knowledgeable enough of their company's industrial cyber security risks? Are they measuring the cyber risks that matter the most? Are their investments in people, processes and technology sufficient to show diligence?
Even if a leader can answer these questions, cyber security risk can be dangerous to a leader's career. Industrial executives must focus on building a robust industrial cyber security program that is resilient and defensible. Here are the key areas for program development:
- Establish Baselines: Identifying and addressing vulnerabilities, threats and residual security risks.
- Define Risk Tolerance: Working with your leadership team, define the level of cyber risk that is acceptable to your business. Categorize and quantify how these risks could impact strategic business objectives and in turn define what needs to be protected and to what level.
- Measure Risk: Institute a plan to continuously measure and report on cyber security risks, making sure to understand trends and unexpected anomalies.
Mitigate Risks: Implement remediation steps and extend enterprise risk management policies and processes to cover cyber security risk as well.
- Have an Incident Response Plan and Practice: Organize and formalize the steps to address a cyber security incident. Conduct regular tests of your cross-functional response team, not one that everyone can easily get a gold star on. Find your gaps, make improvements and repeat.
- Build a Team: Engage partners that support the cyber security program, including which parts to outsource and which parts to handle in-house. Cyber recruitment is very challenging, especially when it comes to finding specialists that combine cyber security and industrial automation expertise.
- Secure the Supply Chain: Determine which security requirements to convey to suppliers and service providers. Consider tying requirements back to known industry standards for greater cost efficiencies. Lastly, consider holding workshops for your suppliers to clarify requirements, minimizing costs and non-value added activities.
Despite these challenges, there are a few silver linings. First, broad awareness of cyber security risk provides leaders with a strong mandate to “fix” the problem and access funds for programs. Second, within the industrial space, there are great new technologies that have been developed for the work processes and environmental requirements of industrial customers. Last, everyone else in your network is grappling with similar challenges, and as the issue addresses cyber security, it's likely that they will be open to sharing insights.
While it's a lot of change to digest and address, the promise of improved safety, availability and profitability of a more connected world makes cyber security a requirement. Incidents will occur‚Äîand having a robust plan in place will not only help safeguard your industrial processes, but also secure your career.
By Jeff Zindel
Vice President and General Manager ,
Honeywell Industrial Cyber Security for Critical Infrastructure and IIoT