In 2017, the UK Government proposed the implementation of the Security of Networking and Information Systems (NIS) Directive, with the aim of improving the security of essential services such as water and energy. Should providers fail to protect their systems, a £17 million penalty could be enforced. Here, Nick Boughton, sales manager at industrial systems integrator Boulting Technology, discusses why it is important for utility providers to protect themselves from cyberattacks.
Plant managers within utility companies are now demanding more from their industrial control systems (ICS) to deliver operational improvements through smarter, information-enabled machines. As a result, the domains of IT and OT are converging and becoming increasingly connected as many ICSs are now overlapping with enterprise systems to provide accessible, secure information that is visible across organisations. With these increased benefits, however, comes a rise in additional security risks.
Typically working on closed, proprietary communication protocols, the migration to open protocols can present several issues, including unpatched software and hard-coded passwords. Robust systems, such as PLCs, were built to last before network connectivity was even considered.
When connecting a legacy system to an open protocol, it is essential that it is done safely and securely. Security patches can be vital in reducing potential cyber-attacks, however many manufacturers forgo their roll out as the associated costs can be high. Every missed patch makes it much harder and more expensive to ensure a legacy system is protected.
It is these risks that the Joint Committee on the National Security Strategy discussed in late May 2018. If ICSs are not protected properly within the utility sector, then it is not just breaches of the GDPR we should be worried about, but the supply of water and energy.
There is no one size fits all solution to protecting industrial control systems and it shouldn’t just cover the protection of a single system. IT and OT convergence means a holistic approach to industrial security should be taken, extending from a single enterprise system, to the people, processes and technologies within a plant.
In its 2016/17 report, the cyber threat to UK business, the National Cyber Security Centre (NCSC) suggested cyber security is most effective when integrated with risk management procedures.
To give maximum protection against cyber-attacks, a plant must have a robust security framework that encompasses people, processes and technologies. Our alliance with Netbuilder, a leading provider of software and IT consulting services, allows us develop and implement seamless solutions across IT and OT, which have traditionally been managed separately.
While having the latest firewalls, antivirus and intrusion detection software is important, it is redundant if staff are not trained properly. Working with an experienced supplier, such as Boulting Technology, will aid in developing one such framework.
Without a strong commitment to security, manufacturers will fall victim to the many pitfalls faced by open protocols.