As industries increasingly rely on automation and interconnected systems, the importance of safeguarding critical infrastructure from cyber threats cannot be overstated. A big part of that conversation revolves around cyber insurance and the cost to protect systems.
Recently, the ICS Pulse Podcast talked to Leah Dodson of Nextlink Labs about the cost analysis of cybersecurity versus insurance, emphasizing the unique challenges faced by the manufacturing sector. To listen to the podcast, click here. To read part one, click here.
The following has been edited for clarity.
ICS Pulse: While insurance might seem cheaper than covering health care and other employee-related expenses for multiple employees, a cyber breach can lead to various negative consequences. These include reputational damage and disruptions in production for manufacturers, which can have far-reaching non-financial impacts. Although some of these issues can have financial implications, they often fall outside the scope of cybersecurity insurance coverage. Additionally, insurance providers are becoming more stringent in their coverage, potentially excluding nation-state attacks and introducing various exemptions.
Leah Dodson: I appreciate your mention of manufacturing, as it’s one of the industries where quantifying the costs is more straightforward. Manufacturers understand the financial implications of a day’s downtime. Moreover, they can estimate the time required to remediate a breach or another type of attack. I’ve also noticed an increase in businesses automating their operations and dealing with DDoS attacks this year. This ability to quantify downtime is crucial, not only for manufacturers but also for attackers who see it as a valuable target.
ICSP: Moving forward, let’s discuss the importance of communication in the context of industrial control system (ICS) cybersecurity. Many people don’t grasp cybersecurity on the operational technology (OT) side as well as they do on the information technology (IT) side. You can’t simply transplant IT security measures into a manufacturing environment; it doesn’t work that way. So how can a company effectively communicate the differences between IT and OT cybersecurity and implement a top-down cybersecurity approach?
Dodson: Communication is vital, and Nikki (Gonzales) and I had an engaging conversation about this at HOU.SEC.CON in 2022. We approached it from the perspective of cybersecurity, and someone deeply involved in the manufacturing industry. Our goal was to facilitate conversations where all stakeholders, representing various aspects of the business, could express their concerns. This includes those on the shop floor who can provide insights like, “This tool won’t work; it’s too disruptive for our systems.” Having these voices represented allows for alignment and understanding of specific parameters.
When everyone impacted by cybersecurity measures is involved, it becomes possible to determine realistic cybersecurity controls’ intrusiveness. On the cybersecurity side, the protection measures that need implementation can be discussed, such as network layout changes, endpoint protections or physical layout adjustments. Collaboration between these groups fosters a more holistic approach.
ICSP: When conducting various tests and selecting cybersecurity protocols or providers for the shop floor, what is the most effective approach? How can we ensure everything works seamlessly and continuously update and refresh?
Dodson: You’ve touched on the concept of a digital twin, which is becoming increasingly valuable. Simulating the environment helps understand potential impacts. There’s a growing number of tools designed specifically for ICS environments and cybersecurity. These tools focus on addressing the actual needs of these environments, rather than trying to fit IT techniques into them. They scan more quietly and target the specific protocols used in ICS. Many cybersecurity-focused companies offer such tools, but even automation companies are becoming more aware of cybersecurity needs and developing their solutions. This shift in mindset within the industry is quite promising.
ICSP: Now, let’s switch gears and talk about Automate 2023. I’m curious to know what cybersecurity trends you observed at Automate.
Dodson: I absolutely love attending Automate. While I enjoy cybersecurity conferences, events like Automate provide a unique learning opportunity. It allows me to explore where the industry is heading and discover cutting-edge technological advancements. This year, I noticed several companies offering 5G services for shops, emphasizing remote capabilities. Cloud solutions were also a significant focus, including custom clouds for manufacturing and automation, as well as integration with major cloud providers. Moreover, software played a crucial role, with more emphasis on data aggregation.
These software solutions integrated data from various sources like sensors and historians into a single dashboard, providing a comprehensive view of the shop floor. From a cybersecurity perspective, having such information readily available is beneficial for detecting anomalies that could be indicators of an attack. However, it’s essential to secure this data to prevent it from becoming an attack vector itself. These aspects of Automate were particularly fascinating to me, and I enjoyed discussing them.
ICSP: What’s interesting about attending manufacturing trade shows, as opposed to cybersecurity events, is the visual aspect. At cybersecurity events, you often see booths with people, desks and graphics, but not many physical devices. In contrast, manufacturing shows like Automate offer a visual representation of the impact of cybersecurity measures. It allows us to consider potential threats and vulnerabilities visually, which is a unique perspective.
Dodson: Absolutely, and this visual aspect leads to engaging conversations. The passion of the people at Automate is palpable, and you see innovations like cobots, end-of-arm tooling, autonomous robots and additive manufacturing. When you engage with these passionate individuals and introduce cybersecurity into the conversation, it sparks new ideas and perspectives. They start thinking about how to incorporate cybersecurity into their designs, which, as a cybersecurity professional, is incredibly rewarding. For example, I recall a discussion with a company that developed vision systems for robots navigating warehouse paths. As we brainstormed potential attack scenarios, the developer realized certain vulnerabilities and limitations in their system. It’s a reminder that engineers approach problems from different angles, and it encourages us to think beyond our own cybersecurity lens.
It leads to very interesting conversations. One of the things I love about Automate is how passionate everybody there is about what they do. There’s cobots everywhere. There’s end of arm tooling … they put a lot of thought into how these grippers work. There are autonomous robots, there’s additive manufacturing, there’s all kinds of technologies. And when you take the time to sit and talk with people about what they’re developing and give them that opportunity to be passionate about what they’re doing, and then meld that cybersecurity conversation in there, that starts to get the wheels turning of, “Oh, maybe we could add this to the design,” or, “We didn’t think about it from that angle. That’s interesting.”
Introducing them to cybersecurity, and me personally, getting a better understanding of exactly how things work is amazing. I mentioned vision systems. We had spoken, last year, to a company that did vision systems for robots that would go along paths in a warehouse. The person I was with started thinking through a complicated attack vector like, “Oh, I could do … I’d be able to do this, and that,” and thinking out loud. The developer was standing there and was like, “You’re right. We don’t have protections against that. Or I could take a Sharpie and cross out the line here, and it disrupts the vision system.” A lot of times in cybersecurity, we see through that lens of our side of engineering. But the engineers there see through their lens, and it makes for interesting, like, “Are we over-engineering this attack?”
Do you have experience and expertise with the topics mentioned in this article? You should consider contributing content to our CFE Media editorial team and getting the recognition you and your company deserve. Click here to start this process.
