New regulations on industrial cybersecurity aim to create a more robust industrial ecosystem that is resilient to future attacks.
By: Luis Narvaez
The US National Cybersecurity Strategy for 2023 focuses on strengthening the country’s industrial and infrastructure cyber defenses, promoting information sharing between the government and private sectors, and enhancing the resilience of critical infrastructure. This includes new regulations and best-practices guidelines to address emerging cyber threats. The strategy also emphasizes international cooperation to combat cybercrime and protect against state-sponsored cyberattacks. Similarly, the EU Cyber Resilience Act aims to improve the overall cybersecurity posture of the European Union.
Both include rules or guidelines that mandate specific cybersecurity standards for critical sectors such as manufacturing, energy and infrastructure, and also address issues related to incident reporting, information sharing and the establishment of a coordinated response to cyber threats. Both the US and EU plans prioritize protecting the vulnerable operational technology (OT) that drives industry and infrastructure while promoting cybersecurity awareness and education. Educational efforts are integral to these strategies to empower organizations to protect themselves against cyber threats, as the companies themselves are the ones on the front lines. It’s essential to note that the specifics of these regulations will continuously change based on the evolving nature of cyber threats and the geopolitical landscape.
A cyberattack on manufacturing and critical infrastructure poses severe and multifaceted risks that extend beyond immediate financial losses. Disruptions in manufacturing processes can result in significant economic impacts due to downtime, production delays and supply chain interruptions. These repercussions can cascade through interconnected industries, affecting businesses downstream and potentially causing widespread economic strain through the supply chain.
Compromising critical infrastructure, such as energy grids, transportation systems and water supplies, can profoundly affect public safety and well-being. Cyberattacks can manipulate or disable control systems, leading to power outages, transportation disruptions and environmental hazards. These disruptions not only inconvenience daily life, but also jeopardize national security and have the potential to injure or kill operators or even the population nearby.
Moreover, the theft of sensitive intellectual property through cyber intrusions can compromise other critical systems, reducing readiness to prevent future attacks. Data theft from manufacturers can also undermine innovation and economic competitiveness. Cyberattacks on manufacturing and critical infrastructure can have far-reaching geopolitical implications, as state-sponsored attacks can be tools of coercion or even warfare. The interconnectedness of global supply chains and infrastructure systems amplifies these risks, emphasizing the urgent need for robust cybersecurity measures to safeguard individual companies and the part they play in the backbone of modern societies.
There are three main components to understand and plan for cyber defense. First, identify the risks, including the specific avenues of attack and all possible damage an internal or external hacker could cause. Second, identify current cyber defense processes and how to improve them to mitigate the risks identified. Third, create and execute a cybersecurity plan that implements the technology and strategies pinpointed. A cybersecurity stakeholder team whose focus is coordinated efforts across all aspects of the business to identify and mitigate cyberattack risks should lead this process.
In light of the increasing number of cyberattacks and the continually stricter regulatory focus on cybersecurity, businesses must have a complete and comprehensive understanding of their internal and external cyber risks and how to mitigate them.
Luis Narvaez is Regional Product Manager for Controllers and Cybersecurity for Siemens Factory Automation. He brings more than 10 years of experience with automation technology in a variety of industries ranging from theme park/entertainment to oil and gas, and machine tools/machining. Luis’ experience and passion to bring secure and smart manufacturing to industry make him a subject matter expert in topics including digitalization, industrial cybersecurity and IT/OT integration.