
A PROACTIVE APPROACH TO PROTECT YOUR ASSETS


AS THE INDUSTRIAL WORLD BECOMES EVER MORE CONNECTED AND COMPLEX, THE NEED TO EMBED PERVASIVE CYBERSECURITY POLICIES IS PARAMOUNT, SAYS TIM GRIEVESON, CHIEF INFORMATION SECURITY OFFICER, AVEVA

In an age of rapid digitisation and always-on connectivity, the industrial landscape has never been more ready for transformation. Post-pandemic, companies have learned radical lessons about how to run and optimise systems in unpredictable operational times. As such, global organisations have been compelled to take decisive action by putting technology at the very heart of their business processes. Cybersecurity is a key business differentiator in ensuring these operations are secure and resilient.


With the rapid and significant need to enable remote work and team collaboration, software solutions like Cloud, Edge and IoT can pave the way for improved business performance and procedures. But with great opportunities also come challenges. As such, more complex industry technology solutions demand a heightened focus on cybersecurity and securely enabling the work-from-anywhere culture.

It’s no accident that the latest Gartner forecast predicts worldwide spending on information security and risk management technology and services will grow 12.4 percent to reach $150.4 billion in 2021.

Cybersecurity was the top priority for new spending, with 61 percent of the more than 2,000 CIOs surveyed increasing investment in information security this year, the IT research firm said. Security services including consulting, hardware support, implementation and outsourced services represent the largest category of spending in 2021, at almost $72.5 billion worldwide.

Industrial risks

According to global cybersecurity analysts, industrial systems are still not yet sufficiently protected against the new and multi-faceted risks of digital transformation, despite being susceptible to increasing risks for many years. In order to be effective, company cybersecurity policies must proactively and holistically pervade the entire organisation. A balance should also be struck between mitigating risks and enabling new business initiatives. What’s more, it’s imperative that companies focus not only on training staff but also on selecting appropriate and best-of-breed technology partners who build security into the ecosystem of how they operate as opposed to charging extra or having security as an add-on.

Key security considerations

Industrial businesses that embrace transformation and have a holistic view of cybersecurity are benefitting from diverse technology ecosystem development, including connected devices, edge control, apps, analytics and cloud services, which are enhancing business performance at an unprecedented pace.

It’s vital that your organisation’s approach to security is part of the organisational culture – using components that meet recognised standards and include encryption by default. Security must be integral to the design of any process or operation and fundamentally baked into the services that support the operation of your systems and business objectives.

Company checklist

The tsunami of risks focused on operational technology (OT) ranges from the exposure of intellectual property and lost production systems or data to serious fines and reputational loss.

Cybersecurity is a multi-faceted discipline requiring a proactive approach across the business. For your business to be best prepared against threats, it’s important to consider the following elements:

People

Ensure you invest in your people by providing relevant and timely security training for staff, contractors and third parties, which not only supports your organisation’s objectives but can be used in their personal digital lives too. It’s essential to engage all your employees as active cybersecurity ambassadors by educating them on identifying, prioritising and understanding the changing security landscape, including the dangers of malware, phishing, unofficial USB devices and social media oversharing, so they can behave and act accordingly.

Network

It’s vital to maintain a unidirectional gateway between IT and OT systems, to run continuous vulnerability assessments, and to install anti-malware solutions for industrial endpoints as well as your corporate and lab environments.

Partners

Select vendors that will partner with you to protect critical data and understand your security, legal principles and privacy policies. Determine where and how data will be collected, used and stored. Ensure partners include security as a core component of their service offering as opposed to an optional extra. Ensure they take shared responsibility for good cyber hygiene and are transparent on what they can and cannot do to support your business.

Processes

It’s important to build a culture of cross-department buy-in for cybersecurity processes across management, IT, security and business operational teams. In addition, you should develop your cybersecurity program for continual improvement, building in findings from regular audits and vulnerability assessments so that risk is systematically burned down and capability improves.

Devices

Ensure you change your IoT device passwords from the factory default; extend your security and password policies to mobile devices; and conduct regular intrusion testing and anomaly detection on all devices. Never assume your devices are safe and always validate and include them in your security assessment strategy.

Vendor checklist

When considering your cybersecurity needs, choosing the right partner is crucial. Software vendors play a key part in your cyber defence strategy. When considering a cloud or IoT partner, here are some key questions to consider:

Physical security

Where are their cloud services physically deployed? Where will my data actually reside? Where and how will my data be captured, stored and used?

Data security

How is your information protected – at rest and in motion? Does your vendor support unidirectional data transfer? How does your supplier deal with network outages?

Application security

How do they handle authentication, authorisation and account management? What is their approach to identity and access management (IAM)? Are they using a recognised secure development framework? What is their response to identification and remediation of known and unknown vulnerabilities?

Continuous monitoring and improvement

Do they have proactive monitoring and active security policies in place? Can they identify abnormal behavior and catch anomalous activity? What procedures are there to detect and isolate suspicious activity online? Do they use threat information derived from monitoring to continually improve security controls and techniques?

Security assessments

Do they have a proactive program of internal and external security audits? How do they deal with ongoing compliance with regulations, such as GDPR? Do they have a published security statement that you can read? When vulnerabilities are detected, how do they disclose them, and how promptly do they remediate?

Staff

How do they vet and train their staff? Do their staff hold relevant security certifications and experience – and do they share this information with you? Do they use third parties as part of the service delivery, and how do they ensure those third parties comply with your security principles?

By including these basic cyber stages in your security strategy, you will take the first steps towards a complete protection strategy. In today’s world of ever more complex cyber threats, a comprehensive security strategy – covering all the basics – is no less than critical for protecting your digital and physical assets.

UNLEASHING INNOVATION

FOR ENERGY COMPANIES, DIGITAL TRANSFORMATION IS A CRUCIAL INGREDIENT. PETROFAC’S GLOBAL CIO, GEORGE EAPEN AND GLOBAL HEAD OF CYBERSECURITY, SHAHAB SIDDIQUI TALK ABOUT HOW IT AND SECURITY TEAMS ARE WORKING IN TANDEM TO DRIVE TANGIBLE BUSINESS OUTCOMES WITH DIGITALISATION AND AUTOMATION.

Can you share with us your digital transformation roadmap and goals?

George: The world has changed since the outbreak of COVID-19. The mandate for all IT organisations now is to enable the workforce in improving productivity. Being an energy company, we have many systems that work only on our network. The challenge was to make it work for the remote workforce. So, we have transformed and moved some of these workloads to the cloud and made it securely accessible for our employees. In addition, we are focusing more on digital optimisation to reduce costs and improve the bottom line. We are doing two critical projects on this front – Material Lifecycle Management to reduce waste, and Knowledge Management to enhance the efficiency of our engineering workforce. What we are doing is the automation of wing-to-wing processes instead of automation of individual tasks. For this, we start with process mapping by working closely with business stakeholders and identifying multiple opportunities in a single process to automate to see the real benefits.

How did you overcome the business continuity challenges during the pandemic?

George: Petrofac started its digital transformation journey in early 2018, and we were ahead of the game. We are one of the early adopters of digital technologies in the region. We rolled out Microsoft Teams, and our cloud journey was also at an advanced stage even before the pandemic. However, we used this opportunity to accelerate our digital transformation roadmap; we have done many things in weeks, which would have usually taken six months. The way I look at it is that automation isn’t a new thing. As human beings, we are always looking to improve efficiencies, and COVID-19 acted as a catalyst for that change in all organisations. One outcome of long-term remote working is that it has made our employees more digital-savvy because every home now is an “office” or a “school” and everyone is more familiar with the technology.

What role does cybersecurity play in your digital transformation journey?

Shahab: Traditionally, cybersecurity teams get involved in digital initiatives just before the project goes live. One major change that we have implemented at Petrofac is that the cybersecurity team is part of the digital steering committee, and we are involved right from the project ideation phase. Cybersecurity is embedded into all our digital projects, so it is not an after-thought. When it comes to remote working, we were already supporting it before the pandemic. However, COVID-19 allowed us to test our business continuity plans, and the transition to remote working was completely seamless during the lockdown.

Is the cloud a key focus area for you?

George: It’s always been a big focus area. For most people, the biggest driver for cloud is cost savings, but it is also about scale and agility. The way I see it is someone else is running your data centre when you are in the cloud. Since we started our cloud journey in 2018, we have reduced the number of our data centres from five to two. However, I don’t think everything will move to the cloud as some workloads will always run on your on-prem data centre. We are pushing to move 70 percent of our workloads to the cloud so that we can spin off new services quickly.

Who do you think is responsible for security in the cloud – the provider or the user?

George: It depends on what is the model of engagement with your cloud provider. When you talk about the cloud, you can either have infrastructure-as-a-service, or platform-as-a-service, or software-as-a-service. If it is platform-as-a-service, it’s pretty clear you are buying the platform, and you expect the security aspects to be taken care of by the cloud provider. But in the case of infrastructure-as-a-service, it’s a different ball game, and the responsibility for specific aspects of security lies with the organisation. However, there are many other high-level security aspects, such as data retention and protecting it from ransomware attacks.

All these should be taken care of by the cloud provider as part of the contractual agreement. However, when it comes to the partitioning and departitioning process related to data, no cloud provider is going to enforce that for you. That has to be done by the organisation.

How did you go about creating a strong security culture at Petrofac?

George: I joined Petrofac as its first CISO before being promoted to the global CIO role. I was fortunate that I had the support of the top management in driving a cultural change. When you talk about a cultural shift, it has to touch every single employee, so I went in for a long-term strategy. We did a lot of campaigns centred around cybersecurity, and the Petrofac communications team was incredibly supportive. It was not a one-off campaign but rather a series of communications designed to stick in employees’ minds.

We have also initiated campaigns among employees to report phishing emails. We also made significant investments in specific technologies for better cyber posture. I worked very closely with the rest of the IT functions such as the infrastructure team, the application team, and also third-party teams that work with us. The result was a better branding of cyber posture among our employees from technology and communication standpoints.

I’ve spent a lot of time with company leaders as well as people who can be influencers in a bigger group, educating them about what cyber is. We have also revamped our IT policies and procedures. One example is data classification drive, which requires all employees to classify and label the data they have created. It’s an excellent example of cultural change because you are asking them to do something different, which they haven’t done before.

Establishing policies and procedures is essential, but reaching out is equally important. Usually, security policies are published on the company portal. But it is your job as a CISO to take it to the users.
