Automotive CISOs and CIOs already have extremely full plates, from connected cars and IoT to electrification and 5G, and they continue to accumulate more. Securing the production floor, traditionally the domain of production operations or advanced manufacturing engineering, is increasingly being added to their list of responsibilities.
Historically, manufacturing operations were managed separately from IT. The common architecture, infrastructure and security standards that organizations already apply to their IT systems are often missing in OT/ICS environments. And those environments are old: it is not uncommon to find completely obsolete computers running end-of-life operating systems.
Furthermore, the routine patching done for IT systems is often neglected in OT environments for fear of "fixing what's not broken." Traditional IT systems are normally secured to at least minimum industry standards, while OT systems frequently contain vulnerabilities that were mitigated years ago on the IT side. As these old, unpatched systems are increasingly connected to the Internet, under Industrial Internet of Things (IIoT) and Industry 4.0 initiatives, organizations face large new risks.
As a consequence, many automotive companies have recently been targeted by attacks that resulted in system downtime, production slowdowns and stoppages and, ultimately, lost revenue.
Cybersecurity leaders can mitigate the risk of vulnerable technologies and ensure cybersecurity across all IT and OT systems by following these three steps.
Given the extreme cost pressure experienced by organizations in the automotive industry, many companies face significant OT challenges related to technical debt, obsolete technologies in production, weak patch management and a lack of visibility into vulnerabilities. CIOs and CISOs now responsible for cybersecurity in OT as well as IT should consider doing a comprehensive vulnerability assessment across all aspects of their IT, OT and ICS.
It's also vital to determine what matters to your business: what level of risk is acceptable, what your future business goals and priorities are, what your competitors are doing, and what your clients expect.
One way to bridge IT and OT and to grasp the bigger security picture for your company is to map not only IT but also OT to the CIS Controls. This provides a common language for both sides and will help you understand how everything is secured and identify where you have gaps.
Gain clarity into failure points across people, processes and technologies. What is your organization driving toward, e.g. a certain number of finished goods per hour? What are the critical points that make that happen? Understand the security around those failure points: what is most likely to happen to them, and what would the impact be? Fix those things and wrap controls around them. You may want to engage a partner who can do this for you, bringing lessons learned from other high-risk, highly regulated verticals such as health care.
At this point, you will be able to prioritize your risks, ensuring that you address the biggest issues first.
It would not be unusual for a vulnerability assessment of an automotive company to uncover tens of thousands of vulnerabilities. While it's useful to know where these are, it's nearly impossible to mitigate or resolve all of them at once. The key is to identify the most critical risks, or those most likely to be exploited, and focus limited resources on the biggest issues first.
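The ranking described above can be made concrete. The following is an added example, not code from the article or the author: it scores constructed OT/IT findings by likelihood (network exposure, public exploit, end-of-life platform) times impact (production criticality, CVSS base score) rather than by CVSS alone, and recommends a compensating control where patching is not an option. The hostnames, weights and CVE-style identifiers are illustrative assumptions, not data from any real assessment.

```python
"""Risk-based triage of vulnerability findings across IT and OT.

Added illustration for this article; not the author's tooling. All weights,
hosts and identifiers below are constructed assumptions for demonstration.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    vuln_id: str            # placeholder identifier, constructed
    cvss: float             # CVSS base score, 0.0 - 10.0
    criticality: int        # 1 = lab/office device ... 5 = stops the production line
    exposure: str           # "internet", "enterprise" (flat corporate network) or "isolated"
    exploit_public: bool    # a working public exploit exists
    eol_os: bool            # platform is end-of-life, so no vendor patch is coming
    patchable: bool         # can be patched within a planned maintenance window


# Illustrative likelihood weights (assumption): exposure dominates, then exploit
# availability, then lack of vendor support. They sum to 1.0 for "internet".
EXPOSURE_WEIGHT = {"internet": 1.0, "enterprise": 0.6, "isolated": 0.2}


def likelihood(f: Finding) -> float:
    """Probability-like factor in [0, 1] that the weakness gets exploited."""
    return (0.5 * EXPOSURE_WEIGHT[f.exposure]
            + 0.3 * (1.0 if f.exploit_public else 0.0)
            + 0.2 * (1.0 if f.eol_os else 0.0))


def impact(f: Finding) -> float:
    """Business impact in [0, 1]: production criticality scaled by technical severity."""
    return (f.criticality / 5.0) * (f.cvss / 10.0)


def risk_score(f: Finding) -> float:
    """Combined 0-100 score; this is what drives the ordering, not raw CVSS."""
    return round(100.0 * likelihood(f) * impact(f), 1)


def recommended_action(f: Finding) -> str:
    """Patch where you can; otherwise reduce exposure and watch the asset."""
    if f.patchable:
        return "patch"
    if f.eol_os:
        return "compensating control: isolate, restrict access, monitor; plan replacement"
    return "compensating control: segment, restrict access, monitor"


def prioritize(findings):
    """Return (host, score, action) tuples, highest risk first."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.host, risk_score(f), recommended_action(f)) for f in ranked]


# Constructed sample findings (not from a real assessment).
FINDINGS = [
    Finding("plc-gw-01", "VULN-0001", 9.8, 5, "internet", True, True, False),
    Finding("hmi-line3", "VULN-0002", 7.5, 4, "enterprise", False, True, False),
    Finding("eng-ws-07", "VULN-0003", 9.0, 3, "enterprise", True, False, True),
    Finding("hist-db", "VULN-0004", 5.3, 2, "isolated", False, False, True),
    Finding("office-print", "VULN-0005", 9.8, 1, "enterprise", True, False, True),
]

if __name__ == "__main__":
    for host, score, action in prioritize(FINDINGS):
        print(f"{host:<14} {score:>6}  {action}")
```

Note how the office printer, which shares the highest CVSS score with the Internet-facing PLC gateway, lands near the bottom once production criticality is considered, while the unpatchable end-of-life gateway goes to the top with an explicit compensating-control recommendation instead of a patch ticket that can never be closed.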
Consider hiring an experienced advisory partner, one who has successfully helped enterprises do this and knows where the hidden risks are, instead of trying to figure it out yourself. A typical CIO or CISO has not worked in this arena long enough to avoid the common mistakes.
As a member of the automotive industry, which is highly sensitive to cost control, you may welcome this best practice: although you may need to make investments to fix the issues uncovered in the assessment phase, first consolidate your existing technologies. Reducing the number of redundant technologies you already have will decrease complexity, lower software licensing and support costs, and minimize the net new spend you require.
Also consider off-loading some of your security operations to managed services providers. They can often get the job done at a lower cost than your internal teams, and they relieve you of the pressure to continuously attract, develop and retain those elusive security professionals with the skill sets you need, a costly, ongoing effort.
Boards and senior leaders typically understand the elevated brand, financial and personal risks of cyber attacks via OT and ICS, which is why they asked CIOs and CISOs to oversee the availability and security of all IT systems, including the factory floor, in the first place. What they usually do not understand are the challenges, both technological and cultural, that you face in bringing IT and OT together and securing them effectively.
Making sure they understand the depth of these challenges, and the cost of not addressing them, will be crucial to your success. Sacrifices may be necessary to invest in what you need to protect the business: certain business processes may need to change, and some projects won't get done to make room for this one. Better security sometimes costs money and requires dedicated resources, and the Board needs to support those changes. Earning that support will take planning and effort on your part, especially in creating and presenting a clear message backed by data.
They also need to support you as you communicate the changes that will be made across the business. The job of explaining to plant managers and other departments why securing your factories matters will undoubtedly fall to you. Explain clearly what you're doing and why, that you have the full support of and a mandate from the Board, and what the impact and benefit will be for them and for the company as a whole. Keep them in the loop as the process moves forward, and remember to share and celebrate milestones and successes.
Threats change every day, as does technology. What kept your factory safe today may not tomorrow, and the best solution from yesterday may not be the best, or even available, today. Reevaluate tools, people and processes on a regular basis to ensure they are still capable of protecting your organization.
A good question for every automotive CIO or CISO to ponder: how can you cost-effectively manage security across IT, OT and ICS to not only reduce risk, but also harness the power of newly enabled interconnectivity, digitization and information from IoT? The steps you take to secure your organization may lead you to insights or new ideas that empower business growth.
The challenging, fast-paced environment and rapidly changing marketplace of the automotive industry pose great challenges, especially for cybersecurity, but also offer immense possibilities for innovation and expansion.
Kurt is also co-founder and Managing Director of the Automotive Cyber Security Network (ACSN), a forum for automotive industry professionals to connect, exchange knowledge and engage in a community focused on securing the automotive sector. Kurt has more than 25 years of management experience, including 13 years leading global teams in the automotive industry.