Preventing Black Swan cybersecurity events
Sami Koskinen, Director of Digital Transformation, Beamex
How many of you have read about the hackathon where two security researchers used Generative AI to break into and take control of IoT and industrial systems? The event, organised by Zero Day Initiative, took place in the USA in March this year. The two researchers used ChatGPT to write code and create a chain of security bugs that helped them crack their target (chosen from a prepared list). The duo succeeded in cracking the system 10 times and won USD 123,000.
The good news is that this was a safe and controlled experiment. The bad news is that the rise of AI and other digital tools has made it a lot easier for entities and individuals to carry out cyber-attacks. And what I worry about the most is so-called ‘Black Swan’ events, events that are so rare and unusual that they cannot be predicted or prepared for and can have immense impacts on different levels of society.
One potential Black Swan event is the prospect of a major pharma company being compromised by cyber attackers, potentially stealing IP, or meddling with manufacturing processes, resulting in defective products. Considering that most process industries run on a variety of industrial control systems, a mix of legacy and modern software, and employ thousands of people, it is not a far-fetched idea that these carry with them varying levels of cyber vulnerabilities. And as the Zero Day hackathon established, new technologies will make it easier for these vulnerabilities to be exploited.
At Beamex, we work with a variety of different process industries, including energy, oil and gas, and pharmaceutical players, all of whom are in different stages of digitalisation. So far, this has helped many of them stay isolated from cyber threats, but thanks to increasing connectedness, this will not be the case for much longer. And considering how vital these companies are to society, it is critical that we act now to increase their cyber resilience and lower the threat of a black swan event.
Acknowledge that you will be cyberattacked.
First, companies must come to terms with the fact that they will invariably be attacked. No company or industry flies under the radar. Now that is out of the way, let’s look at increasing cyber resilience. And one of the first steps to do this is to understand just how vulnerable your systems, processes and people are. Creating a cyber security strategy and identifying risks will help companies devote expertise and resources to handle these risks. Additionally, in the event a breach does occur, this will also allow companies to identify high-priority tasks and take the necessary steps to reactivate them as soon as possible.
Second, invest in technologies that can help your OT and IT communicate while ensuring there are no leaks. That is the key to making Industry 4.0 a success. Sometimes, companies in the process industry prefer to keep the vulnerable parts of their digital infrastructure isolated to prevent cyberattacks. In some cases, companies are using analogue equipment and processes to shield critical functions from cyber-attacks. I do not think this is viable in the long run since businesses will lose out on the advantages of digitalisation. For process industries which may not have the resources to build up their cybersecurity infrastructure, my strong recommendation is to turn to experts. IT companies spend billions on improving cyber resilience and cyber security, and they will be best equipped to protect your infrastructure while deploying AI and other digital tools to identify vulnerabilities and plug them. They will also enable you to integrate your OT and IT safely and securely, helping you reap the benefits of digitalisation quickly.
Third, cybersecurity should be treated as an ‘all-in’ effort. It starts at the individual level and then goes up to the organisational level. All it takes is one unsecured USB port or P@ssw0rd or clicking a malicious link to compromise an entire network. From the CEO to managers to field technicians, the importance of cyber security must be reinforced at every level. Digital tools and robotics can enhance this, providing an extra layer of security by validating user inputs and actions.
Cyber security and an ecosystem approach.
Fourth, use the ecosystem approach and develop a coordinated response by sharing data and best practices. For instance, energy utilities could share anonymised data on the resilience of their systems, allowing others in the ecosystem to develop new ways to minimise cyber threats. Of course, for this, we also need to create a secure way of sharing this data. That is also something that can be solved if different players come together to create a secure and safe standard for sharing. At Beamex, we are working on a Digital Calibration Certificate (DCC) in collaboration with National Metrology Institutes to find a standardised way of delivering calibration certificates, especially in the context of Industry 4.0.
Finally, cybersecurity does not only extend to one’s own infrastructure and people. It must also be part of the extended ecosystem. At Beamex, we are constantly audited by 3rd party certification bodies, customers and stakeholders. We pay attention to risk management, an essential requirement for obtaining an ISO9001 certification. Additionally, we are implementing the 2022 revision of the ISO27001 information security standard into our Management Systems framework and in our Secure Development processes. We are also the only calibration company in the world to provide both calibration hardware and the software, allowing us complete control over data exchange between OT and IT, further strengthening ecosystem cybersecurity for customers. Vendor cyber security assessments, vulnerability scanning, and security testing ensure your digital infrastructure remains protected.
The current pace of digital disruptions has left many in the process industry sector wary of digitalisation and potential cyber threats. While that concern is warranted, no company can afford to let the benefits brought about by Industry 4.0 slip by. As you saw from the example of the DCC, we at Beamex are working on ways to foster collaboration and co-creation to create a safer and more transparent world. If you have an idea that will aid this goal, get in touch. I am all ears.