While there have been advances in the cyber security protection of IT systems, the defense of OT systems is typically not as effective, or as easy to implement and enforce, which leaves the back door open to cyber-attack in many facilities.
Biomanufacturing plants are just like the rest of the world, experiencing a bewildering speed of technology change and integration. Today the difference between enterprise technology (IT) and plant floor instrumentation and controls engineering (OT) systems is becoming increasingly blurred as is the interdependence between the technologies and the people.
Figure 1 shows the evolution IT and operational technology (OT) systems.
Figure 1 – IT / OT Landscape – Connectivity Cybersecurity Risk Footprint ISA 95/Purdue and DPMM Model Levels
To crack this problem open the BioPhorum IT Cyber Security Workstream has been busy ‘comparing and sharing’ to understand what cyber security-related problems each member faces and document how they are responding – asking “What are our peers seeing?” and “What are they doing about these same problems?” This has helped them level out the different starting positions, maturity, views on risk and investment capacity, and made it possible to start writing some form of industry-wide cyber standards containing best practice controls and recommendations.
Out of this the idea was born for an education series of short papers that start a conversation about cyber security issues and analyze the different ways of approaching them. This, in turn, could lead to a set of standards being developed.
The BioPhorum IT Cyber Security Education series will contain several short papers, with scope for more as conversations continue. They will offer a range of benefits, such as:
- Providing ready-to-consume publications explaining basic problems
- Giving members useful reference information on common cyber security challenges
- Understanding and articulating the differences between IT and OT systems
- Translating technical-business risks to create a business case for change
- Help senior executives understand the problem and the improvement steps needed
- Encourage organizations to shift attention to developing effective cyber strategies.
The planned pieces are:
- Improving performance against boutique vulnerabilities: analyzing the impact, actions and lessons learned from some recent named attacks
- IT vs OT: characterizing the framework, differences and success metrics from each function
- Configuration management database (CMDB) use cases: summarizing the trends in usage, adoption, technologies and issues experienced
- CMDB data model: outlining a standard structure that could be used to describe a manufacturing system detailed in a shop floor/OT CMDB
- Asset Management of Operational Technology (AMOT) architecture and attributes: analyzing the architecture design, asset types, attributes, needs, interfaces and uses of technology on the shop floor
- Maintaining data within AMOT: reviewing the practices, policies and people needed to manage data in the AMOT systems
- Disaster recovery playbook: guidance for digital emergencies, the key content areas of a playbook and a ‘playbook in a box’ for plant-level IT and OT recovery
- Cyber security KPIs and reporting: guidance on typical KPIs, metrics and reporting that can be implemented within the OT environment, and its governance.
The phrase “Defense in Depth” describes an approach using multiple mechanisms to protect systems and data. There is never only one ‘lever’ to pull to improve security. The level of protection implemented is dependent on individual companies and circumstances.
The papers in this series start to ask questions such as: what are the different levers for each defense strategy? Who is currently working on that approach? Why did they make that decision? Is it working for them? What are they going to do next?
The first paper in the series, “Improving performance against boutique vulnerabilities”, can be found here. Look out for future papers and see what your peers are doing about cyber security in their manufacturing plants.
If you have any other topics that you would like to sense-check with your peers, or you would like to be involved in the group, please contact Lauren Morgan on email@example.com