6 Steps to Reduce Industrial Cybersecurity Risks

Regulators are ratcheting up the pressure on industrial organizations to implement robust cybersecurity measures. New mandates, like the U.S. Securities and Exchange Commission’s (SEC) cyber risk management rule and Europe’s NIS2 Directive, are driving urgency to better protect OT operations. The regulations add to rising challenges that industrial organizations face from factors such as remote access, supply chain vulnerabilities, and IT/OT convergence.

To overcome these hurdles, Rockwell Automation recommends the following 6 steps to help industrial organizations reduce cybersecurity risks and modernize operations to keep up with the pace of change.

1. Conduct a risk assessment

To get a handle on where your biggest risks are, start by identifying critical assets. Automated industrial threat detection tools are available to help you understand exactly what’s connected to your networks, as well as security risk posture of each asset or device.

Then consider OT penetration testing. Pen testing can reveal gaps in network architecture, assets and policies or processes most often used to breach operations.

Explore the following resources for valuable risk assessment information:

• NIST SP 800-30 — provides guidance on conducting risk assessments
• ISO/IEC 27005 — offers guidelines for information security risk management
• Industrial Cybersecurity Preparedness Assessment from Rockwell Automation — to gain a quick read of your organization’s cybersecurity preparedness and potential gaps

2. Prioritize security improvements

Apply a risk-based approach to help prioritize security upgrades to focus on the most critical gaps first. The risk assessment conducted in the first step above can supply insights about the gaps. To gain further context, ask questions such as:

• How critical is this asset or process to production operations, uptime, data integrity or other factors important to the organization?
• How are critical assets protected? Do current safeguards reduce risks? Are there missing cybersecurity protections that would greatly reduce the risk of a breach?
• What’s the potential cost if compromised, including downtime, compliance failure, fines, reputational damage and other factors important to the organization?

You must understand your organization’s risk tolerance before you can effectively prioritize gaps and improvements. Ultimately, your organization’s specific level of acceptable risk will guide your decisions here. To make the most accurate decisions, it’s best to apply some quantification methodology around risks and potential costs.

3. Build a cyber incident response plan

Timelines imposed by NIS2 and the SEC for reporting incidents were recently tightened. For example, NIS2 requires reporting known incident details within 24 hours and providing a full notification report within 72 hours. Likewise, the new SEC rule mandates disclosure of an incident within four business days after you determine the incident is material.

You can help your team respond and report incidents more effectively by establishing processes and procedures with a documented plan. Recommended incident response plan components include:

• Assigning key personnel to your incident response team
• Applying roles and responsibilities for each team member
• Capturing incident data, using the tools in place for incident analysis
• Understanding the steps and timelines now required for reporting, assessing and responding to incidents

4. Implement tabletop exercises

Tabletop exercises are another essential step for boosting your incident response team’s efficiency. Responders must practice the plan so they can work through the steps before they’re thrown into responding to a real cybersecurity incident.

Conducting exercises regularly (from quarterly to annually) will also boost your team’s confidence and competence, yielding continuous improvements, as well as increasing the speed and effectiveness of incident response actions. Larger organizations, or those in critical infrastructure sectors would be best advised to consider more frequent, even quarterly tabletop exercises.

Consult the following resources to learn more about how to implement tabletop exercises:

• The U.S. Cybersecurity & Infrastructure Security Agency (CISA) tabletop exercise packages
• The U.K. National Cyber Security Centre (NSCS) incident management guidance
• Rockwell Automation can also help set up and complete tabletop exercises

5. Enhance protection with defense in depth tools and strategies

No security tool, no matter how robust, can protect your OT environment against every threat. Boosting your cybersecurity posture with a defense in depth strategy will enhance your OT and organizational resilience against cyberattacks.

Defense in depth should include controls at every level, from the network and endpoints to applications and access management.

Rockwell Automation recommends the following best practices:

• Segment IT and OT networks with an industrial demilitarized zone (IDMZ)
• Consider a threat monitoring system to detect incidents, alert security teams and provide data collection for root cause analysis and reporting
• Deploy an endpoint management system to effectively address vulnerabilities
• Adopt tools such as antivirus, firewalls, data encryption and remote access control per your organization’s unique needs and requirements
• Constantly authenticate devices, connections and users by deploying Zero Trust access control policies
• Apply Common Industrial Protocol (CIP) Security to help protect endpoints against communication attacks
• Implement backup for critical OT systems to recover quickly from incidents

For more tactical information on how to defend in-depth, review resources such as the NIST Cybersecurity Framework, CISA’s website and CIS Critical Security Controls.

6. Gain stakeholder buy-in

As regulatory scrutiny rises, so too does pressure on boards of directors to better manage cybersecurity risks. Gaining buy-in from key stakeholders across your organization (plant floor to the top-floor) helps you build a strong foundation of trust, which will better support your efforts to fund and implement key security initiatives to help protect operations.

That’s what happened for one global manufacturer of consumer packaged goods. The organization achieved new levels of collaboration and partnership that involved those in multiple manufacturing plants, within IT and throughout the C-Suite, based on a step-by-step process involving each group with the right information and processes at the right time.

Prioritizing stakeholder buy-in has brought invaluable risk reduction benefits that continue to accrue daily.

Additional helpful advice

By investing in the right processes, tools and strategies, you canbuild a solid foundation for strong, comprehensive cybersecurity protection.

Luckily, there’s help available to guide you through the steps. Working with a trusted partner like Rockwell Automation, a leader in both automation and industrial cybersecurity, can help boost your in-house expertise as you plan, execute and improve cybersecurity initiatives.

Reach out to us here for more information.