Cybersecurity attacks are all over the news. As technology evolves, so do the threats. That is why it is so important for companies to look for secure solutions to keep data safe and help plan for and manage system shutdown, turnaround, and outage (STO) events, even if those events are not scheduled.
The World Economic Forum recently ran a survey that reached around 100 senior cybersecurity executives from around the globe through its Cybersecurity Leadership Community and found that 80% of those executives view ransomware as “a dangerous growing threat that is threatening our public safety.”1 In other words, ransomware is a high-stakes threat to the digital world. The survey also found that 97% of the community named business continuity, or standard workflow, as the main risk associated with ransomware attacks. You can read their blog on the more recent incident here.
So, what do these statements mean? Ransomware is defined by the Cybersecurity & Infrastructure Security Agency (CISA) as “an ever-evolving form of malware designed to encrypt files on a device, rendering any files and systems that rely on them unusable.” This makes your firewall system and IT processes even more important than you originally thought because they are what keep your core systems running smoothly. If these systems fail to block threats, like ransomware, an unplanned STO can occur. Unfortunately, more than 1/3 of cyber incidents that were reported between 2013 and 2015 were in the energy sector.2
At Prometheus Group, we know you take security seriously and do everything in your power to protect your systems and data. Our solutions make your data protection practices that much easier to carry out. Our systems hold your historic data for you and make it easy to track and monitor events during an unplanned STO event; it does not have to result in an uptick in costs. Your data remains safe and intact so you can focus on the process of bringing everything back online, so to speak.
In a previous article, we addressed some of the risks associated with cybersecurity and mitigation efforts.3 Many of these risks still hold true and are mitigated in the Prometheus Group platforms. Risks include:
Unstable Environments: This comes from the continual evolution of technology. Ever-changing security compliance standards make meeting the current regulations challenging. Platforms can now conform with standards and automate much of the information connectivity, taking out the guesswork and unifying your data, which mitigates the risk of human error and potentially vulnerable digital documents.
Multiple Datasets: Most utility facilities, especially those in the energy business, work with multiple datasets in multiple systems. This creates a risk of numbers. Data fragmentation presents opportunities for data to be compromised, requiring more security for more systems. In today’s world, it is important to find a system that brings all your data to one central home, integrating and connecting securely with your existing asset management systems and giving you one hub for information to be maintained and protected.
IT and OT and IIoT: Information technology (IT), operational technology (OT), and the industrial internet of things (IIoT), where IT and OT converge, create all-new challenges for cybersecurity. Different computing languages and process coverage make prioritization difficult, and bringing the two together for full coverage of your systems does not simplify the issue of security. Some EAM, ERP, and CMMS platforms have built-in processes to keep your data clean, though, and help to govern your system without the regularly scheduled, third-party maintenance team, which saves you time and money down the road.
Keeping your data secure is critical to the success of your business and daily workflow. Here are some tips for protecting your maintenance management system data:
Maintenance-centered Cybersecurity Design: Cybersecurity solutions should be tailored to the business goals of industrial organizations. Goals should drive security priorities, especially when budget is limited. Additionally, solutions can and need to fit existing maintenance systems and processes (e.g., protection of specific data sets, securing data collection and analytics processes) without compromising the safety, reliability, and availability of your digital maintenance systems.
Implement IIoT Security Standards: The Industrial Internet Consortium (IIC) has an assortment of best practices and white papers, one of which focuses on Managing and Assessing Trustworthiness for IIoT in Practice. To alleviate the challenges where IT and OT security converge, it is best to assess the trustworthiness of your systems. Trustworthiness, according to the IIC, is comprised of safety, security, privacy, resilience, and reliability.4 These characteristics are complex but ensure that your systems can fulfill their intended functions.
Security Policy Design: It may sound obvious, but it is crucial that plant operators designate personnel to design and enforce effective security policies. Policies should cover personnel security, access control, strong passwords, remote access policies, policies for securing computer equipment and devices, as well as policies for securing the computer network and software packages. Implementation should also account for modern solutions such as firewalls and other security devices like dual authentication.
Stakeholder Solution Engagement: Successful cybersecurity deployments occur largely because of stakeholder collaboration. Security expert efforts need to be paired with active engagement of cleaning staff, maintenance engineers, maintenance workers and plant executives. The latter engagement is a key to integrating the right security processes for maintenance systems within the plant and across the supply chain.
Foster Cultural Shift of Behavior: Cybersecurity within a plant is not only a matter of technical measures, but also a matter of cultural awareness. This awareness should create a shift towards secure behaviors in the digital workplace. For example, threats can come in through the back door when maintenance employees open phishing e-mails or download malware from the internet. These actions can prove to be catastrophic, leading to cyberattacks against hardware devices or even individuals. To implement a cultural shift, organizations should invest in training, which is a prerequisite for engagement and security-responsible behaviors.
Maintenance and Asset Toolsets: Toolsets and digital system suites help to keep data organized. Maintenance and asset management tools from solution providers with a deep understanding of current cybersecurity best practices should be evaluated so your team can have the necessary support for your data. Selecting the right tool(s) for your needs can make the difference between closing one project and closing ten projects!
While none of these actions are foolproof, they can get you on the right track to being cybersecure. It is important to consider the cyber needs of your business and the shutdown, turnaround, and outage implications of protecting your data. The mentality of “it will never happen to me” or “I’m too big to fail” does not apply to the digital realm. Check out how Prometheus Group solutions for your STO and maintenance management systems stay organized and secure!