Could New EU Directives Increase Industrial Cyber Security?

Cyber security is not a new topic, but it is increasingly a central factor in modern risk management in the industrial sector. Nevertheless, it is not just about management of risk but also a matter of personal responsibility.

Production related threats, such as production losses, impaired quality or delivery delays, are no longer the only risks. Management and privacy of data is equally important in any responsible and modern production environment. This has to be supported by well-organised management standards and frameworks that can deal with the ever-evolving threat of cyber threats.

This paper discusses how modern industry is threatened by cyber threats and outlines new EU directives and guiding standards that will incentivise and help businesses adapt.

​The current state of cyber threats in the industrial sector

When considering cyber security in the industrial sector, the challenges are traditionally associated with personal IT, office automation, business management and ERP (Enterprise Resource Planning).

The largest share of incidents is unintentional, caused by an individual’s lack of knowledge. This obvious flaw can be amended by increasing your workforce’s cyber awareness with a sufficient training program, which covers the basics of email phishing, malicious attachments and e-fraud.

The benefits of increased digitalisation or automation in the industrial sector are well known. What is less well known is how Industrial Control Systems (ICS) can be become a target for cyber attacks. Recent cyber-attacks are using malwares to disrupt or take control of critical infrastructure like electrical substations.

It is also not just infrastructure; there are also reports that hackers are also attacking safety systems (1). Theses growing number of incidents underline the fact that ICS are increasingly being targeted for cyber-attacks.

The industrial sector, especially process plants (food, chemicals, forest products etc.) are vulnerable to cyber-attacks from known and unknown sources. Successful cyber-attacks can lead to loss of production, unplanned downtime (production quality waste), disturbances to cash-to- order processes and the supply chain.

The impact is not just limited to production processes. Building technology, such as climate control systems, remotely controlled access control systems and surveillance networks can be surprisingly vulnerable.

Damage to these technologies can also damage production indirectly or even have a catastrophic impact on the local environment or community. For example, an attack on heating, ventilation, and air conditioning (HVAC) systems in a hospital or laboratory could directly impact people’s health.

Understanding how digitalisation can impact peoples’ well-being needs to be understood, managed and protected accordingly. The journey starts by assessing critical parts of infrastructure and building technology.

When assessing industrial processes it is vital to:

• Be aware of, and understand, potential cyber incidents
• Assess and identify “my risks and how they are handled”
• Understand the time and effort required to recover back to production following a cyber attack
• Build and increase your resilience

Too often, there are no clear plans. Back-ups are not tested and even smaller disturbances can easily cause chaotic recovery situations. This highlights why cyber threats have to be a standard element of your general risk management strategy in the industrial sector.

About upcoming changes in cyber security directives – “what’s in it for me?”

In 1995, the European Union introduced the “Data Protection Directive” (Directive 95/46/EC) to regulate the processing of personal data to meet privacy and human rights laws. However from May 25th 2018, new directives will come into force.

The “General Data Protection Regulation” (GDPR) will supersede previous directives. The aim of GDPR is to protect EU citizens from privacy and data breaches, including heavy penalties for violations. Within this new directive there are measures that look to protect industrial operations (2). These include:

• ​The authorities must be notified within 72hrs of first becoming aware of a cyber-security breach. This applies not only to the production unit, but also its customers, suppliers and other stakeholders.
• ​Anyone, whose data is managed by a data controller (e.g. registered customer data), can, at any time, free of charge, get a confirmation related to the data use.
• ​Data controllers have to erase personal data once it has lost its original purpose, is no longer relevant or a data subject withdraws consent.
• ​Data protection must be included at the start of designing systems, rather than an addition. It must be of the highest standard and protect the privacy of any data subject
• ​Establishment and appointment of a Data Protection Officer (DPO) What is apparent with these new measures is the level of increased transparency for data processing, attempted cyber-attacks or breaches. There is going to be no hiding place if errors occur which can be detrimental to a company’s reputation. Therefore just having a traditional IT manager role will no longer suffice. These new challenges mean it is necessary to appoint a Chief Information Security Officer (CISO).

Trustworthiness

Increased digitalisation in production means there is greater interaction between different systems which are controlled or monitored through computer-based algorithms.

Wireless sensor networks, measuring something in a given environment and transmitting that to a central unit (e.g. automatic pilot avionics systems), are typical applications in this area.

This is all combined with human interaction. All these moving parts create the cyber physical systems (CPS). The CPS needs to be incorporated into risk management practices (3).

Trustworthiness is an integral part in the CPS concept, with aspects of security, privacy, safety, reliability and resilience. Trustworthiness must be a basic requirement of any modern industrial site and a prerequisite to sustainable, advanced manufacturing and the digital business environment.

From a risk management perspective, combining GDPR and trustworthiness can be conducted by doing the following:

• ​CPS may include physical, analogue and cyber components. Engineers must determine how to evaluate the impact of their choices in terms of multi-level trade-off metrics
• ​Security, operational and reputational risk
• ​Safety, error rates (is there a possibility that data can be used against the processor?)
• ​Reliability, failure rates
• ​Privacy, unwanted disclosure rates
• ​Resilience, recovery rates

Resilience planning is done to mitigate against an attack and help with recovery. Data recovery following a security breach should be planned with a clearly defined process.

Ideally this should be practiced as well. In many cases, clear data backup routines can be the difference between a quick recovery and a total catastrophe. The key is how quickly this can be done to mitigate damages (e.g. production losses).

Turning theories into practice

ISO Standard 27001 is a commonly known and widely employed standard for management of information security and defines its related risks. This standard has traditionally been considered more as an IT management standard, but in environments with increasing digitalisation, it cannot be relied upon anymore in modern production facilities.

ISA99/IEC62443 emphasises the industrial control systems on four different layers (General, Policies and Procedures, System and Component). Furthermore the ISA99/IEC62443 represents a more advanced approach to industrial cyber security, specifically addressing the cyber security to control systems perspective. (4)

With a jungle of standards, guidelines and frameworks; selecting the right one for your business and industrial set-up is critical. Only once you have selected the most relevant ones can you establish the foundation of your ICS cyber security.

Equally important is the ability to maintain and evolve your cyber security. Pöyry has developed a simple approach to do this as illustrated in the flow chart below:

Asset management and cyber security

Processing or production industries are typically very asset intensive businesses. From the owner’s perspective, there is a huge amount of uncertainty and risk that is considered in the future production portfolio and business environment.

They have to consider important external factors such as the global economy, demand/supply changes, raw material pricing, employee restrictions, politics etc. Modern asset management includes a number of challenging questions, such as:

1. How to maintain assets to and still meet all set operational, sustainability and business targets?
2. What is the annual investment demand needed to meet any of the targets?
3. Should we replace or rebuild?
4. How can we mitigate any asset-related risks associated with unclear future market scenarios?

As you can see there is a huge amount that owner has to contemplate and manage. But it is vital that cyber security is given equal consideration. Therefore any asset management plan must include CPS. For example, equipment generation upgrades cannot only include hardware refurbishment or modernisation.

It has to include cyber security ICS (e.g. data privacy). Typically business managers tend to focus on reducing costs and time efficiencies. Meanwhile, procurement practices in processing focus more on direct assets costs, with maintenance and operational expenses being secondary.

Too often cyber-security drops down the agenda. However, failing to build in cyber security at the investment phase means that your new modern plant will in fact be old and inefficient from day one.

Summary

It is no longer sufficient to just deliver efficiencies or advanced sustainability. The integration of digitalisation in industrial operations is dramatically exposing industrial processes to unknown cyber security risks. Traditional asset management alone cannot ensure your safety.

However, all these challenges can be managed, but it requires a systematic approach, while continuously improving and updating. A suitable framework for everyone’s own business must be chosen, but being well planned is not enough if the plans are not enabled. That makes the difference. One might rephrase this fact in a following way: “Cyber security is a journey, not a destination!”

Acknowledgements

The authors wish to thank the valuable support by Mr. Petri Kankkunen for valuable comments to the contents of this article.

References

1. Threat Landscape for Industrial Automation Systems in H1 2017
2. Framework for Cyber-Physical Systems
3. Cyber security standards
4. www.poyry.com/cybersecurity