“The food and beverage industry has become a lucrative target for threat actors. Both are critical components of economies and, for many nations, they now represent a national security threat if compromised.”
Like other manufacturing sectors, Food and Beverage manufacturers want to avoid operational downtime at all costs. The main reason is the associated cost: each downtime event amounts to significant sums per hour through product deferment or loss. Preventing downtime events, whilst ensuring the data integrity of Operational Technology (OT) environments, presents significant risks and challenges for OT cyber security.
In recent years, closer convergence between IT and OT has brought about a range of advantages in terms of connectivity and process efficiency across the sector, with analysts taking more information from the data generated at the machine/plant level across manufacturing, warehousing and distributor networks. However, this IT/OT convergence also increases the attack surface.
Without robust security controls and defensible architectures, a cyber attack starting at the Enterprise IT level can propagate down into OT environments, with potential consequences for consumer safety and production downtime. This is because cyber attacks can interfere with the OT systems that control processes on manufacturing plant floors. Because the outputs of Food and Beverage manufacturers are consumable products, such interference can create safety risks. The safety of these products depends on a careful balance of external factors, such as recipes, treatment and storage temperatures.
Perception (What is happening):
Comprehension (Why do I care?):
In the context of an organisation with no or limited OT cyber security risk management, CNB Tel recommends a holistic approach when defining an effective OT cyber security risk management strategy/programme.
The first step in this journey is to understand risk and consequences to the organisation. At a basic level, this means identifying the most critical OT functions essential to fulfilling the organisation’s business operations, and the potential consequences of a cyber attack against them. The knowledge of an organisation’s system custodians and engineers should be leveraged to identify methods an adversary could use to compromise critical OT functions. This valuable knowledge includes technical system architecture details as well as insights into procedures and ways of working, such as logical user access, third-party service provider scope, supply chain considerations and physical security. Real-world cyber scenarios seen across industries should also be considered; not all will be applicable, but reviewing them ensures completeness and due diligence.
The ultimate aim of this initial analysis is to identify and prioritise risks that result in high-consequence events for the organisation. It also provides a high-level snapshot of current risk exposure and whether this exposure is within or outside organisational risk appetite/tolerance. Any subsequent OT cyber security strategy/programme and risk mitigations should be aligned with this analysis to ensure tangible, outcome-focused risk reduction. This approach helps organisations justify OT cyber security improvements and the associated costs by being armed with better information and understanding of “What, Why and How?”
The second stage in the journey sees the definition and establishment of an overarching OT Cyber Security Framework (OT-CSF) that delivers formalised policies, procedures, datasets, work instructions and best practice guidance designed for OT cyber security risk management. The OT-CSF should be aligned accordingly with guidance provided within industry frameworks such as:
The scope and depth of the OT-CSF must be realistic and defined based on factors such as plausible operational business risk and regulatory compliance requirements. An overburdensome OT-CSF may deliver perfect cyber security on paper but, in reality, will likely be ignored or worked around, rendering it ineffective. At a minimum, an OT-CSF should include:
The above represents a foundational level of controls that can be supplemented as organisational OT cyber maturity increases. Supplementary controls can be procedural or technology-based and include:
Knowing which business risks, regulatory drivers, and real-time operational insights to focus on is only the start of the OT cyber security journey. Organisations must also be realistic about their ability to execute and sustain a strategy/programme; they should therefore ask:
The ultimate aim is to reduce an organisation’s exposure to weaknesses and vulnerabilities that could be exploited by malicious threat actors. Additionally, greater awareness of cyber risk and formalised ways of working reduce the likelihood of cyber incidents caused by workforce error or misuse of OT assets.
Of course, one size does not fit all. A focused process of discovery and risk assessment is therefore paramount to identify an effective but sustainable blend of controls that meets business needs and addresses the cyber risks being faced.
© Copyright 2024 CNB Tel. All rights reserved