“The question is not if you will be hit, but when you will be hit”
Almost every day we read in the newspaper about cyber incidents and data leaks. And there are increasing numbers of cyber attacks on companies with industrial processes. During a lecture at the Industrial Cyber Security event, Marcel Jutte (Hudson Cybertec) and Jacco van der Kolk (Ministry of Economic Affairs) outline the issues using practical examples. They also provide insight into how entrepreneurs can improve their digital resilience themselves.
By: Dimitri Reijerman
A consumer must be vigilant online every day. Moreover, abuses, including cybercrime, are more often reported in the media. This produces greater awareness. Companies have also become more open about the subject of cyber security in recent years, except when it concerns themselves, says Van der Kolk, who works at the Digital Trust Center of the Ministry of Economic Affairs: “There is still a kind of taboo on admitting that companies have suffered from cyber incidents. Despite legislation that includes a reporting obligation for organizations that are part of the vital sector, we notice that companies are very reluctant to report these cyber incidents.”
Jutte adds: “It is certainly not the most normal thing in the world for companies to make this known. In some ways, a fire incident is handled differently than a cyber incident. It is precisely by sharing information that the entire industrial sector can benefit. If an OT device at company A is infected, the same thing can happen at company B. One can learn from the other. Of course we understand that reputational damage can be incurred. Unfortunately, the question is not whether you will be hit, but when you will be hit. It is therefore important to take the right precautions now.”
Vulnerability of OT systems
In addition to the vulnerability of IT systems, which can be found in almost every company, hardware and software on the OT side are increasingly becoming a risk factor within Industrial Automation. Van der Kolk: “For years, the systems within the OT were autonomous systems, separate from the regular IT system and certainly not connected to the internet. Some systems have been running for decades and were not designed with security in mind, but specifically with business continuity in mind. Social and economic developments have increased connectivity. More and more OT systems can also be accessed via the internet. Practical and useful for the operator who can quickly check a number of settings from home. But is that done safely?”
But not only existing, relatively old OT systems are vulnerable. According to Jutte, attention must also be paid to completely new systems: “Even now, components are still coming onto the market that are not cyber-secure. Of course, it remains companies that use this consciously or unconsciously. Companies should become more aware of the risks they run when using technology.” In addition, Jutte says: “There are (inter)national initiatives that, for example, will require suppliers to support updates for the products they supply for a number of years. There are also various (European) initiatives to introduce a quality mark in the field of cyber security. Certification of components and installation parts in the field of cyber security is an important step and more and more organizations will demand this.”
Increasing resilience
During the Industrial Cyber Security event, both gentlemen will introduce visitors to a number of options to improve the resilience of their OT systems. Jutte already gives an indication of what an action plan could look like: “In general, you have to think about what you can do before an incident, what you have to do during an incident and what you have to do after an incident. There is often a lack of awareness of cyber risks and the possible consequences. In concrete terms, this means knowing what is important in your company, ensuring security through backups, firewalls, good passwords, agreements with the system integrator and most importantly: ensure that your employees are alert and create a culture in which they are allowed and can report it if they feel that something is wrong. This 'human firewall' is an important line of defense for you against cyber incidents and attacks.”
Van der Kolk has a number of additional tips: “Having a baseline measurement or assessment carried out in the field of cybersecurity is a good place to start. The outcome indicates, among other things, which installation parts are vulnerable to digital incidents.”
Role for the government
In conclusion, Van der Kolk also sees a role for the government, for example through the Digital Trust Center (DTC) where he is active: “In addition to legislation, sharing knowledge and starting a conversation about this subject is also a role that the government takes on, and has taken on, by specifically helping companies organize information sharing and collaboration on this subject. The DTC has experience with this and now supports partnerships in the Netherlands in which companies work together on resilience. In addition, both the government and private parties are involved with national and EU legislation on the quality of digital products and services.”
“There is also a program underway, the digital hardware and software roadmap, in which not only the customer side is informed, but suppliers and producers will also be held accountable for their responsibility. The government also encourages scientific research into cybersecurity through various channels. From the Ministry of Economic Affairs, of course, with the intention of creating a safe environment as much as possible that allows enterprising Netherlands to further develop itself.”
Sign up for free for a visit to the Industrial Cyber Security event 2019 on October 9, 2019 in the Basilica in Veenendaal.