Tool helps process automation increase cyber resilience
The security of industrial process automation requires a different approach than IT. But how exactly do you determine resilience if a company wants to examine its own industrial control systems? The Digital Trust Center (DTC) developed a handy tool for this and will talk about it during the Industrial Cyber Security event on Tuesday, October 12.
On behalf of DTC, Jacco van der Kolk (relationship manager) will give the lecture. We have already spoken to him.
First of all, we ask Van der Kolk how this tool came about. “A number of parties have decided, on behalf of the Cybersecurity Alliance, to pay more attention to the OT part of digital security,” says Van der Kolk. “In Operational Technology, availability is even more important than in IT. You cannot simply carry out updates within OT, for example, because then you have to shut down production. In certain cases that is not possible at all.”
He explains how companies can use the tool to increase resilience against cyber threats: “We have devised a tool with which you can perform checks on security on the OT side. What have you already set up? What have you not got in order yet? What could you do to fix the missing elements? The tool ultimately indicates where a company stands in the field of cyber security on the OT side.”
The tool, which has been available since the end of July, uses a number of questions to determine how important OT is for a particular company. Van der Kolk: “If the OT is not critical, you will have to deal with fewer questions and the security level that a company must achieve is also somewhat lower. And vice versa. The questions are largely divided into the ISO standards that apply, covering a total of about fourteen sub-areas. A spider diagram ultimately gives you insight into where improvements may be needed.”
Because information about the security level of companies is very critical, DTC deliberately aggregates very little data from the tool, says Van der Kolk: “Privacy is extremely important with these types of tools. We do continuously improve the tool. For example, we have started to indicate more clearly which standards apply to a particular question.”
DTC is also active in other ways to inform companies about OT security issues. In the future, a legal basis may also be created that will allow DTC to approach companies more actively, Van der Kolk believes: “There is also a bill in the making that will allow us to approach companies unsolicited. Such as recently with the critical Citrix vulnerability: we are currently not allowed to approach vulnerable companies ourselves, but we will if the law is introduced. We have also started a pilot in which companies share their IP blocks and domain names. Based on this information, we can, in collaboration with the National Cyber Security Center, pass on specific threat information to a select group.”
Looking to the future, Van der Kolk is also aware of the fact that ransomware poses a real threat to the industry. “Hospitals are often targeted, because they do pay,” he says. “I can well imagine that they will focus more on industrial companies, because they will also pay if their processes come to a standstill. The question is to what extent OT and IT are properly separated from each other. Just think back to Stuxnet.”
Do you want to attend the lecture by Jacco van der Kolk? Register free of charge on the website of the Industrial Cyber Security event.