How Manufacturing CEOs can help resolve IT/OT convergence risks

Cybersecurity is at the top of the agenda

Cybersecurity is rising rapidly up manufacturers’ priority list. A major study commissioned by Fujitsu of more than 200 manufacturing ICT decision-makers across 17 countries uncovered that their top six business objectives were about just two themes: meeting financial targets and beefing up security. Security is the number one ICT challenge and manufacturers plan to invest heavily over the next 12 months.

This is a markedly stronger reaction than would have emerged even five years ago. For many years security has been a “distress purchase” – something you just have to do to protect against information loss, especially customer data and reputational damage. However, from talking to customers, it’s clear the drivers have changed, especially when protecting manufacturing systems. The role of security is increasingly seen as an enabler rather than a cost – great security enables you to be in business and reap the digital dividend.

Security pressures are mounting on manufacturers

More focus on cybersecurity is to be expected, given the significant rise in cyberattacks, not just against IT systems but also Industrial Control Systems and OT (operational technology) – the systems which control machines on the factory floor.

This is concerning for manufacturers. Ever since the Stuxnet virus, which targeted SCADA systems and is believed to have been responsible for causing substantial damage to Iran’s nuclear program, it has been clear that there is no such thing as an “airgap”. An airgap is still a common approach for keeping industrial control systems “offline” and separate from IT systems. However, as Stuxnet and the Colonial Pipelines attack in 2021 showed, it often fails to prevent viruses crossing from IT to OT environments due to known “zero day” attacks along with issues in process and policies.

In the context of Digital Transformation (DX), this is problematic. DX can have many potential objectives, but all depend on the increased use of data. In manufacturing, that data — usually from industrial controls systems previously kept in isolated silos — now needs to flow across the enterprise, therefore increasing the attack surface.

The convergence of IT and OT systems, especially at the network level, is compounding these security pressures. Legacy communication systems used for many decades in OT, for example, are now moving to become IP-based solutions. This is great from a standardization and cost point of view. However, even with good network segregation, it can also increase the attack surface of these systems.

How manufacturers are responding

The common thread for all these pressures is the convergence of IT and OT. The fundamental problem right now is thinking that yesterday’s response — perimeter defenses or using an airgap — can protect manufacturers from today’s advanced, persistent threats. The complexity of modern supply chains and the need for information sharing across enterprises and ecosystems are combining to render these approaches inadequate.

If you’re hoping for a silver bullet solution to all this, I’m afraid I’m going to disappoint you. The threat and the solution are much more complex than that.

Fujitsu’s research shows that enterprises get it. They are adopting a multi-layered approach to achieve good cyber security. That’s really positive, in our view, as perimeter defenses are not the only approach — you need alternative solutions for the many different technologies that sit on the perimeter.

It is fundamental to create a secure network flexible enough to enable the business to change and adapt as needed — but has security approaches embedded. And technologies like software-defined networks (SD-WAN) can keep IT, OT and IoT segregated. As will 5G, with its high density and low latency, allowing businesses to exploit cloud-based systems at the network edge – a phrase which usually refers to remote, far-flung locations where, until now, network connectivity has been poor or even non-existent.

Also critical is identity and access management. “Identity is the new perimeter” is a new mantra in infosec. It means knowing who or what is asking for access to your systems, be that a person, a piece of industrial control technology, or an IoT device, from any location. You must know what is normal and abnormal behavior.

Getting it right requires the CEO’s involvement

Getting all this right is really important. Manufacturing cybersecurity is what keeps CIOs and CEOs awake at night. In other environments, it’s about data loss — which is severe enough. But with OT, the stakes are higher, as people could get hurt or even killed.

Getting it right is also a cultural issue, notoriously the hardest of all business challenges.

Industrial control systems are typically owned by factory managers, not IT departments. They tend to be in place for a long time, during which things deteriorate, creating weaknesses. Modernizing them to interact with digital systems requires talking to IT, which involves new jargon, suppliers, protocols — and much else besides.

IT, in my experience, is not making a ‘land grab’ to own the OT element. But it has the most cybersecurity experience — and most networks are IP-based. The bottom line is that IT has established best practices to make systems resilient, and these must now be deployed across OT. It is logical that IT owns that role. However, this is a case of two separate worlds colliding, and it doesn’t always go well.

Who is best placed to resolve any boundary disputes as IT and OT converge? It comes down to who has the necessary level of authority to influence both. IT is now more likely to have its own seat on the board due to Covid-19. Production managers tend to report to the COO. Governance then is at the CEO level. They, after all, are accountable to investors if the factory goes down after a cyberattack – or to health and safety investigators — and possibly the police — if there is an accident.

Cybersecurity has risen to the top of manufacturers’ business agenda. It’s time for the CEO to become actively involved in key decisions to resolve the risks created by the convergence of IT and OT.

To read the full research report, click here

Click here to listen to my video interview with Craig Baty from DataDriven where I discuss how Manufacturers can resolve IT/OT convergence risks and other cybersecurity topics

Visit fujitsu.com/manufacturing to learn more