Insights: How to strategize Cybersecurity in connected and smart Manufacturing? - CIO Roundtable

Team Pro MFG Media

Pro MFG Media discusses the challenges of cybersecurity with CIOs of leading manufacturers in India.

“You cannot defend what you do not know and when you do not know exactly how much you do not know, it becomes indefensible.”

When asked about the kinds of vulnerabilities in the OT network, Jitendra Mishra, Group CIO, Alembic Pharmaceuticals Limited, emphasized the importance of hygiene, not only personal hygiene but also that of the IT/OT landscape. Hygiene begins with asset inventory: documenting all digital devices that enter the premises. He pointed out that the biggest challenge today is the new set of wearable devices, which can connect offline as well as interact online. This is why auditing security measures with periodic “clinical trials” such as VAPT tests becomes very important in gauging the security status of IT-OT systems.

“Things need to come as a big holistic picture of information security, rather than having any bits and pieces. It's not old technology, where you have some nut and bolt, and you're tightening it. It is a holistic picture, a big plan. And we have a very strong team committed to ensure that our things are well taken care of because information security is one of the most important for the board or the director point of view. Even if we look into that strategic point, it is not the IT department who's actually working on that agenda. It is the corporate, the whole organization which contributes to having a safe environment.”

Speaking about organizational intent and the participation of everyone, Mr. Vilas Pujari, CIO and VP, Corporate IT, ACG Worldwide, chipped in with a very important point. Earlier, the trend was to keep operations isolated from IT. Manufacturing experts would order machines as per their requirements, and since operational technology was kept isolated, the IT department had little or no control over the assets that were brought in.

“In the last three to four years, what we have done was that any software or any hardware or anything that connects to the network is being procured, there has to be an IT participation and there has to be an approval from CIO in terms of technically accepting that procurement. Commercially, the Production team and the Operations team may decide what they want to buy. But anything digital, any computer, any laptop, anything that is ultimately going to get connected to our network, there has to be participation by IT. It is a rule which we have applied across the organization. As an IT person, as a CIO, I would like to know what digital asset is being brought into the organization, how it is going to connect to the network, even though it's not an IT network, it is an OT network. It's going to open up for something, even the supplier may want to connect to this or it connects to the hardware or an automation piece of software to maintain that or to operate that any of these things, whatever it is, it has to be with the involvement of IT.”

Another challenge is that of legacy systems. Unlike IT systems, OT machines rarely receive OS upgrades, and migrating from one OS to a newer one is a very big issue, not only in terms of time but also in terms of development costs. “Windows XP was one of the biggest threats to us. You can't use Windows XP because there is no support. There are no patches coming up for security. This is something which is going to hit us in terms of, you know, security very hard. So a lot more than five years back we had started retiring the Windows XP assets. We fought with the vendors to the extent we began upgrading the SCADA software to ensure that we are not left with Windows XP. We still have one or two of our equipment, which we have not connected to our network. We keep it aside, like in a standalone and individual manner. Now, the fallout of this is definitely there is a greater need for IT-IoT integration,” added Mr. Vilas Pujari.

Speaking about their Industry 4.0 journey, Mr. Atanu Pramanic, Group CIO, Hindalco Industries, declared that air gaps between IT and OT are now a myth, with the two systems getting integrated as the technology progresses. “Every family of machines comes with its own set of challenges in terms of connectivity protocols and operability and control systems. It is the job of the IT team to understand the implications before plugging the new machine/device/process into the system.”

“Getting the right data at the right time is the key element in integrating IT-OT systems. We are talking about response, talking of security, talking of IT-IoT interoperability, but ultimately in the business world it is all pointless unless you get the right data at the right point in time. So the response time and hence the edge computing is gaining huge importance at this moment. For manufacturing units, it is of prime importance. When we are connecting our data to IoT, in remote areas, it may take a lot of time for uploading due to low bandwidth. Then retrieving the data and analyzing it within the manufacturing time frame might not be feasible. Which is why we need edge computing. When we don't allow the data to go at least at the runtime level to cloud, because we cannot wait for time for the data to come back from Cloud into the analysis. So that's where we are at this moment in the IoT journey. It is a mix of IoT operability, interoperability, security, data response time, IoT on the cloud, edge computing, all this together is where we are.”

When asked about defense in design when it comes to building safe IT-OT systems, Ashish Desai, CIO, Chemical Business, Grasim Industries, said that IT-OT strategies have been evolving over time. “Our earlier focus was on how to get all our entities into a single network. But thankfully, we realized that yes, we need to have a plan B as well. We need to ensure that the business can run on their own, but at the same point of time, how can you bring the control at the center? So in the last few years, we have started a journey of network segmentation. It is a balance between centralization and segmentation, just like it is a balance between going global and going local at the same time for a multinational business. It is about mitigating the risks by the simple logic of containment and independence while still being connected to be a part of the whole chain.”

“In an organization of our size and our expanse of geographies, asset inventory is a big challenge. From common printers to visiting engineers of vendors, the threat can breach the system through a simple USB port. The vulnerabilities stem especially from the OT because the machine vendors will not allow you to access their proprietary software even for a security upgrade like an antivirus or a firewall. And that is still kind of a grey area for cybersecurity professionals.”

Commenting on asset governance and controlling access, Srinivasa Reddy, CIO, Granules India Limited, stressed that cybersecurity should always be treated as a Zero Trust environment, which means there has to be strict access control for known persons (employees) as well as unknown persons (visitors/vendors). “Coming from the pharmaceutical industry, the biggest problem of the pharmaceutical industry is the maturity levels of the systems. Since most of the systems and for the systems means, you know instruments and equipment, either it is a laboratory or a production plant or packaging units, the assets we procure are from branded vendors. As an end user, we have no access to the integrated systems. The major difficulty that I see while implementing the activity is that we are not even allowed to implement the basic antivirus solutions. So, we are having strict data, production and control based group policy.”

“Speaking about security at the OT network level, the first line of control is that whenever any engineer comes up, we scan all their cyber gadgets, whether it is a phone, or a pen-drive, or any external hard disk, even a laptop. We have also implemented and seen some success using virtualization. We have all our OT devices into a separate network, through a VLAN or similar concept. By using various SCADA systems and kind of DCS systems, we can avoid dependency on endpoints, at least,” added Mr. Reddy.

Bimal Puri, VP and CIO, Textile Business, SRF Limited, emphasized readiness when asked about ransomware threats and cyberattacks. “If a ransomware attack happens, the most important thing is, do I have a plan in place? How will I isolate my backup systems, so that I can restore operations at the earliest? So, I think we need to go to the drawing board and we have to understand very clearly what our win-situation is. Whatever reason you are being attacked and you have been asked for the money, what is your plan to ensure that business continuity? By enabling the backup systems? So, to do that, you need an investment. To do that, you need to educate the top management. You might have capital constraints, but you will also need to look at the Risk vs Reward math. And most importantly is that this component a part of your plan or part of your framework, your protocol? The response to a cyberattack should include standard SOPs to assess the level of breach and procedure to safeguard other assets at the earliest.”

Talking about awareness, Jayanta Bhowmik, Group CIO, Kesoram Industries, touched on a common thread that runs across manufacturing industries: the apathy towards IT. “It's been an interesting journey. For us IT people to venture into the IoT network and really get it full done. As a part of our enterprise SAP implementation, we had to connect and interface all equipment including those who were least compatible to the interface. We could connect to most equipment and energy meters and even some of the PLCs. To get the real time data from them into SAP, we needed to connect. Due to the reluctance of the people to really update and patch and execute the basic hygiene of firewalls and certain policy management. Considering the high level objectives and priorities of the operations department, we just moved on. So that's the one frustration that we are carrying as a community.”

“As a pleasant surprise, I could really get certain value add from alternative options of getting intelligence and analytics. Big OEMs like Schneiders, Nokia and Rockwells have all done their own proprietary analytics. Instead of getting integrated analytics, you will have those islands of analytics whose communities and ecosystems have been progressing in their own domains. The versions that are coming out, definitely there is a lot of service security features and functionalities, which are getting embedded.”

Wrapping up the discussion, Murali Rao, Cyber Leader and Partner, EY India, said that there are three As: Asset, Analyze and Act. Get better visibility of your assets and then analyze. Prioritize what really needs to be done, how it needs to be done, and which critical assets need to be worked on. And finally Act, which is the preparedness and remedies.

Kartik Shahani from Tenable summarized the discussion, focusing on the easy steps of cybersecurity: Asset Inventory, Monitoring, Design and Control, and finding the right balance between operations continuity and cybersecurity to ensure business continuity.

Rohan Vaidya of CyberArk concluded the proceedings by bringing to the fore the important point of access control and privileged accounts, which are basically the low-hanging fruit for hackers and cyberattackers.