ISA: Businesses need a culture change and higher cybersecurity standards
CYBERSECURITY is complicated and is creating a lot of challenges for businesses on their journey to digital.
For companies in industries such as manufacturing, mining, and construction, cybersecurity is a serious issue, especially as they look to digitize processes, automate workflows, and capitalize on data to drive innovations.
Industry bodies such as the International Society of Automation (ISA) provide support to such organizations through initiatives such as the ISA Global Cybersecurity Alliance (GCA), which aims to help create a collective body of knowledge to combat cyber threats more effectively, across the board.
However, as ISA Executive Director Mary Ramsey told Tech Wire Asia, the important thing in cybersecurity is to bring about a change in mindset in a way that helps raise standards and adhere to higher benchmarks.
“If we take safety as an example, we’ve developed a reliable, well-known, almost universally utilized series of best practices, standards, and expectations around how to operate and maintain a safe process and facility.”
Ramsey points out that ISA’s member organizations are safety-focused: they are well-trained, conscious of safety risks, and regularly engage with safety experts to make sure that changes to their devices or processes do not carry safety implications.
In most parts of the world, it can be said that companies have a strong safety culture and that executives at every level recognize safety as a significant risk area that needs to be monitored, evaluated, and invested in, and companies have access to the standards and tools required to achieve their safety goals.
“The same cannot be said for cybersecurity, yet,” emphasized Ramsey.
According to the Executive Director of the ISA, the vulnerability of systems and facilities has dramatically increased as organizations have deployed smart manufacturing technologies and the industrial internet of things (IIoT) to improve operations.
Increased connectivity brings the strengths of OT (operations technology) and IT (information technology) together to better leverage a company’s data and assets.
Obviously, these technologies drive productivity and lower costs, but they also widen the attack surface and increase the likelihood of internal mistakes with both cybersecurity and safety implications.
However, most facilities have only a few people who are even knowledgeable about cybersecurity vulnerabilities and protection schemas, and many companies are struggling to hire people with this skill set.
“While regulations and requirements for safety technology are well-defined, with harmonized standards used globally, cybersecurity standards and best practices are still gaining acceptance in many regions of the world.”
According to Ramsey, ISA/IEC 62443 (a cybersecurity standard created by ISA) has been adopted by the United Nations and is recognized as the world’s only consensus-driven series of standards for automation and control systems cybersecurity.
The series of standards is thousands of pages long and applicable to many different industries. Although the ISA GCA believes that user guides, industry application tutorials, and other materials will help companies make better use of these powerful standards in their facilities, companies first need to adopt a mindset that accepts this.
Opportunities also exist to harmonize the ISA/IEC 62443 series with other relevant industry guidance, ensuring that asset owners and others have user-friendly access to meaningful best practices that will help protect their systems and facilities.
“In addition to the technical guidance that ISA and the member companies of the ISA GCA can provide, and perhaps just as importantly, we believe we can impact the culture in many industry segments and bring awareness to these cybersecurity challenges,” reiterated Ramsey.
Ultimately, a change in mindset and a strong adherence to higher standards are key to avoiding vulnerabilities and ensuring better cybersecurity for the entire organization.
“Being secure, just like being safe, starts and ends at every single level of an organization, with well-trained people who pay close attention to details and understand the fundamental principles of protection.”