Executive Briefings

Companies Undergoing Digitization Need Protection Against Cyber Attacks

Several executives sound off about just what constitutes digital transformation of the enterprise, and the necessity to ward off cyber-attacks, especially as the IT and operations technology sides come together.

Companies Undergoing Digitization Need Protection Against Cyber Attacks

The Industrial Internet of Things is about more than merely connecting devices, sensors and systems. The value of connectivity is in the information that is shared. But the profitability of the IIoT is lost if crucial equipment and other assets are compromised due to inadequate cybersecurity measures. The following excerpts are from several experts who see the tremendous promise of IT-OT convergence, but who are concerned with protecting the most important assets that any company has.

Q: No doubt there are many definitions of the digital enterprise, but I’m curious how you see it at ARC. What’s your view there?

Andy Chatha, president of ARC Advisory Group: First, we recognize that industry is different, it’s very diverse. The needs, the business models, these are very different. Defining it, then, depends on what a company’s business model is, the industry it is in and so forth.

However, at ARC we view and believe that the digital enterprise has five key characteristics. You know, a few months ago we did a big survey and in part of it executives said their companies were becoming more customer-centric, and that becoming more agile is important to them. Companies, of course, have been trying to become agile for a couple of decades, for a long time, but going digital can take the agility and the flexibility to another level, a higher level. So that’s the first characteristic.

Secondly, as companies are going digital they can start actually changing their business model. They have to start looking for new ways to bring new opportunities and new capabilities to their customer. Improving the customer experience will be another key characteristic of going digital.

Third, companies have to start becoming more data-driven. Industrial companies have lots and lots of data, but now you have to start leveraging this data. Unfortunately, in the past, we didn’t have good tools for companies to leverage it, to make sense out of the data. Now we have lots of tools that can help companies make sense of the data and actually help realize some opportunities they didn’t have before.

Another characteristic of going digital is that companies have to start adopting open, secure software platforms. As companies are bringing more and more technology to their plants and to their organizations, it’s going to become more and more critical that all these technologies work together.

Lastly, and the fifth characteristic, is that no company, small or large can do it alone. Increasingly, companies have to encourage collaboration internally among their employees, plus they have to work with their partners. Because industrial inventories are very complex, their supply chains are complex, increasingly companies need to work with their partners more and more closely and collaboratively.

Q: You’ve outlined many of the components of the digital transformation that’s taking place, but there is one area that I believe we need to address: how to protect the enterprise, how to secure it.

Chatha: Companies have to worry about cybersecurity, certainly, because they face all manner of cyber threats. They need to make sure that all of these activities, all of the platforms they are acquiring, are secure. So, going forward, we believe that open and secure platforms will be critical for companies. When they are trying to select which platform is the right one for them, it will be critically important to choose the ones that are secure.

Q: Your title suggests the heavy emphasis and importance that ARC places on digitization of the enterprise. Walk us through what’s transpiring in your area now?

Greg Gorbach, vice president and head of ARC’s Digital Transformation Group: There are four big trends that come to mind. The first is the Internet of Things. So when we talk about IoT at ARC, we talk about connectivity from sensors and devices all the way up through networking, the cloud and analytics. So there’s a lot going on in that general space. Number two is analytics and machine learning. As we’re talking to clients, more and more we are fielding their questions about what’s machine learning, how to deal with predictive analytics, and what’s the impact of all that on their operations.

Third, is platforms. So we have the advent of the modern 21st Century software platform-as-a-service. That’s sweeping through the industry. I say “sweeping,” though really, it’s causing a lot of confusion. That’s especially so on the operations technology side, where industrial companies are struggling to figure it out. 

And then, finally, you have cybersecurity. A lot is happening there. It’s been a big topic for a couple of years, but it’s even bigger now. But we are seeing some progress with things like the Industrial Internet Consortium’s release of their security framework for the industrial internet.

Q: The view seems to be that security can’t be an afterthought or a bolt-on of some kind. Rather, it has to be “baked in,” if you will.

Mary Bunzel, general manager, Manufacturing & Industrial, Intel Corp.: We believe that security needs to be designed into every application and into every layer of the intranet and extranet outside the organization. Without that, no one will have the confidence to fully exploit all of the capabilities of the Internet of Things.

I believe until the security issues are solved, we simply won’t get to utilize the full capabilities that there might be. So, for sure, security needs to be built in.

Q: You seem to feel that most cybersecurity initiatives, at least in the automaton industry, go only halfway, that too much is assumed to be protected when it isn’t.

Olugbenga (Benga) Erinle, president, Ultra Electronics 3eTI: Cybersecurity in a lot of ways is the great unknown. Of course, everybody knows that there is a cyber problem, but they struggle to codify what it really is. In my business, and our legacy is in defense, we believe that true security is end-to-end security.

Q: But what does that mean, tactically?

Erinle: Look at it this way: Every parent knows, when you raise your kids, what’s the first thing you teach them? Don’t talk to strangers, right? But in the automation industry, we have a lot of devices on a network that are critical to running plants and automation systems, and these devices will “talk” to anybody, which is not good. Devices shouldn’t talk to strangers.

We do a good job in this industry of protecting our personal computers, the servers and the HMI systems; however, when you get to actual devices that get connected to the physical side of the network, we protect those things with firewalls. We sort of draw a big boundary around them and say we’re keeping the bad guys out. The problem is, if you get beyond that firewall, behind the defense line where the controls are, those devices will talk to anybody.

For instance, if a command goes to a controller to spin faster than it should, it will do it because that’s how they’re designed to operate. But no one in the 21st Century should be having computers or devices connected to networks that are, in essence, talking to strangers.

Q: It’s one thing to speak generally about cyber-attacks, but as a practical matter, how do they occur?

Harry J. Regan, vice president, Security Consulting Services, Securicon: When you look at how attacks actually happen, it’s rare that they just come through one attack vector. They usually are well planned and well organized with social and physical components as well as with the cyber component. 

Q: What devices or equipment, if any, are immune to either being attacked or being the conduit for a destructive cyber invasion?

Regan: The thought of your video camera attacking a target is a little disconcerting, certainly, but there are a whole lot of other devices that pose threats. Everybody has smart devices these days, and the possibility of compromising those into doing other malicious activity is really significant. But being able to a) identify what vulnerabilities can be exploited to use for malicious means is one thing, but then b) how do you defend against that?

Q: If disconnecting isn’t the answer, what is?

Gary Freburger, president, Process Automation, Schneider Electric: If you think about the Internet of Things and what’s happened over the last several years, it’s really around technology development in digitization and how that’s moving forward, how that’s driving the market.

So, it’s about connectivity. There are a lot of things that can be connected. You can look around your daily life and find all types of things that can be connected, from your home, your car, any of those kinds of things. But connectivity is only part of that. It’s really how do you build the automation and the technology to bring some value to that connectivity.

What we have to think about is, what’s the value of the Industrial Internet of Things to the customer? The value is profitability. How do we help them make decisions at the lowest-asset level and at the enterprise level to improve profitability? At the end of the day, that’s what the customer wants. He wants to be able to impact profitability. So we don’t do IoT just for the sake of connectivity. We do it to bring value to the customer.

Q: Often the discussion centers around the information technology side, but the operations technology side is just as critical, if not more so. Wouldn’t you agree?

Francis Cianfocca, founder and chief scientist, Bayshore Networks: Yes, and we’re here to help companies protect their industrial control systems that are starting to have connections to IT networks, and also to help them leverage the move to the Industrial Internet of Things, but to do that in a safe and secure way.

Q: So, what’s the challenge there?

Cianfocca: What we’ve found over the years is that what people really want — and need — to do is to block certain transactions coming over the network to the industrial machines because they might create unsafe conditions. So it’s a larger question than security. But to do that, you need to inspect at the data level.

Q: How has the security imperative been underscored by the convergence of IT and OT?

Cianfocca: I would say in the past year that people, certainly the large customers, are paying a lot closer attention to cybersecurity as it relates to industrial production, and two things are driving that. One of them, obviously, is a strong perception that these systems are vulnerable and if they are attacked, you’re exposed to a lot of risk, but that’s pretty basic and fundamental. The other thing is a growing recognition that if you do the IT-OT convergence and you start sharing information with customers and partners, it’s transformative and a tremendous amount of business value comes from that. But if you’re going to do that, share information, you’ve got to know where it’s going and how it’s being used.

It’s very clear to people that these are critical assets, the most critical assets in any company, much more critical than IT assets. It’s what you run your business on — whether you make automobiles, you make electricity, you make gasoline — this is the stuff that you need to protect at all costs. So there is recognition that if you are to share those assets, you must do it in a safe and secure way. But at the same time, you don’t want to change them, because they are working really well.

To view the video in its entirety, click here

Resource Links:

ARC Advisory Group
Intel
Ultra Electronics 3eTI
Securicon
Schneider Electric
Bayshore Networks

The Industrial Internet of Things is about more than merely connecting devices, sensors and systems. The value of connectivity is in the information that is shared. But the profitability of the IIoT is lost if crucial equipment and other assets are compromised due to inadequate cybersecurity measures. The following excerpts are from several experts who see the tremendous promise of IT-OT convergence, but who are concerned with protecting the most important assets that any company has.

Q: No doubt there are many definitions of the digital enterprise, but I’m curious how you see it at ARC. What’s your view there?

Andy Chatha, president of ARC Advisory Group: First, we recognize that industry is different, it’s very diverse. The needs, the business models, these are very different. Defining it, then, depends on what a company’s business model is, the industry it is in and so forth.

However, at ARC we view and believe that the digital enterprise has five key characteristics. You know, a few months ago we did a big survey and in part of it executives said their companies were becoming more customer-centric, and that becoming more agile is important to them. Companies, of course, have been trying to become agile for a couple of decades, for a long time, but going digital can take the agility and the flexibility to another level, a higher level. So that’s the first characteristic.

Secondly, as companies are going digital they can start actually changing their business model. They have to start looking for new ways to bring new opportunities and new capabilities to their customer. Improving the customer experience will be another key characteristic of going digital.

Third, companies have to start becoming more data-driven. Industrial companies have lots and lots of data, but now you have to start leveraging this data. Unfortunately, in the past, we didn’t have good tools for companies to leverage it, to make sense out of the data. Now we have lots of tools that can help companies make sense of the data and actually help realize some opportunities they didn’t have before.

Another characteristic of going digital is that companies have to start adopting open, secure software platforms. As companies are bringing more and more technology to their plants and to their organizations, it’s going to become more and more critical that all these technologies work together.

Lastly, and the fifth characteristic, is that no company, small or large can do it alone. Increasingly, companies have to encourage collaboration internally among their employees, plus they have to work with their partners. Because industrial inventories are very complex, their supply chains are complex, increasingly companies need to work with their partners more and more closely and collaboratively.

Q: You’ve outlined many of the components of the digital transformation that’s taking place, but there is one area that I believe we need to address: how to protect the enterprise, how to secure it.

Chatha: Companies have to worry about cybersecurity, certainly, because they face all manner of cyber threats. They need to make sure that all of these activities, all of the platforms they are acquiring, are secure. So, going forward, we believe that open and secure platforms will be critical for companies. When they are trying to select which platform is the right one for them, it will be critically important to choose the ones that are secure.

Q: Your title suggests the heavy emphasis and importance that ARC places on digitization of the enterprise. Walk us through what’s transpiring in your area now?

Greg Gorbach, vice president and head of ARC’s Digital Transformation Group: There are four big trends that come to mind. The first is the Internet of Things. So when we talk about IoT at ARC, we talk about connectivity from sensors and devices all the way up through networking, the cloud and analytics. So there’s a lot going on in that general space. Number two is analytics and machine learning. As we’re talking to clients, more and more we are fielding their questions about what’s machine learning, how to deal with predictive analytics, and what’s the impact of all that on their operations.

Third, is platforms. So we have the advent of the modern 21st Century software platform-as-a-service. That’s sweeping through the industry. I say “sweeping,” though really, it’s causing a lot of confusion. That’s especially so on the operations technology side, where industrial companies are struggling to figure it out. 

And then, finally, you have cybersecurity. A lot is happening there. It’s been a big topic for a couple of years, but it’s even bigger now. But we are seeing some progress with things like the Industrial Internet Consortium’s release of their security framework for the industrial internet.

Q: The view seems to be that security can’t be an afterthought or a bolt-on of some kind. Rather, it has to be “baked in,” if you will.

Mary Bunzel, general manager, Manufacturing & Industrial, Intel Corp.: We believe that security needs to be designed into every application and into every layer of the intranet and extranet outside the organization. Without that, no one will have the confidence to fully exploit all of the capabilities of the Internet of Things.

I believe until the security issues are solved, we simply won’t get to utilize the full capabilities that there might be. So, for sure, security needs to be built in.

Q: You seem to feel that most cybersecurity initiatives, at least in the automaton industry, go only halfway, that too much is assumed to be protected when it isn’t.

Olugbenga (Benga) Erinle, president, Ultra Electronics 3eTI: Cybersecurity in a lot of ways is the great unknown. Of course, everybody knows that there is a cyber problem, but they struggle to codify what it really is. In my business, and our legacy is in defense, we believe that true security is end-to-end security.

Q: But what does that mean, tactically?

Erinle: Look at it this way: Every parent knows, when you raise your kids, what’s the first thing you teach them? Don’t talk to strangers, right? But in the automation industry, we have a lot of devices on a network that are critical to running plants and automation systems, and these devices will “talk” to anybody, which is not good. Devices shouldn’t talk to strangers.

We do a good job in this industry of protecting our personal computers, the servers and the HMI systems; however, when you get to actual devices that get connected to the physical side of the network, we protect those things with firewalls. We sort of draw a big boundary around them and say we’re keeping the bad guys out. The problem is, if you get beyond that firewall, behind the defense line where the controls are, those devices will talk to anybody.

For instance, if a command goes to a controller to spin faster than it should, it will do it because that’s how they’re designed to operate. But no one in the 21st Century should be having computers or devices connected to networks that are, in essence, talking to strangers.

Q: It’s one thing to speak generally about cyber-attacks, but as a practical matter, how do they occur?

Harry J. Regan, vice president, Security Consulting Services, Securicon: When you look at how attacks actually happen, it’s rare that they just come through one attack vector. They usually are well planned and well organized with social and physical components as well as with the cyber component. 

Q: What devices or equipment, if any, are immune to either being attacked or being the conduit for a destructive cyber invasion?

Regan: The thought of your video camera attacking a target is a little disconcerting, certainly, but there are a whole lot of other devices that pose threats. Everybody has smart devices these days, and the possibility of compromising those into doing other malicious activity is really significant. But being able to a) identify what vulnerabilities can be exploited to use for malicious means is one thing, but then b) how do you defend against that?

Q: If disconnecting isn’t the answer, what is?

Gary Freburger, president, Process Automation, Schneider Electric: If you think about the Internet of Things and what’s happened over the last several years, it’s really around technology development in digitization and how that’s moving forward, how that’s driving the market.

So, it’s about connectivity. There are a lot of things that can be connected. You can look around your daily life and find all types of things that can be connected, from your home, your car, any of those kinds of things. But connectivity is only part of that. It’s really how do you build the automation and the technology to bring some value to that connectivity.

What we have to think about is, what’s the value of the Industrial Internet of Things to the customer? The value is profitability. How do we help them make decisions at the lowest-asset level and at the enterprise level to improve profitability? At the end of the day, that’s what the customer wants. He wants to be able to impact profitability. So we don’t do IoT just for the sake of connectivity. We do it to bring value to the customer.

Q: Often the discussion centers around the information technology side, but the operations technology side is just as critical, if not more so. Wouldn’t you agree?

Francis Cianfocca, founder and chief scientist, Bayshore Networks: Yes, and we’re here to help companies protect their industrial control systems that are starting to have connections to IT networks, and also to help them leverage the move to the Industrial Internet of Things, but to do that in a safe and secure way.

Q: So, what’s the challenge there?

Cianfocca: What we’ve found over the years is that what people really want — and need — to do is to block certain transactions coming over the network to the industrial machines because they might create unsafe conditions. So it’s a larger question than security. But to do that, you need to inspect at the data level.

Q: How has the security imperative been underscored by the convergence of IT and OT?

Cianfocca: I would say in the past year that people, certainly the large customers, are paying a lot closer attention to cybersecurity as it relates to industrial production, and two things are driving that. One of them, obviously, is a strong perception that these systems are vulnerable and if they are attacked, you’re exposed to a lot of risk, but that’s pretty basic and fundamental. The other thing is a growing recognition that if you do the IT-OT convergence and you start sharing information with customers and partners, it’s transformative and a tremendous amount of business value comes from that. But if you’re going to do that, share information, you’ve got to know where it’s going and how it’s being used.

It’s very clear to people that these are critical assets, the most critical assets in any company, much more critical than IT assets. It’s what you run your business on — whether you make automobiles, you make electricity, you make gasoline — this is the stuff that you need to protect at all costs. So there is recognition that if you are to share those assets, you must do it in a safe and secure way. But at the same time, you don’t want to change them, because they are working really well.

To view the video in its entirety, click here

Resource Links:

ARC Advisory Group
Intel
Ultra Electronics 3eTI
Securicon
Schneider Electric
Bayshore Networks

Companies Undergoing Digitization Need Protection Against Cyber Attacks