Digital Manufacturing at Risk

Hi Securing Things Community,

📢 Cybersecurity or Digital Transformation Maturity Assessment + Sample Request for information (RFI)!🛡️

Many manufacturers, still struggle with starting out on defining and or executing their Digital Transformation and or Cybersecurity Strategies and maturity (yes, both journeys have a completely different focus and goal). One that would drive innovation for production operations to help produce more with less, predict failures and provide state of production operations in real-time accurately, and the other that could potentially ensure that operations stay resilient to cyber threats and consequently avoid any production loss / downtime respectively.

But there are solutions to both these problems and help is available out in the market.

If you are in this situation, your manufacturing environment is most probably at risk, both at, getting crushed by competition, and or getting penetrated by the adversaries.

Whether you are CIO, CISO, OT / automation expert, or part of operations senior leadership team and have recognise the crucial importance of having both strategies in place, act now and raise political capital awareness internally.

Though these two strategies have totally different focus, goals, skills sets required, organisational alignment, investments and support needs, however, they have some commonality in terms of the approach and execution. I have highlighted some in a previous article titled “Digital Transformation & Cybersecurity Strategy - Premier”.

Discovery - Business Inventory!

One of the first steps in both Digital transformation and Cybersecurity strategy journey is discovering and identifying the business inventory. This foundational step helps:

• OT Solution Architects or industry 4.0 leaders or System Integrators identify the current state of the business (i.e. 3.0 or 4.0 and which processes could potentially be automated). May also potentially identify what you were doing wrong if previous transformation efforts have failed. Key is choosing the right partner.

• OT Security Architects or Cybersecurity leaders identify the current state with assets, associated vulnerabilities, and related attack surface for the organisation. Interested in learning more on OT security assessments, check out a previous article on OT/ICS Cybersecurity Assessments/Reviews.

To support such an exercise, you’ll need to plan and request for data and information collection. Below is an example sample Request for Information (RFI) and Workshop tracking worksheet that I’ve used while performing initial discovery (note - this is not an exhaustive list and may vary per project needs). Develop one that suits your specific project goals accordingly.

You’ve Done the initial Discovery - Now What?

After completing the discovery phase, which involves conducting interviews with personnel from both the IT and OT/production control network teams, reviewing relevant documents and network architecture, conducting a walkthrough of the plant floor, and collecting data such as manual processes, printouts, packet captures, configuration details, and connectivity information:

• for the digital transformation maturity review - your solution architect would have identified your digital transformation maturity level / scale, established potential transformation use cases.

• for the cybersecurity maturity review - your OT security consultant or architect would have identified potential cybersecurity risks and improvement opportunities in terms of people, processes and technology.

Cyber Defense Matrix across Automation Stack

A possible way of looking at your business inventory and data collected is to use Cyber defense matrix (by Sunil Yu) and identify devices, applications, networks, data and users at each layer of automation stack (from cloud to factory floor down to the PLCs/edge or physical devices), potential risks and security controls around pre-cyber event and post-cyber event.

Above diagram highlights a sample list of potential security controls that may exists, or may be missing, suitable or required for your environment. The cyber defense matrix, also shows you the degree of effort / dependency across people, process and technology to implement any of these security measures. This is just one of the many ways to present cyber security controls gaps for easy understanding.

Note: Once you’ve established a baseline need for addressing cyber risks, and completed your rapid assessment, execute remediation / strategy and as you gradually mature perform a thorough Digital Transformation Maturity Assessment (using RAMI or others) and or Cybersecurity risk assessment (using standards like ISA/IEC 62443), respectively for your environment.

There’s much more to securing things for your digital manufacturing environment.

Approach the two pronged problem that puts your manufacturing business at risk, at the pre-eval phase together, and help save your business time, money and resources.

CIOs, CISOs, CDOs, OT / Automation leaders, how are you addressing these different needs for your manufacturing environment to making sure you remain competitive and also secure? - do type in comments below and enrich this resource.

My Ask

Do share your feedback.

Your feedback and input is valuable to me as we work together to strengthen our cybersecurity defenses and create a safer and smarter digital society. Thank you for your continued trust and support. If you like this or any of my previous editions, please share within your circle.

Do register, validate your email, and request login link to submit poll to be able to enter a chance to win a future course giveaway.

Here's to Securing Things together. Thanks for reading - until next edition!

It’s a Great Day to Start Securing Things for a Smart & Safer Society.

Take care and Best Regards,

M. Yousuf Faisal.

Follow: #securingthings on LinkedIn | @securingthings on X/Twitter & YouTube.