Cybersecurity is a growing challenge across many industries, including the nuclear supply chain. Dr Dimitrios Anagnostakis, Nuclear AMRC research engineer and co-author of a new report on cybersecurity for advanced manufacturers, explains how companies can deal with the risks.
With increasing use of advanced digital systems and information technology (IT) across all sectors, the potential for accidental or malicious harm is also rising. Everyone working in industry needs to be aware of cybersecurity risks and how to manage them.
From an IT perspective, cybersecurity sits within three main principles: confidentiality, to keep sensitive data safe and protected; integrity, to maintain accuracy and completeness of data; and availability, to ensure the proper functioning of a system so data can be accessed when needed. All these aspects need to be maintained for the secure operation of an IT system.
In a manufacturing environment, the same principles apply to operational technology (OT) systems which include all the computer-controlled manufacturing equipment used on the shopfloor along with associated hardware and software. Availability is usually the priority, as any downtime will cost money, followed by integrity and confidentiality.
In advanced manufacturing, OT systems make up a large percentage of an organisation’s assets. To improve operational efficiency and offer higher quality products and services, IT and OT need to converge. There are plenty of overlapping areas between IT and OT in a connected data-driven manufacturing environment, but effective strategies might not be in place to protect data, infrastructure and people.
Large organisations are likely to have invested in cybersecurity, but smaller companies may lack the time or resources or underestimate the risks. Even if your organisation has invested time and effort in securing an IT certification such as Cyber Essentials, it won’t necessarily cover your OT.
OT-related decisions are often made on the shopfloor by operations staff, with less engagement with IT and security teams. This may result in a variety of technologies and capabilities which will require significant effort to integrate and manage with existing IT infrastructure.
Nuclear challenges
Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, with risks to security, economy, and public safety and health. It’s a particular challenge for the nuclear sector, including manufacturers in the supply chain.
As in most industries, digitalisation of nuclear is well underway with growing use of digital systems to replace legacy infrastructure. This has led to an increased deployment of modern hardware for connecting existing systems, collecting data, enabling automated data processing and eventually creating valuable insights to inform decision-making. However, this also brings a series of cybersecurity challenges.
Each digital system and end-user device may constitute a point of access for cyber-attackers, potentially leading to critical incidents such as shutdowns, data breaches, and physical damage to operating systems. Nuclear facility operators need to carry out a proper cybersecurity risk assessment so vulnerabilities and associated threats can be identified, and the appropriate measures and precautions are taken.
From a nuclear manufacturer’s point of view, the challenges remain the same as in other industries such as aerospace, oil & gas, and defence. Components have extremely high value, as do the data generated throughout their manufacture, so it is critical for manufacturers to maintain the highest possible level of cybersecurity.
Understanding the threats
With the rapid adoption of connected manufacturing equipment, companies need to map the state of their infrastructure and identify any potential cyber-threats. These maps will then facilitate an effective cybersecurity risk assessment so countermeasures can be applied. An effective assessment will ensure that business assets and production machines will be protected and kept available, while sensitive data will remain secure and accurate.
As systems are increasingly connected across manufacturers, supply chains and industries, cybersecurity readiness is currently not as mature as it needs to be to provide a sufficient level of protection from current and emerging threats. Manufacturers need to seriously consider the implementation of a cybersecurity strategy.
This is why I recently worked with colleagues from the AMRC and other High Value Manufacturing Catapult centres to write a detailed introduction to cybersecurity risk assessment for advanced manufacturers.
The report aims to help manufacturers with limited knowledge to identify potential threats and prioritise actions for reducing the risks. We also explain how to frame a strategy and policy for cybersecurity, and take the necessary measures to protect your data and assets.