The Center for Industrial Cyber Security has presented its study “Benefits of cybersecurity for industrial enterprises”
As part of the XVII Meeting “The Voice of Industry”, held on May 4 in Madrid, the Center for Industrial Cyber Security (CCI) presented the document “Benefits of cybersecurity for industrial enterprises”, which contains the testimonies of an exclusive group of executives on cybersecurity. The need to raise awareness among boards of directors and other business leaders was very present in the talks, demonstrations and debates of the meeting.
José Valiente, director of the CCI, started the day by announcing that the Center has three new regional coordinators, in the United Kingdom, Belgium and Turkey.
Miguel García-Menéndez, responsible for Corporate Governance and Strategy of the CCI, presented the document “Benefits of cybersecurity for industrial companies”, joined by Antonio Rodríguez, of Air Liquide, and Ignacio Álvarez, of Siemens, who facilitated access to various managers who appear in the text.
Manolo Palao, co-founder of the Innovation & Technology Trends Institute and one of the co-authors of the study, also explained that “cybersecurity should be shared by the board of directors and technology managers, but in practice this distribution does not exist, there are great barriers, serious misunderstanding between the CISOs and the management committee.”
Miguel García-Menéndez explained that the study focuses on the role of the board of directors and the director general in cybersecurity, as well as the threats to industry in the digital age, the enablers for the development of industrial cybersecurity, the benefits for industrial companies and the testimonies of managers.
García warned: “We do not try to turn board members into technologists,” but he stressed that “in the United States there has already been a chip change in counselors and managers, cybersecurity is beginning to be taken quite seriously and not here”. He closed by recalling how, in 1999, an oil pipeline belonging to the Olympic Pipeline Company exploded in Bellingham, Washington. Three people died and one vice president was charged because they had the SCADA systems disconnected, using them in maintenance work.
Next to speak was Óscar Bou, partner-director of Govertis, who showed how to implement an industrial cybersecurity management system with the SandaS GRC platform. Bou explained the need for a holistic approach in environments as complex as industrial ones, with different systems, valuation criteria, threats and levels of risk. He emphasized: “We have to go down to the field level, it is very important to involve plant managers to report what is happening, even in remote substations, everyone should ensure that the controls are effective.”
Loic Guezo, Trend Micro cybersecurity strategist, provided an interesting list of examples, among which he highlighted a demonstration of attacks against industrial robots: the introduction of a small defect, such as a difference of 2 mm in the drawing made by the robot, can mean losses in the millions. According to a recent Trend Micro study, 10% of industrial systems are infected and some viruses have been responsible for major attacks, such as the suspension of 13 production lines in a company affected by the Zotob virus, which caused losses of 14 million.
Enrique Domínguez, director of strategy for InnoTec System, and David Marco, head of the industrial cybersecurity business line at the same company, explained that the cyber incidents managed by CCN-CERT and InnoTec have gone from 4,003 five years ago to 20,940 in 2016, the majority being of “High” criticality. Domínguez and Marco especially warned against extortion: “It is a trend in all sectors, in industry they show that they are in the plant and, if not paid, attack.” 20% of companies are not prepared to respond to computer incidents, they said.
The morning ended with a panel discussion on “Corporate resilience and technological dependence”, moderated by Susana Asensio, responsible for ITC Projects. Susana spoke of the VUCA (Volatile, Uncertain, Complex, Ambiguous) world in which companies can only “adapt or succumb”. The debate was attended by Antonio Rodríguez, of Air Liquide; Jesús Mérida, of Técnicas Reunidas; Juan Mataix, of Palo Alto Networks, and Eusebio Nieva, of Check Point.
The panelists valued rapid decision-making, adequate data collection, flexibility and adaptability, internal integration of technological complexity or the adoption of “top-down cybersecurity measures” as keys to success on the road to digital adaptation, “throughout the company,” said Juan Mataix. As for the strategy to achieve this, Eusebio Nieva stressed that “most companies want to go to digitization, but do not know how.”
As for the technological resilience of industrial control systems, Rodríguez stressed that “this is the same as before, when the factories did not wear a helmet, it is the same now with cybersecurity procedures for USBs and others.” Jesús Mérida stressed the lack of information sharing in the sector and the fact that “everything stays in theory, measures are not implemented.” Eusebio Nieva criticized the “immobility”, and all agreed on the need to raise awareness among management. Asensio also pointed to the need to have the person responsible for cybersecurity within the company clearly identified.
With the afternoon came the practical cases. Edorta Echave, consultant for Grupo CMC, and José Luis Laguna, technical director of Fortinet, showed how to protect an industrial environment from someone who performs a network scan in order to gather information for a targeted attack. The experts said that in their work they continue to run into antiquated equipment, few or no native security measures, systems that are not updated or cannot be upgraded, new vulnerabilities and increasingly sophisticated threats.