“Fresh and new air”: this was the general opinion of the attendees at the Industrial Cybersecurity Center event held last February 11th in Madrid. The event gathered about 80 professionals willing to learn about the maturity of some industrial organizations in relation to their cybersecurity capabilities.
The event started with a presentation by Samuel Linares and Susana Asensio, which summarized the two years of activity of the Center and the role it has played in awareness and cooperation among its members, a differentiating element in raising the cybersecurity capabilities of the industrial sector.
These two years of intensive work have generated a strong community and an international-level reference, with the country being the most advanced in this field. They have also triggered an increasing number of organizations and professionals joining this field. Currently, there is a trusted environment that allows confident sharing of experiences, as well as a mutual learning process. The new phase of the Center can be called “Sharing Experiences”.
José Valiente, the newly appointed Industrial Cybersecurity Center Director, together with Ignacio Paredes, presented the cybersecurity maturity tool designed and developed by the CCI. This tool has gathered a significant number of contributions and comments from the Center’s ecosystem members.
The tool has been applied to four organizations: two critical infrastructure operators and two industrial organizations. This is a very practical tool that can be adapted to the features of each organization. The evaluation is then performed taking into account factors such as the degree of automation of the organization, the infrastructure type and the sector to which the company belongs.
The first release of the tool considers 122 objectives for companies with a high profile and 99 for companies with a low profile. The solution has been built on other models that are widely used and implemented worldwide, but tailored to the needs and requirements of the companies and entities belonging to the Center.
The tool allows not just evaluating the organization itself in relation to industrial cybersecurity, but also measuring it against other companies in the sector, offering benchmarking capabilities.
Javier Urtiaga, PWC Partner responsible for Cybersecurity for Spain and Latam, introduced the need to identify meaningful metrics and indicators; this must be the first step in measuring the maturity of organizations.
The relationship between Risk and Governance is an important element of cybersecurity maturity. The value of the Industrial Cybersecurity Center for industrial organizations is extraordinary, since there is no widely accepted and agreed model to implement.
Industrial cybersecurity maturity can only be measured once the operational context is known, taking into account that not all attack vectors are technical in nature.
For this reason, PWC proposes a model based on three levels:
· Governance indicators, which in turn take into account three elements: the organization’s internal capabilities to face threats, the availability of specialized resources, and the ongoing training plans to achieve such specialization.
· Risk Indicators
· Identification of KPIs.
These three levels allow the company to assess its maturity level in relation to industrial cybersecurity and act accordingly.
Susana Calvo, from the certifying company DEKRA, presented its ERM proposal built on the ISO 31000 model.
According to DEKRA’s experience, it is very important that organizations include cybersecurity elements alongside business indicators.
This can only happen if three main factors are taken into account:
· Knowledge of the market and of the competitors.
· Knowledge of the stakeholders.
· Integral risk analysis of the company.
Currently, industrial cybersecurity indicators are not yet integrated into the business, due to the general immaturity of the sector. DEKRA urges organizations to include this type of indicator because of the impact they may have on business performance: “what cannot be measured cannot be improved”.
A differentiating factor of all the Industrial Cybersecurity Center events is the practical approach to the topics covered, as well as the exchange of experience and information. In this specific event, Jose Luis Vega, head of Security and Infrastructure at the food company CAPSA FOOD, presented how his company applied the tool to measure its industrial cybersecurity level.
CAPSA FOOD is a well-known Spanish company, with a presence in the stock market, currently in a process of international growth. Its production and manufacturing process is deeply tied to the quality process, with about 50,000 sensors in its industrial plants. In addition, the company has to follow very strict quality measures derived from the strong regulation of the sector.
The company obtained some immediate benefits after applying twenty-seven objectives, such as:
· To immediately identify improvement areas.
· The relevance of developing a cybersecurity culture in order to present the results efficiently to the Board and to top management.
· To identify and to value the most critical assets for the business.
· To design more effective investment plans.
· To standardize the industrial processes.
All these measures undoubtedly help to generate higher value for the stakeholders.
The traditional Closing Roundtable of all the events of “The Industry Voice” featured on this occasion industrial representation from four highly meaningful sectors:
· Energy, represented by Gas Natural
· Food, represented by CAPSA
· Engineering, represented by Técnicas Reunidas
· Telcos, represented by Telefonica
The Roundtable Chairman, Miguel Garcia-Menendez, after a brief introduction, asked the following questions:
· Are organizations proactive or reactive in relation to industrial cybersecurity?
· What are the risks that reactive organizations must consider?
· What is needed for an organization to be proactive in relation to industrial cybersecurity?
· How can the legal framework and regulation help organizations be proactive in this field?
· Which other actions may encourage cyber activity?
Although it is very difficult to summarize all the answers, we may point out some conclusions:
· In cyberspace, all countries are neighbors.
· Top management awareness of cybersecurity issues is an essential element in minimizing risks. When there is sensitivity to the topic at Board level, there is always budget assigned to address this type of activity.
· It is very important that vendors, EPCs and industrial suppliers are aware of the risks, so that they build their solutions with the appropriate security measures.
· The regulation and legal framework are an important compelling event for taking cybersecurity measures, although there is the risk that such measures are designed just to fill the regulatory gap.
In summary, cybersecurity has evolved from being an “expert” topic to being a differentiating competitive value.