01 Feb 2021 | 21:43 UTC — Pittsburgh

FEATURE: Cyber-informed engineering perspective needed for cyber-defense (Part 3 of 3)

In order to effectively and efficiently protect assets from a cyberattack, companies need to go beyond IT security and evaluate cyber risk from a cyber-informed engineering perspective, according to a security specialist with a focus on manufacturing.

Mark Fabro, president and chief security scientist at cybersecurity consulting firm Lofty Perch, said that despite the disadvantages inherent to purpose-built systems like steel mills, the expected and deterministic behavior of the system can also be an advantage when developing cybersecurity measures.

Part 1: Manufacturing faces distinct challenges in cyber risk mitigation

Part 2: Steel mills have unique challenges, vulnerabilities to cyberattacks

"Interestingly, critical infrastructure and manufacturing have an advantage in doing consequence-driven cyber-informed engineering to narrow down the specific cases that are important to them. Cyber-informed engineering has significant value in defending these types of systems," Fabro said.

For organizations with a network of mills, Fabro recommended implementing a defense-in-depth strategy in and among company assets. A plant existing on its own separate network may reduce the opportunity an attacker has to move laterally within a particular network, but security must be implemented to account for an adversary with local access at a facility and the risk associated with removable media and transient devices.

Separate networks are a good idea, but the separation must be enforced with effective access control, anomaly detection and up-to-date security policies and procedures that enforce security at a corporate and programmatic level, according to Fabro.

A steel industry chief information security officer (CISO) also highlighted the need to implement defense-in-depth strategies in the steel industry.

"Recent events, including the growing prevalence of ransomware, have made this a priority for manufacturing and steel companies," the source said. "For any industry, including steel, there is no silver bullet. You have to apply defense-in-depth strategies to protect your network. The steel industry needs to know that this risk is not going away and is only going to grow, so we need to make cybersecurity a priority where it isn't already."
