Omny’s Head of Customer Success, Tommy Evensen, was born into the industrial world. Touted as the Oil Capital of Europe, Stavanger, Norway, is Evensen’s hometown, so the oil and gas industry was simply a way of life. Later, his career would take him offshore, and it was here, in the middle of the North Sea, where he first started to understand just how vulnerable these critical assets can be.
“When I started digging into the security of some of the systems used to control offshore assets, I discovered major holes. Many of them. I could control an offshore rig from my living room,” Evensen says.
This sparked something in Evensen, a desire to raise awareness about the “major holes” and work to improve defenses against cyberthreats. Even though safety has long been a priority in industrial work, Evensen says its definition is too limited. He believes ‘safety’ in industry must also encompass protection against cyber threats, as more and more heavy equipment and critical infrastructure comes online.
“I guess I’ve turned into a sort of OT security evangelist, preaching about what can go wrong. Why we need to be thinking about this. Why we need to assess the risks. And why we need to prepare.”
Growing cyber awareness across industry is where we start.
Cyber security conversations with industrial players have become easier in recent years, he says. There is greater awareness and more interest in risk mitigation.
“War is upon us now, and we see cyber capabilities being weaponized. You can knock out a power grid in Ukraine, as we’ve learned. And this has caused many asset owners to start moving in the direction of resilience-building and protection.”
Cyber regulation for critical infrastructure, like NIS2, isn’t far off in many parts of the world, which means heavy asset owners may no longer have the option to sit idly by until the breach occurs. And luckily, much of the knowledge and resources already exist to help asset owners navigate their own cybersecurity journey.
Don’t know where to start? Evensen shares 3 tips to start building your cyber defenses.
- Know thy assets. When you ask an industrial operator if they know all the assets they have, the most common answer is ‘no’, according to Evensen. There are so many unknowns. This is the first thing to fix. It’s about having an overview of your industrial assets, knowing how they are connected, and understanding what cyber defenses you already have in place to protect them (and more importantly, what’s missing).
- Understand the risks. Industrial companies are doing risk assessments already, but typically for things like fires or chemical spills. Not for cyber vulnerabilities, says Evensen. With an overview of your assets now in place, assess where the biggest risks lie. Where are you most vulnerable? What will get you the most value out of protecting from potential cyber-attacks?
- Merge safety and security. Safety is the gold standard for industrial companies, and now cybersecurity needs to be included in that standard. Implement cybersecurity measures, help employees understand them, and even run training drills so that people know how to react when attacked. Your cyber defenses are your lifeboat, and it’s important that everyone is aware of that lifeboat and how to use it, explains Evensen.
It's time to open the cybersecurity ‘can of worms’
Evensen worries that security is all-too-often forgotten in the rapid digitalization of industrial organizations. “Optimization”, “efficiency”, and “cost reduction” are considered the primary targets for companies, while security is often swept to the side. That’s because cybersecurity in the industrial world is complex and often opens a can of worms that can be challenging to manage, he says.
“Digitalization is often driven by return on investment; reducing the load on people, reducing resources. It is not about adding requirements. And security is just that, adding more requirements - seeing the holes, and putting resources in to fill those holes.”
There’s no silver bullet when it comes to cybersecurity for industrial companies, Evensen is quick to say. It comes down to having the right people, working together across their silos, and using technology to see your operations holistically and assessing your cyber risks.
As he says, “It’s time to build your cybersecurity lifeboat.”
We think it's an excellent time to start building your cybersecurity lifeboat. Why not talk with a member of our Omny team for a little advice? Leave us a note through the link below and we will help you find the best path for you.
.jpg?width=290&name=_Tommy%20(1).jpg)