Operational Technology
Cyber Resilience

Secure by Design in Manufacturing is Not an Empty Concept

Jim LaBonty / Nov 12, 2024

Have there been emptier words in the context of cybersecurity than the notion of “building security in from the start?” The idea is absolutely spot-on—we should be designing systems and networks that are ruggedly tested for vulnerabilities and code defects during development and before they’re put into production. But the endless parade of hundreds of vulnerabilities every second Tuesday of the month from Microsoft, Adobe, Apple, and many others proves we’ve done otherwise. 

Given the flurry of state-sponsored threat activity against critical infrastructure, including manufacturing, many people are talking about secure-by-design principles, and there are pacts being signed by companies pledging to do just that. 

Here’s one person’s plea: Just do it. Please.

Secure By Design is a Top-Down Priority

Secure-by-design as a concept within manufacturing and OT assets is long overdue. And today, IT-OT convergence has brought a new urgency to this issue. The digitization of manufacturing assets and resulting data within this critical infrastructure sector means that new efficiencies and analytics are possible—and a must in order for companies to remain competitive—especially in highly integrated, smart manufacturing implementations. 

As with any new technology venture, cybersecurity risks are part of the territory. Introducing OT connectivity and integrations with IT systems and third-party suppliers expands the attack surface and attack vectors available to threat actors. More IT-OT connectivity introduces new vulnerabilities and new areas of exposure that can be exploited easily with commodity attacks.


Therefore, integrating security from the outset in the overall system interconnect design is a must. We can no longer just bolt on cybersecurity capabilities after systems are in production. Secure-by-design practices must be a top-down priority. Executives must insist upon this from their CISOs and from application and network development teams alike. Integration managers must not deploy new software or firmware updates until robust checks have first been completed successfully on virtual or physical twin environments, ensuring the integrity of the software on the day it’s deployed in manufacturing or critical infrastructure.

Organizations that are hesitant to include security in the software development process must understand that while there may be an initial outlay in costs, including for expertise, systems and tooling, this cost is modest compared to possible production delays or downtime; the benefits outweigh those costs tenfold. OT environments are already complex, and a breach that impacts production processes, whether by disruption or manipulation, can bring unprecedented downtime to organizations. A recent Claroty Team82 report on the business impacts of cyberattacks on cyber-physical systems revealed that nearly one-third of survey respondents said recovery time from breaches took longer than a month; 20% experienced operational downtime of between two and more than seven days.

Manufacturing processes that are disrupted or manipulated as a result of a cyberattack can impact manufacturing system availability or the safety of operators or the public. Companies can experience financial losses, a halted product supply chain, overall production shutdown, loss of intellectual property, and more. This is all in addition to intangible costs like damage to customer or partner relationships, company brand reputation, or regulatory implications.

CISA Backing Secure By Design

Secure by design, however, is gaining steam. CISA has made a concerted effort to market this as a must-have for critical infrastructure organizations. CISA insists that products be secure out-of-the-box, with security features such as multi-factor authentication, logging, single sign-on, and more enabled by default at no extra cost.

CISA published guidance in April 2023 pointing the finger at software manufacturers, presenting a real urgency to revamp design and development processes to allow only securely designed products to be shipped. It also recommended eight secure development practices, including conforming to a software development lifecycle such as NIST’s Secure Software Development Framework, which presents sound practices toward this end.

Software builders are also encouraged to raise the maturity of vulnerability management programs to focus on the elimination of entire classes of vulnerabilities and view defect management as a core business matter, not just a security matter. There’s more guidance around the use of open source libraries, secure defaults for developers, and hiring developers well versed in cybersecurity. 

This is critical within today’s landscape. For manufacturing companies, secure by design allows us to finally be proactive about risk management and be leaders in this aspect of our sector. No one truly understands how dynamic plants are, or the effects of disruptions. Lessening that risk with a proactive approach to secure development will pay immediate dividends and provide long-term benefits to suppliers and manufacturing.

Resilience, meanwhile, is the cybersecurity industry’s stated objective. A secure by design approach ensures that manufacturers are on the right road and manufacturing assets can stand up to cyberattacks. Business stakeholders can be assured of rapid recovery in the event of an incident.

Tangentially, secure by design ensures a handful of compliance and governance wins, lowers recovery costs, and in the end protects the invaluable trust between you and your customers.

Secure by design isn’t an empty concept. It’s crucial. And it can work. We just have to do it. Please.

Jim LaBonty
Retired Head of Global Automation Engineering, Pfizer, Inc.

Jim LaBonty is the retired Director and Head of Global Automation Engineering for Pfizer's Global Engineering & Technology division. In this role he primarily focused on establishing the strategic direction and harmonizing control system solutions across 42 manufacturing sites globally, including securing the development of Pfizer's COVID-19 vaccine. Previously, LaBonty held senior engineering and system architect roles at Rockwell Automation, Eli Lilly & Company, and Eastman Kodak Company. He now leverages his decades of experience to help firms with their corporate OT cyber strategy and global program execution, with the goal of protecting manufacturing.
