This special report aims to provide a few keys to enhancing corporate cybersecurity, particularly in the transportation industry.
Cybersecurity of Your Operational Systems: Are You Ready?
The media regularly report on the impact of cyberattacks in the industrial sector. Crucial to social cohesion and the economy, transportation is one industry that operates under the omnipresent threat of cyberattack.
In Quebec alone, several recently reported events have revealed the industry’s vulnerability, leading to production stoppages as targeted industrial equipment and/or computer networks have been paralyzed. The ever-increasing number of officially disclosed attacks is but a glimpse into the actual situation, the full scope of which is still impossible to comprehend.
One indisputable fact remains: the financial and reputational stakes cannot be denied. No company can afford to fall victim to an attack that leads to service breakdown, holding users, customers, suppliers, and employees hostage. In light of the situation and increased cyberrisk factors, businesses should be vigilant and prepare appropriately to ensure the resilience of their organization.
Increased Cyberrisk Factors
Cyberresilience Self-Assessment
Resilience refers to the ability of a person, ecosystem, or economy to resume optimal operation after trauma, disruption, or crisis.
As with viruses that threaten human health, it is practically impossible to anticipate when or what kind of attack could jeopardize the survival of a business. Tackling the situation right away by determining the current status of the organization is nevertheless not only possible, but highly recommended.
Where to begin?
A few self-assessment questions
- Is the organization ready to react in the event of a cyberattack?
- What operational systems face the greatest risk?
- What percentage of the budget is dedicated to operational cybersecurity?
- Have a cybersecurity program or other protective solutions been implemented? Have they been reassessed?
- Are the skill sets required to assess cyberrisk exposure and solution rollout available in-house?
Adopt Best Practices Now
As we’ve previously discussed, assessing cyberrisk and risk mitigation measures should extend to the entire ecosystem in which businesses operate. It involves conducting a complete 360-degree analysis that includes company processes and structure, as well as those of every vendor in the supply chain.
The process should consider systems in the broadest sense (information technology, operational systems, equipment, machinery, etc.) and the people that run them, as digital security is still often compromised by human error.
The first stage of working toward greater cyberresilience consists of mapping operational systems. Drawing up the list of attack surfaces to determine the most vulnerable systems and the scope of risks the organization is facing helps define what level of protection is appropriate and what measures should be taken.
That means making cybersecurity a priority in all day-to-day operations and at the highest levels of the organization, for easier decision-making and resource mobilization. Changes to the organizational structure may be needed to ensure responsibility for cybersecurity is entrusted to the right people with the skills to make the necessary decisions.
The next stage involves implementing an operational cybersecurity program that includes a review of the corporate computer architecture. Business technology systems can be accessed in multiple ways, and every point of contact should be considered – critical systems, of course, but also interconnected subcontractor systems that handle increasing volumes of data. That’s why collaborating with the various parts of the supply chain is essential to securing systems.
Successful cybersecurity programs rely just as heavily on cross-functional collaboration within organizations. Having specialized teams take part in the process helps limit the impact on systems, as they have an invaluable understanding of technology.
Change management underpins the entire process. It is important to lay the foundation for the teams involved, and more broadly, to raise employee awareness about the nature of cyberrisks and how employees can make a difference day to day, helping them grow more vigilant. Communication, education, and training efforts are necessary. Areas of responsibility can also be reviewed so that the organizational structure of the business reflects the importance placed on cybersecurity.
Beyond integrating a well-thought-out operational cybersecurity program into operations, periodically reviewing and validating the measures in place is essential to keeping systems secure and adapted as technology develops.
The last stage consists of conducting regular audits of the cybersecurity program, along with complementary activities including surveillance and continued training for the teams involved. With these tools, businesses are in a better position to keep up with the new standards and regulations they will have to integrate over time, both when it comes to securing current systems and to designing and developing future systems.
Rising to the Challenge to Set Yourself Apart
The threat is latent. Business rolls on and it is in the interest of businesses to stay one step ahead and maintain their competitive edge.
Overlooking cybersecurity could put essential business relations at risk and threaten the survival of organizations. Businesses whose systems perform well but fail in terms of cybersecurity could be excluded from requests for proposals. Conversely, businesses with solid cybersecurity programs would be in an influential position and could prompt their own customers to adopt higher security standards, for the benefit of their entire ecosystems.
Operational systems that are covered by cybersecurity programs could even provide a competitive edge over the short term, as the vast majority of businesses are only beginning to implement such programs. Being ahead of the curve puts organizations in an enviable position.
While being prepared for attacks doesn’t prevent them from happening, it does help targeted businesses react quickly and appropriately. In doing so, they demonstrate their earnestness, skill, and professionalism, all of which inspire trust among customers and suppliers.
Technology is developing rapidly, and new fields of expertise are emerging in both computing and engineering. As a result, organizations should secure the right skill sets to uphold system cybersecurity over time.
Standards in the field are also evolving. Staying abreast of regulations and certifications being adopted in the markets in which businesses operate helps them make sure that their systems are designed to meet upcoming cybersecurity requirements. It seems likely that regulations stemming from the ISO 21434 standard will be adopted progressively across North America. Businesses can draw from this standard to set up robust processes that ensure the highest levels of security.
In a similar vein, staying on top of legislative developments could lead organizations to make a real difference, or at least foster the adoption of secure practices. Keeping a log of cyberincidents is a good example. Beyond the documentary interest in strengthening organizational security processes, such logs could become standard in the near future. Canadian regulations are evolving, and Bill C-26 is set to make it mandatory for businesses to report the cyberattacks they fall victim to, replacing the current voluntary disclosure.
Anticipating the adoption of such rules and complying with them now, if not outright going beyond set security criteria, puts businesses one step ahead in a changing environment. Taking the lead could even help set them apart and give them a say as these new regulations are developed.
Cyberthreats are ever-shifting disturbance vectors businesses must learn to deal with. Cybersecurity is not an end in itself, but it is becoming one component of businesses’ operational and financial health, and ultimately, of their survival.
As with any threat or crisis, the degree of preparation is often an indication of how quick and efficient organizations will be in recovering and resuming normal operations. Businesses can adopt a preventive approach to cyberthreats and develop greater agility, making a major positive difference in the long run.