
Working on your cyber resilience

With the war in Ukraine and Russian hostility, cyber resilience is more important than ever before. Digital attacks on targets in the ports of Rotterdam and Antwerp are to be expected, according to several experts. Therefore, it is crucial to prepare for them. Director Evelien Bras of FERM explains in this article what companies can already do now, and Jeroen van Hardeveld of Bilfinger Tebodin talks about the services Bilfinger is developing in this area.

For starters, Evelien Bras does not have a reassuring announcement for companies in the process industry. 'The number of cyber attacks is high. If you count every attempt to enter a company network as an attack, large companies in the Rotterdam port area have more than a hundred thousand of them per year. That includes phishing emails, which are sent in large numbers in an untargeted manner. Even if you're talking about attacks on an SME, you can assume an average of twelve a day. So you shouldn't wonder why you would be attacked, because it just happens, even if you are not a specific target. It's better to ask yourself what risk you run if someone comes in, and prepare for that.'

 

Losing reliability

Especially for an industrial company, your reliability is the biggest asset you can lose, Evelien argues. 'Anyone can be attacked. But it's hard to explain if you haven't thought about what to do. Your actions during a cyber attack determine the trust your environment has in you.' That's why Evelien recommends including a cyber attack in your regular program of security drills. 'For an industrial company, the biggest risk is the mixing of IT and plant control, also called OT. Can you cut that loose, mitigate the attack and revert to manual control in an emergency?'

 

Fort Knox

With that, she is certainly not advocating less IT. 'Especially given the developments in the labor market, I think we should fully commit to as much digitization as possible. That trend is irreversible. But do it safely. Basic principles here are: watch out for phishing and scamming. Install timely updates and patches, and segment your IT and OT systems. As with fire safety, compartmentalizing your systems is also essential, so you can always isolate an infected area. And secure your process technology like Fort Knox!'

 

Connect

Cyber security is increasingly becoming a management issue. Rightly so, thinks Evelien, 'because it's about continuity and reputation. You have to weigh the risks carefully. Because what a technical department might see as an acceptable risk, the legal department might see very differently. So make a plan and include which dials you want to be able to turn as management. Which contract can I continue to execute? Which stakeholders do I need to inform? And keep up, developments are moving fast. In that respect, as a company in the Rotterdam port area you can join FERM. That offers a number of advantages. We share best practices, we have threat information from governments and you can spar with us about cyber resilience.'

 

Standard for cyber security

To help companies with their cyber resilience, Bilfinger Tebodin is developing a number of services. Jeroen van Hardeveld says, 'With us, this development arose from our years of experience with risk analyses in the process industry and integrating Safety Integrity Systems (SIS) into the process. That is about functional safety of a process. It is built independently and alongside the process control system to bring the process to a safe state, even if the control system should fail. Meanwhile, the standards for this have evolved. For example, the current standard IEC 61511 states that you must include cyber security in the design of the SIS. And there is new legislation coming up that companies in the process industry will have to deal with. That's the EU's NIS2 directive. This directive tightens some obligations and more sectors are going to be covered by the EU NIS2 directive.'

 

New regulations

More and more companies will have to comply with these regulations. 'And I don't rule out that the new law will be accelerated or expanded more quickly to other sectors, given the growing threat,' Jeroen says. Companies need to prepare for the fact that significant investment in cyber security will be required. 'You have to remember that, as a rule, a factory is built for a lifespan of 20-25 years. So many factories are still running on old systems from around the year 2000. By way of comparison, in that year you still worked on your PC with Windows 98 or Windows XP. That poses irrevocable risks. Because in addition to those outdated systems, many factories, consciously or unconsciously, have links to the Internet. For example, a supplier may once have built in a GSM modem to enable remote maintenance. That has advantages, but also risks.'

 

Risk analysis

Bilfinger Tebodin is therefore developing and offering new services. Jeroen: 'First, we help companies with a risk analysis. In this we not only map out the risks but it is also an obligation from the new NIS2 directive. And we can make a business continuity plan for companies. In this you lay down exactly what you are going to do if an unexpected intruder does get into your system. For example, we create a scenario to get back up and running safely as quickly as possible. Moreover, we will think along about the network structure of the control system. And about the physical design of your security: for example, should we secure some network cabinets with an extra key? Is there a working access system?'

 

Maintenance plan

So companies will have to make adjustments to their OT a part of the maintenance plan. 'Start with an inventory of what you have,' says Jeroen. 'What PLCs do you have in the plant, what servers do you have, and what operating systems do they run on? How are they connected, who has access to the systems and what are the remote access agreements? The next step is to see what needs an update. Both in terms of systems and policies. In all these steps, Bilfinger Tebodin can help. From designing a new system to assisting with the necessary changes to your existing systems and making sure you have the right documentation.'

 

National Cyber Security Center

More tips and advice: https://english.ncsc.nl/
