The gap between IT and OT remains as wide as ever. Cyber4Industry considers the level of maturity to be “catastrophic.”
The digitization of industry has significantly increased the attack surface of industrial systems and, inevitably, the number of security incidents is growing. Explanations from Gregorio Matias.
“Today, securing industry means ensuring that IT and OT converge by speaking the same language. Unfortunately, given the level of maturity in cybersecurity in industry in general, we are still a long way off!”
It has often been mistakenly thought that the less computerized world of industry could slip through the cyber net, explains Gregorio Matias, CEO, MCG. “Nothing could be further from the truth. These two worlds are now fully interconnected and interdependent, particularly when it comes to IT security.”
To meet the IT/OT challenge, MCG and AgiNTech joined forces in 2022 to found Cyber4Industry. Their mission: to ensure the continuous protection of production lines with cybersecurity solutions adapted to different environments. In a nutshell, to “reconcile” two worlds that do not understand each other.
Industry 5.0: putting people back in the picture
There is a sense of urgency. Everywhere, we are seeing an increase in security incidents directly linked to the digitization of industrial facilities. “Long connected internally, automation systems now communicate with the outside world; exchanges between production and management will become increasingly frequent. More than attacks on the industrial system, these are often attacks that rebound and affect the management system. However, these interactions between IT and OT are increasingly necessary to exchange production data with the ERP, implement predictive maintenance, or even send data to the cloud.”
Industry 4.0, Industry 5.0… Digitalization is spreading. And it is accelerating with the adoption of IoT, the cloud, and now AI. “This transformation broadens the attack surface and creates greater interdependencies and relationships between stakeholders with an interest and responsibility in securing critical infrastructure.”
The challenges of IT/OT convergence
However, even though the exposure surface has expanded considerably, industrial systems are often outdated. How many PLCs and SCADA control systems were installed twenty or more years ago? How many production sites are still running Windows XP?
“Industrial systems were often designed before cyber risk was really taken into account. And even though the Stuxnet attack in 2010 gave pause for thought, the industry as a whole is slow to react!”
For Gregorio Matias, two worlds are unwittingly at odds with each other. Within the same company, IT teams focus on cybersecurity and data confidentiality, while OT teams prioritize personnel safety and the availability of industrial equipment. “Add to that a language barrier between IT and OT teams, and you have all the ingredients for a ticking time bomb.”
NIS2, training, awareness…
In the meantime, NIS2 has arrived. The European directive significantly strengthens industrial cybersecurity by expanding the sectors covered, imposing stricter risk management measures and incident reporting obligations, and extending requirements to the entire supply chain. Clearly, NIS2 will have a ripple effect between large contractors subject to European regulations and their subcontractors.
It is therefore absolutely crucial to raise awareness and train staff in detecting cyberattacks. “Operators know their machines and are fully aware of how their tools normally react,” insists Gregorio Matias. “The challenge now is to raise their awareness of cybersecurity issues. An informed person is worth two. And I think this is a point that ties in with the principles of Industry 5.0, which emphasizes collaboration between humans and machines.”