Simple Solutions That Work! Issue 16
Foundries must take a universal approach to Industry 4.0 cybersecurity; a policy method that includes people, process and technology. They must develop a security plan and identify the biggest risks to the foundry operations referred to previously. Some of the questions include:

• What practices/procedures/equipment can affect foundry processes?
• What will happen if a practice/procedure/equipment fails?
• What is required and how much time will it take to restore the failure?
• Is our network safe?
• Is our intellectual property safe?
• Is our supply chain safe?
• What do we do next?

Creating a traditional risk assessment matrix is a good way to plan for failure. An example is:

Once the matrix is completed for all foundry operations, real-time events can be in an OT report that states risk. Then clear guidance on how to improve foundry procedures and safely implement Industry 4.0.

Although in no particular order of importance, some of the weaknesses found in my company’s operations are:

• Lack of awareness among the workforce - We have no formal cybersecurity training program. Individuals who have a company-owned PC are verbally instructed on the do’s and don’ts, but it is very informal.
• Inadequate protocols and standards - This point relates to the first point, yet management has done little to improve standards. Management must be involved, take the lead and set the tone.
• Poor firewall configuration or unmanaged remote access - We have good firewall protection, but our remote access protection is average. We have customers who sometimes give us remote access to their PLCs for remote troubleshooting.
• Use of USB devices, internet, and handheld devices - We have some rules about cell phone use, but they are nearly impossible to enforce. Now that smartphones can do anything including business email and networking, risks increase. In Industry 4.0/IIoT, foundry machines will be communicating with maintenance manager’s devices about prescriptive maintenance. As this practice grows in popularity, network protection must be considered.
• Improper backups - We had a server crash only to discover that the backup drive had been inoperative for several months. We sent the drives to a repair/recovery company with about 65% success. The rest was lost.
• Poor malware protection - There are 100s of malware applications on the market today. One problem experienced in my company is that users discontinue malware protection with the excuse that “it slows my computer down too much.” Another good protection from malware is very high-quality daily backups.

Now that risks have been identified, we must develop security procedures. Due to the critical nature of cybersecurity, the Cybersecurity and Infrastructure Security Agency (CISA) was created by the Federal Government. Their catalog is available at https://www.cisa.gov/publication/cisa-services-catalog

In addition, on 12/04/2020 Congress passed Public Law No: 116-207, “The Internet of Things Cybersecurity Act of 2020.” This bill requires the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) to take specified steps to increase cybersecurity for Internet of Things (IoT) devices. IoT is the extension of internet connectivity into physical devices and everyday objects.

Other frameworks and standards such as IEC 62443, ISO 27001 and 27002, NIST Special Publication 800-82 and the NIST Framework for Improving Critical Infrastructure Cybersecurity have been created as guides.

While both IT and OT are important, foundry managers must make a clear distinction between IT and OT management. This can be difficult in that IT and OT priorities are sometimes different.