The Siemens white paper, Cybersecurity in the dairy and soft drink industry, which can be downloaded here, looks at international regulations and minimising risk for businesses. This is a brief summary of its content.
All markets looked at in the report have similar frameworks for their regulations – a mixture of technical standards, obligations to report incidents, and monitoring of compliance with standards.
The plant operator is always responsible for IT security, and remains so even where plant operations are partially or completely outsourced rather than run by the company’s own personnel. Siemens describes cybersecurity as an ongoing process: regular risk assessments, the development and implementation of mechanisms to mitigate the identified risks, training to raise staff awareness, and procedures that are in place before a breach occurs.
Siemens identifies four types of cybersecurity risk and recommends a multi-layer approach, since attacks can come from inside and outside the company. It states that “Security measures must be as varied as the potential risks.” The four types are:
- Untrained attackers – looking for known vulnerabilities
- Trained attackers – e.g. ransomware attacks
- Industrial espionage – including former employees
- State-driven attacks – for financial gain or to destabilize regimes
Further threats to information security come from the physical environment itself (fire, flood, vandalism and so on), so protections need to be in place to prevent a loss of data should the IT system itself be damaged.
The need to access plant networks remotely has added further security pressure. The white paper calls for firewalls, the segmentation of systems so that a partial failure cannot turn into a complete one, continual monitoring, and strictly limited access to critical components.
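To make the segmentation and limited-access points concrete, here is an added illustration (it is not from the Siemens white paper and does not describe any Siemens product). It models a plant network as zones with a default-deny policy between them: remote users reach only a jump host in a DMZ, only that jump host may talk to the controllers, and nothing may initiate traffic into the safety cell. Running observed flows through the policy also shows the monitoring side, since every denied flow becomes an alert. The zone address ranges, the jump-host address, the port choices and the sample flow records are all assumptions constructed for the example.

```python
"""Zone-based, default-deny access policy for a segmented plant network.

Added example, not code from the Siemens white paper. Zones, addresses,
ports and the sample flows below are assumptions chosen for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed zones: office IT, a DMZ holding the remote-access jump host,
# the process-control cell, and a separate safety cell.
ZONES = {
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),
    "dmz":        ipaddress.ip_network("10.2.0.0/24"),
    "control":    ipaddress.ip_network("192.168.10.0/24"),
    "safety":     ipaddress.ip_network("192.168.20.0/24"),
}

JUMP_HOST = ipaddress.ip_address("10.2.0.10")  # assumed jump-host address


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    port: int
    src_host: Optional[ipaddress.IPv4Address] = None  # pin the rule to one host
    note: str = ""


# Explicit allow rules between zones; anything not listed is denied.
RULES = [
    # Remote engineers reach the DMZ jump host only, and only over SSH.
    Rule("enterprise", "dmz", "tcp", 22, note="remote access terminates on jump host"),
    # Only the jump host itself may speak S7comm (TCP 102) into the control cell.
    Rule("dmz", "control", "tcp", 102, src_host=JUMP_HOST, note="jump host to PLCs"),
    # Controllers push data to a historian in the DMZ over OPC UA (TCP 4840).
    Rule("control", "dmz", "tcp", 4840, note="historian collection"),
    # No rule at all targets the safety cell: nothing may initiate traffic into it.
]


def zone_of(addr):
    """Map an address to its zone name, or None if it is outside every zone."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def evaluate(src, dst, proto, port):
    """Return (decision, reason) for one flow under the default-deny policy."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return "deny", "address outside every known zone"
    if sz == dz:
        return "allow", "intra-zone traffic"  # assumption: each cell is flat inside
    for r in RULES:
        if (r.src_zone, r.dst_zone, r.proto, r.port) == (sz, dz, proto, port) and (
            r.src_host is None or r.src_host == ipaddress.ip_address(src)
        ):
            return "allow", r.note
    return "deny", f"no rule for {sz}->{dz} {proto}/{port}"


def audit(flows):
    """Run the policy over observed flows; each denied flow becomes an alert."""
    alerts = []
    for flow in flows:
        decision, reason = evaluate(*flow)
        if decision == "deny":
            alerts.append((flow, reason))
    return alerts


# Constructed sample flow records: (src, dst, proto, dst_port).
SAMPLE_FLOWS = [
    ("10.1.5.20", "10.2.0.10", "tcp", 22),          # engineer -> jump host
    ("10.2.0.10", "192.168.10.5", "tcp", 102),      # jump host -> PLC
    ("10.1.5.20", "192.168.10.5", "tcp", 102),      # engineer straight to PLC, bypassing the jump host
    ("10.2.0.33", "192.168.10.5", "tcp", 102),      # another DMZ machine -> PLC
    ("192.168.10.5", "192.168.20.7", "tcp", 102),   # control cell -> safety cell
    ("192.168.10.5", "192.168.10.6", "udp", 34964), # PLC to PLC inside the cell
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print("ALERT", flow, reason)
```

Three of the six sample flows are denied: the direct engineer-to-PLC connection, the connection from a DMZ machine that is not the jump host, and the attempt to reach the safety cell. Pinning the control-cell rule to one source host is what turns "remote access is allowed" into "remote access is allowed only through the one path we monitor", and the empty rule set for the safety cell is the segmentation that keeps a compromise elsewhere from reaching it.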
Siemens points out that “The best technical and organizational security measures are useless if a company’s employees are negligent.” The white paper advises that responsibility for the cybersecurity of the business should be clearly assigned and that regular training should be undertaken.
An emergency plan should be in place for the company in the event of a hack or the discovery of a security breach.