Awareness of cybersecurity best practices by all employees and role-players and having a zero-trust mindset are important to protect infrastructure and industrial facilities and make them more resilient against cyberattacks, Internet protocol camera manufacturer Axis Communications engineering and training manager for Middle East and Africa Rudie Opperman says.

"It is not only about technology, software and the cyber-readiness of devices. Focusing on processes, procedures and employee awareness is as important," he tells Engineering News.

Cyberattacks on industrial information and communication technology are happening worldwide, impacting on industries and critical infrastructure and causing disruption in some cases.

"Whether an oil pipeline or water infrastructure, these types of attacks are happening across the world. The malicious actors are varied, the cybercrime industry is vast and the attacks are increasingly sophisticated.

"Responding to these threats is multifaceted, and building resilience in all elements of the environment relies on all role-players doing their part," he says.

For example, for Axis Communications, it starts by having a robust cybersecurity posture or strategy, which requires it to take due care when sourcing its components and designing and making its equipment.

"We design our hardware with cybersecurity in mind, such as by having encrypted devices, all communications being encrypted, and the platforms that manage our intelligent devices being secure by design."

Each role-player in industrial ecosystems must have a firm cybersecurity posture at the start of any implementation and must, at a minimum, meet required cybersecurity regulations and standards.

"Companies have varying resources to dedicate to cybersecurity. While larger companies may have more resources to deploy, and smaller companies can adopt different strategies, including using service providers, every company must do its bit and insist that its suppliers and service providers do the same," says Opperman.

Further, as devices become more intelligent, they add greater value and become more valuable targets, hence the need for companies to have cybersecurity policies and procedures in place, which must be regularly updated.

"New technologies are leading to new types of attack, while intelligent, secure-by-design devices are helping to defend industrial facilities. All parts of industrial ecosystems should aim to constantly improve to resist new attacks and threats."

Additionally, industrial networks and ecosystems must be secure and each component must securely co-exist with others and support broader cyber resilience. This is partly addressed by each company implementing fundamental cybersecurity standards, such as encryption of devices and communications over networks.

However, securing industrial ecosystems relies on all parts of the ecosystem insisting on and implementing cybersecurity processes, as well as communicating with the ecosystem to meet and then exceed regulations and requirements, he notes.

"For example, our devices can only boot up with authentic firmware installed and we use safely stored encryption keys that we use to sign our videos so that it can be proven that a video was generated by a particular device and has not been altered," says Opperman.

He acknowledges that employees may become frustrated with the additional administrative burden of cybersecurity, such as multifactor authentication and automatic sign-out when inactive.

"This is where creating awareness among everyone in the company about their role in ensuring cybersecurity is important. Also, companies should acknowledge and explain that employees will need to take extra steps to access their tools, and the reasons for them."

The IT department may, for example, be implementing minimum requirements and employees must understand their own roles and requirements in ensuring industrial cybersecurity, he adds.

"Critical infrastructure is the lifeblood of countries, and the health of countries is defined by the health of their critical infrastructure. Public and private cooperation to protect this infrastructure is something that should be promoted and grown.

"Private companies have the experts and cutting-edge knowledge. Working with governments and State-owned enterprises, they can ensure this infrastructure gets the support and cyber protection it needs," Opperman says.

"We are seeing more of this and it is good news, but more must be done to embrace and promote this approach to protecting vital infrastructure."