When you see the words “industrial cybersecurity,” often it’s in reference to industrial control system and network security. In other words, “industrial cybersecurity” tends to largely be focused on industrial networks and the devices connected to them.
But in a world where our interactions with these devices and networks are conducted via software applications, an equal amount of attention on the security of these apps is warranted. This is especially important given the explosion in industrial apps for mobile use that has occurred over the past decade.
A new report from Cisco AppDynamics looks at the challenges businesses face as application security moves into a more dynamic IT environment. The report—The Shift to a Security Approach for the Full Application Stack—notes that 92% of technologists admit that the rush to innovate rapidly since the start of the COVID pandemic has come at the expense of robust application security during software development. In the manufacturing sector, 89% agreed with this statement. In addition, 71% of manufacturing industry respondents say application security hasn’t kept up with the pace of application development.
The four biggest factors for attack surface expansion cited by manufacturing industry respondents to the survey are:
- Increased use of IoT/connected devices
- Rapid cloud adoption
- Accelerated digital transformation
- Working from home/hybrid working models
Other key manufacturing industry-specific findings from the report include:
- 56% of manufacturing industry respondents say they are overwhelmed by the volume of security threats and vulnerabilities to their organization.
- 44% think their team has the necessary skills to manage the application security threats they currently face.
- 65% feel the organization is vulnerable to a multi-staged security attack that could affect their full application stack in the next 12 months.
- 62% say current security solutions work well in silos but not together, and fail to give them a comprehensive view of their security posture.
- 93% say it’s critical/important to contextualize security in order to correlate risk and prioritize fixes based on potential impact.
- 17% say IT operations and security teams collaborate on an ongoing basis.
- 74% say a DevSecOps approach is critical to effectively protect against a multi-staged security attack on the full application stack.
- 38% have started using a DevSecOps approach.
According to Red Hat (a supplier of open-source software designed to work across platforms), DevSecOps is “an approach to culture, automation and platform design that integrates security as a shared responsibility throughout the entire IT lifecycle. To take full advantage of the agility and responsiveness of a DevOps approach, IT security must also play an integrated role in the full life cycle of your apps. In the past, the role of security was isolated to a specific team in the final stage of development. That wasn’t as problematic when development cycles lasted months or even years, but those days are over. Effective DevOps ensures rapid and frequent development cycles (sometimes weeks or days), but outdated security practices can undo even the most efficient DevOps initiatives.”
What DevSecOps means for industrial security
To get a better understanding of what this means for Automation World readers across industry verticals, we connected with Wes Sylvester, vice president of Cisco Industry Solutions Group.
Describing the difference between application security and network security, Sylvester said, “Application security protects source code and information assets at the software level. Networking security protects the overall infrastructure of the network. While there are key differences, it is important to remember that application and network security are connected. A vulnerability in the application could allow hackers access to the broader network and all other connected endpoints. On the other hand, a vulnerability in the network could give hackers access to applications running on that network and all data it’s collected.”
While securing both—apps and network—is clearly important, Sylvester stressed that the main point of focus should be on “knowing where your vulnerabilities are. This is why solutions that offer visibility across the entire network are becoming critical to maintaining ongoing business operations.”
In Cisco’s research for its new report, the company was careful not to ask about which apps were causing the most concern. Sylvester said Cisco did this so as not to pose any additional security risks to manufacturers. However, Sylvester pointed out concerns around several different types of apps used in the manufacturing space, such as those used for data collection, machine monitoring, proactive maintenance, digital workflows and employee engagement, as well as advanced apps using artificial intelligence and machine learning.
Another issue Sylvester stressed is the need for industrial companies to view cybersecurity beyond the traditional IT/OT (operations technology) perspective.
“When we are talking about security, absolutely everything is connected,” said Sylvester. “Security should be at the forefront of every network design, not patchworked in later. This is where DevSecOps is key.”
DevSecOps is an approach where application security and compliance testing are integrated throughout the software development lifecycle, rather than being an afterthought at the end of the development pipeline, explained Sylvester.
“Essentially, DevSecOps [development, security and operations] forces a shift from a siloed security approach to observing the full stack,” he said. “This allows vulnerabilities to be addressed across multiple applications throughout the network. The reality is that having OT and IT secured separately isn’t good enough anymore. DevSecOps helps bridge the gap, securing each device, endpoint and application from the ground up.”