Analysis of Cybersecurity Risk for Factory Systems
Abstract
As the digitization of factory systems progresses and the number of digital connections between factories increases, cybersecurity risks throughout the supply chain also increase. In fact, there have been many cases where factories have stopped due to damage from ransomware. Large companies can secure the budget and personnel for cybersecurity, including outsourcing. However, almost all small and medium-sized enterprises (SMEs) have difficulty securing them. In this paper, we used a web diagnostic tool for simple risk assessment of factory systems, built on the checklist for understanding the rough risk posture in the appendix of "The Cyber/Physical Security Framework for Factory Systems" formulated by the Ministry of Economy, Trade and Industry in November 2022. After analyzing the evaluation results and interviews with 170 companies collected through the survey, we analyzed the common challenges in promoting security measures for the factory systems of SMEs. Several cybersecurity guidelines for industrial control systems in factories have already been published, such as the IEC 62443 series and the NIST Cybersecurity Framework. However, they are too time-consuming and difficult for SMEs to use, because these guidelines have over 100 requirements and need specialized people who understand both cybersecurity and industrial control systems well. Therefore, we have developed an easier risk assessment tool based on only 32 requirements. The tool was designed to visualize the rough risk posture of factory systems by scoring (20%-100%) the achievement of each requirement. In our previous work (under peer review), we also assigned a risk weight to each requirement to adjust for differences in its effectiveness for risk mitigation. According to the web tool survey results, more than 80% of SMBs found it inadequate to mitigate cybersecurity risks.
We categorized the cybersecurity risks into four pillars: “People”, “Process”, “Technology”, and supply chain risk management of assets in the factory system (“FA SCM”). We saw some common results in each category. “People”: no awareness among executives and stakeholders, no governance or organization, no collaboration between IT and factory organizations, and no educational content for mitigating risk in the factory. “Process”: no risk assessment, no asset management for factory systems, no security policies or rules, and no procedures or backup assets for incident response. “Technology”: some countermeasures, such as firewalls and endpoint security solutions, are installed but not managed well; there is no network segmentation and no log management; physical security is well done. “FA SCM”: no management of system integrators and asset vendors, and no procedures for mitigating cybersecurity risk in the procurement of FA assets. We also found that the “People” factor is the root obstacle, because the lack of dedicated cybersecurity personnel in a factory organization causes insufficient risk mitigation in the other three categories. If SMEs need people in charge, it is essential for executives to commit to investing in human resources. In future work, we plan to analyze the results further and build a standardized approach to cybersecurity for the factory systems of SMEs.
Keywords: Operational technology (OT) security, Risk analysis of cybersecurity for factory system, Risk assessment tool for factory system
DOI: 10.54941/ahfe1004251
AHFE Open Access