Development of Approach for Improving Cybersecurity Governance for Factory systems

Open Access
Article
Conference Proceedings
Authors: Hiroshi Sasaki, Kenji Watanabe, Ichiro Koshijima

Abstract: As the digitization of factory systems progresses and they become mutually connected, cybersecurity risks throughout the supply chain also increase. In fact, there have been many cyber incidents in which factories have stopped because of ransomware damage. Large companies can secure the budget and personnel for cybersecurity, including outsourcing; however, almost all small and medium-sized enterprises (SMEs) face difficulties in securing them.

In this paper, we focus on how to improve governance for factory systems, because our previous research revealed that this is the most critical challenge for SMEs in reducing the cybersecurity risk of factory systems.

In previous work, we developed an easier risk assessment tool consisting of only 32 requirements, based on the Japanese government guidelines for factory systems. The results of a web survey of 225 factory sites using this tool showed that more than 80% of the SMEs have inadequate measures to mitigate cybersecurity risks. We categorized the cybersecurity risks into four factors: "People", "Process", "Technology", and supply chain management of assets in the factory automation system (FA SCM). Common findings from the follow-up interviews show that the "People" factor, consisting of governance and awareness, is the root obstacle behind the insufficient measures. We therefore decided to clarify how to improve the "People" factor for SMEs.

To achieve this, two common challenges identified in our analysis of the interviews must be overcome:
- No risk assessment of the factory systems that would give the stakeholders (executives, IT people, factory people) a common understanding of the risk posture
- No governance organization structure

Usually, SMEs install measures by following the existing guidelines without considering their own risks, so the measures become a mere shell. Our approach addresses this failure.

To address the first challenge, we developed an easy risk assessment workshop for factory people inspired by "Consequence-driven, Cyber-informed Engineering" (CCE) by Idaho National Laboratory, which was originally developed for the engineering of critical infrastructure systems. Its concept is very simple: start from the impact of the most undesirable events, such as an explosion, loss of quality control, or a production outage, which can be easily understood by SMEs with insufficient cybersecurity knowledge. We conducted the workshop with people from several factory sites and succeeded in clarifying the business risks in their factory systems.

The second challenge is also important for the "People" factor, because SMEs need to build a management system that continuously mitigates the risks identified in the workshop. We applied the COBIT5 governance framework for enterprise IT to the management system for factory systems. The beauty of COBIT5 is its separation of governance from management. We used this concept for factory systems and determined a reference architecture for an organization, arranged according to the roles in the normal and emergency states.

In conclusion, we developed an effective approach to improving governance for factory systems in SMEs. Our tools will be available on GitHub soon after the paper is published. We plan to continue to investigate how SMEs can improve their cybersecurity readiness along the 32 items of the Japanese guidelines.

Keywords: Operational technology (OT) security, Cybersecurity governance for factory systems, COBIT5, Consequence-driven, Cyber-informed Engineering (CCE)

DOI: 10.54941/ahfe1004781
