OT risk assessment for multinational manufacturer: DNV Cyber assisted transition to cyber resilience
OT risk assessment for multinational manufacturer: DNV Cyber assisted transition to cyber resilience
The manufacturer wanted to understand the vulnerability of its operational technology (OT) assets to cyber attacks.
DNV Cyber conducted a risk assessment programme across multiple sites.
The assessment provided information and tools for understanding and responding to the sector and customer’s cyber risks.
This project was delivered by Applied Risk, a DNV company. DNV, Nixu and Applied Risk joined forces to form DNV Cyber in 2024, creating one of Europe’s fastest growing cybersecurity services businesses.
A multinational manufacturing company had two reasons for wanting to understand the vulnerability of its operational technology (OT) assets to cyber attacks. On a macro level, it was aware that organizations in the same industry had experienced security breaches, and its directors were keen to determine whether the company as a whole was vulnerable to similar attacks.
On a more granular level, it sought to understand the level of risk it might face because of the maturity of the cybersecurity controls of its existing OT systems and components.
DNV Cyber was able to respond to the company’s needs by launching a risk assessment programme across various sites. The assessment also enabled the manufacturer’s various stakeholders to understand the nature and scope of the challenges facing the sector.
The programme was supported by the leaders of the company’s engineering and IT divisions, with the latter recently having been tasked with overseeing OT systems. It was also favoured by the head of the company’s cybersecurity team, which was responsible for integrating security solutions into systems overseen by the IT division. It was strongly endorsed by the company’s head of automation, who proved to be an influential advocate once the programme was underway.
The company cited three reasons for choosing the programme over its competitors:
Focus on OT security and engineering practices
Thorough understanding of the differences between IT and OT systems and how cybersecurity controls need to be adapted for the differing environments
A wide range of skills and solutions and an agnostic approach.
The manufacturer gained a repeatable cybersecurity process.
DNV Cyber identified the vulnerabilities within the OT systems.
Stakeholders combined to make cybersecurity policy for the whole company.
Manufacturer faced five key cybersecurity challenges
From initial discussions, it was clear that customer’s primary focus was production, with security considerations typically outweighed by concerns about downtime.
Managers and executives had only recently become aware of the risks facing OT systems, so were not accustomed to thinking of them as targets.
Budgetary constraints existed because profit margins were falling in manufacturing. The push for cost-cutting led many departments to cut back on security as they reduced the scope of ongoing and future projects, as well as planned upgrades.
The manufacturer’s OT landscape included multiple sets of control systems. Some were legacy technologies that could not easily be updated to meet current security standards and/or were not compatible with the security solutions used in the company’s other facilities.
The OT systems received support and upgrade services from third parties, so on-site technical knowledge was often limited. Since these third parties did not always provide security management for OT systems, on-site familiarity with cyber security was also limited.
I think we all have a better picture now of what steps we can take to ensure business continuity while also sharpening our technological edge.
Managing Director of manufacturing company
Assessing cyber risk and future-proofing cyber resilience
Working closely with the customer, a high-level risk assessment determined the business, reputational, and health, safety and environment impact in the event of system compromise or failure, and the likelihood of this happening. The risk assessment aimed to identify the worst-case unmitigated risk to the System under Consideration (SuC), and the residual risk after implementing barriers. The assessment required participation of stakeholders from engineering, functional safety, IT and the business disciplines.
The output of the assessment was used as input to the grouping of assets into zones and conduits and the detailed risk assessments which covered the ‘as-is’ situation and recommended zoning and conduits based on IEC 62443, the leading industry standard for securing industrial control systems. Applying a holistic approach to cover all risk areas including people, process, and technology, the assessment:
Defined at a holistic level the worst-case cyber threat scenario based on inputs such as the corporate risk matrix and business impact assessments.
Defined the business criticality/consequence of the worst-case scenarios, complemented by using relevant inputs from the safety discipline work related to HAZID and HAZOP activities.
Described which OT systems and packages had critical functionality required to implement the safety systems and barriers, and defined the generic independent layers of protection for these systems.
Defined the likelihood of the worst-case scenarios.
Based on previous steps, conducted a relative risk ranking of unmitigated risks relating to the SuC’s systems/packages.
