Secure supply chains are crucial to the industrial sector’s cyber defence
Significant advancements are being made to digitalise and automate industrial operations. Critical infrastructure is becoming more and more digitally connected to make society safer, bring down costs and increase efficiency. But digital transformation carries emerging risks. Rising geopolitical tensions, war in Europe, a cost-of-living crisis, energy supply shocks and widespread food insecurity are shining a light on just how vulnerable critical infrastructure is the more connected it becomes.
Cyber threats to industrial facilities are becoming more common, complex, and creative as operational technology (OT) – the control systems that manage, monitor, automate and control industrial operations – is increasingly networked and connected to IT environments. The manufacturing sector recently became the world’s most cyber-attacked industry for the first time, according to IBM’s 2022 X-Force Threat Intelligence Index. Other industrial sectors, including energy and transport also appear within the top ten.
Production shutdowns, safety incidents, process disturbances and other service disruptions are all potential consequences of a cyber-attack on industrial operations. Life, property and the environment are at stake.
It’s no surprise, then, that cyber security is rising up the boardroom agenda in industrial sectors. Cyber security risks are now business risks, and business leaders are recognising that cyber security is a pre-requisite for digitalisation and automation excellence.
The supply chain security challenge
Industrial companies’ investment in cyber security is now increasing. More focus is being placed on identifying where companies are vulnerable to attack, and putting the people, process, and technology measures in place to defend their IT and OT environments. But all this effort will make no difference if the security posture of a company’s supply chain is not equally strengthened.
Companies can have complete oversight of their own vulnerabilities and have all the right measures in place to manage the risk, but this doesn’t matter if there are undiscovered vulnerabilities in their supply chain. One issue can escalate or ‘domino’ into many others. The supply chain is a very attractive target for cyber criminals because it potentially provides a single-entry point to multiple companies’ environments.
Supply chain security risks have not gone unnoticed by OT security professionals. The majority say their organisations are at risk because of their inability to ascertain the security practices of relevant third parties and to mitigate cyber risks across the OT external supply chain, according to research conducted by Applied Risk, a DNV company, in 2021.
Many suppliers and manufacturers of equipment integrated within OT systems simply lack the people, processes, and technologies to demonstrate the cyber security of their products and services. By adopting a cyber security programme, investing in training of the workforce and following a Secure Software Development Life Cycle (SDLC) process, the risk of security vulnerabilities in products in production can be improved.
Vendors’ systems used to be standalone. Now, they are increasingly connected within IT/OT systems internally and externally in much larger critical infrastructure ecosystems.
Applied Risk’s study found that only a third of OT security professionals say their organisations conduct regular audits of their main suppliers, and just a quarter (27%) conduct due diligence prior to contracting with new suppliers.
Companies with industrial operations need to pay greater attention to assuring that equipment vendors and suppliers demonstrate compliance with security best practice from the earliest stages of procurement and throughout the lifecycle of a project. Strengthened data management securing information and data sharing between suppliers, customers and other partners, limited access to critical assets – next to implementing monitoring and threat detection systems – improve supply chain cyber security by mitigating the risk of cyber-attacks. And if things go wrong, have an incident response plan in place to manage the threat and act fast.
Time to take action
It is now time for both industrial operators and their suppliers to face these challenges head-on. Increasingly, suppliers must assure themselves that they have the right measures in place to defend their products and systems from cyber threats. They must also be in a position to demonstrate their security posture to companies procuring from them.
The overriding principle to mitigate against assets and operations being compromised by a cyber-attack is to protect, detect, respond and recover. This is in line with industry best practice including the National Institute of Standards and Technology’s (NIST) cyber security framework.
The Centre for Internet Security (CIS) sets out benchmarks for vendor product families to help protect systems against threats more confidently while The Open Worldwide Application Security Project (OWASP) Foundation provides free online resources for web application security.
For many organisations, however, the challenge in ensuring cyber resilience is understanding and identifying where their vulnerabilities are. By having a clear overview of attack surfaces and potential entry points, you can prioritise the vulnerabilities and non-conformities that must be addressed. Robust and often straightforward mitigation measures can be put in place to address most vulnerabilities.
When it comes to demonstrating security posture, it pays for suppliers to be able to prove that they conform to a growing number of industry standards and practices. These standards include IEC 62443, the international series of standards that address cyber security for operational technology in automation and control systems, and ISO 27001, the standard for information security management systems and their requirements.
Recommended practices are also available to help companies on their path to compliance with industry standards. For example, DNV’s Recommended Practice DNV-RP-G108 provides best practice on how to apply the IEC 62443 standard in the oil and gas industry.
Help is at hand from industrial cyber security specialists, including DNV, for those companies who don’t have the in-house expertise to undertake this work themselves. They can help to identify which standards are most relevant to comply with, uncover companies’ compliance status, what outline what needs to be done to achieve compliance before helping to put mitigating actions in place.
For companies procuring products and systems from suppliers, we recommend that supply chain audits and vendor cyber security requirements are implemented during procurement, installation and operation of equipment, systems, and software. By defining requirements up front, and regularly reviewing suppliers against those requirements, understanding the supply chain’s cyber security posture becomes less of a black box. Vulnerabilities can be more easily identified. Mitigating actions can be undertaken more collaboratively. Assessments should be undertaken continually, rather than periodically, to ensure resilience against new and emerging cyber-attack vectors.
Tighter regulation on the horizon
Companies with industrial operations who have not yet put their own cyber security and that of their supply chain on their to-do list may be incentivised to do so by tightening regulation. For example, organisations providing essential services (including energy, drinking water supply, transport, healthcare and more) in the European Union (EU), will soon face tougher cyber security regulation than ever, with the threat of more and greater fines and/or withdrawal of license to operate if they do not comply.
The revised NIS2 Directive strengthens cyber security requirements on companies, introducing top management accountability for non-compliance and streamlining reporting obligations. Crucially, the Directive also puts more focus on cyber security of supply chains.
The NIS2 Directive suggests forcing individual businesses to address cyber security risks in supply chains and supplier partnerships to address the security of these ties. The idea is that it will improve supply-chain cyber security for important information and communication technology at the European level. Building on the successful strategy used in the framework of the European Commission’s Recommendation on Cybersecurity, Member States may conduct coordinated risk assessments of vital supply chains in collaboration with the Commission and the European Union Agency for Cybersecurity (ENISA).
The revised Directive on Security of Network and Information Systems (NIS2) to come into force in January 2023. Member States have until October 2024 to homologate NIS2 into national legislation and while it is estimated that organisations within NIS2 scope will have to start complying by mid-2024 with relevant national laws.
Organisations in industrial sectors should now think about NIS2’s scope and if their operations fit within it. An organisation should consider the organisational, financial, and technical actions that will be necessary to get ready for NIS2 compliance if it looks likely that they will fall under the new legislation’s purview. For instance, the European Commission anticipates that organisations’ ICT security spending will increase by up to 22% in the first few years following the introduction of NIS2.
In-scope organisations should also monitor how NIS2 is implemented in the important EU jurisdictions where they conduct business.
If you think your organisation might fall under the scope of the NIS2 Directive, my advice is to get advice. DNV’s white paper on the Directive is a great starting point for identifying what new cyber security laws mean for industrial companies in Europe, and what you need to do to get ready to comply.
Jalal Bouhdada, Global Cyber Security Segment Director, DNV
Subscribe to the free Maintworld newsletter here!
Why companies are moving to condition-based maintenance
Every day experienced and capable people are trying to second-guess the maintenance requirements of the machines that populate their plants. The reason is simple: an effective maintenance program increases uptime, decreases maintenance costs, reduces unplanned outages, and extends the lives of assets. In today’s highly competitive market, companies of all sizes are looking for ways to run a leaner and more efficient operation.
An effective maintenance program must include a way to collect and analyse vibration data. After all, vibration matters wherever critical motors exist.
Critical motors can be found in just about every manufacturing plant and facility. As an example:
• Food and beverage plants often operate on tight margins. That can make reliability maintenance a challenge to implement, especially since these facilities are interested in training and the ability to scale to cover critical assets.
• Automotive manufacturing operations often have larger reliability teams and stronger buy-in for downtime prevention.
• Machinery manufacturing plants vary in their approach to reliability, but condition monitoring applications are getting faster.
All these industries share the objective of integrating data and analytics into their maintenance programs to transform them into reliability programs. The right program increases equipment availability and performance by identifying and removing the cause of potential failures. Reliability programs can significantly reduce the possibility of failure and its impact.
Some of the frustrations with current condition monitoring solutions include a lack of high-precision, in-depth intelligence, time-consuming, complex installation and setup, limited diagnostic range and service offerings which increase total cost of ownership.
In addition, some condition monitoring solutions can be hard to scale to multiple assets and data sets for individual products are often siloed which leads to systems detecting only one type of fault. Wired and wireless-only sensors are often incompatible with plant network infrastructure resulting in reams of unusable data.
As maintenance is a means to operate safer and more efficiently, industrial plants across the globe are taking a more proactive approach by moving away from simply responding to the crisis of the day. Today, the immediate goal is to find and fix problems before there is a breakdown. The long-term goal is to drive business value.
The value of condition-based maintenance
Monitoring and studying the trends of machine health are staples of predictive maintenance. However, condition-based maintenance (CBM) is a better term because no one can predict when a machine will fail. CBM uses machine condition data, contextual data, trends, analytics and knowledge of specific machines to determine how machines are performing.
Wireless vibration sensors for vibration screening and analysis are one of the most powerful ways to enact CBM. Monitors like the new Fluke 3563 Vibration Analysis Sensor are attached to critical machines to track vibration data over time and identify faults. Using accelerometers, vibration monitors measure changes in the amplitude, frequency and intensity of vibration. When combined with the LIVE-AssetTM Portal software, teams can spot patterns, receive alerts about anomalies and compare measurements.
While critical machines benefit from more powerful vibration analysis sensors that provide in-depth data to help determine the nature of a problem, the new Fluke 3562 Screening Vibration Sensor is an effective way to track semi-critical machines. The Fluke 3562 is a battery-less sensor that runs on power provided by either a thermoelectric or photovoltaic energy harvester. The screening sensor collects snapshots of data, such as vibration levels, temperature and humidity, and trends the nine highest FFT peaks by magnitude. Taken together, vibration screening and analysis combined with software, create a powerful condition monitoring solution that detects if machines are functioning correctly.
Using condition monitoring to inform CBM
CBM is based on machine condition data that can be read by condition monitoring devices or transmitted by sensors connected to the machine. The advantages of this approach include:
• Always-on asset monitoring: When internet-enabled devices are connected to software, measurements are automatically aggregated around the clock. Data is stored in the cloud, assigned to assets, and organised for users to review.
• Faster identification of the root cause of a problem: Teams can swiftly troubleshoot assets using different condition monitoring devices and compare measurements over time to quickly pinpoint anomalies.
• Monitor equipment safely from anywhere: Wireless sensor measurements are automatically sent to the cloud without human intervention, enabling teams to access data remotely on smart devices.
Creating a connected reliability program
CBM is part of a complete connected reliability program. Fluke Reliability supports companies by building data systems that provide cost-effective maintenance and reliability. The company’s products keep customers informed about their assets’ health with advanced software solutions and services driving better maintenance decisions, such as improving productivity, increasing uptime and reducing costs.
Ankush Malhotra, President at Fluke Reliability
Subscribe to the free Maintworld newsletter here!
Strategic view of asset management – managing emerging trends and perspectives
Many trends and perspectives impact how asset management strategies are formulated and implemented. My thesis, “Supporting strategic asset management in complex and uncertain decision contexts,” explored this topic and won the EFNMS 2021 Ph.D. Award competition. Due to covid, the official award ceremony was postponed to the Euromaintenance conference that will be arranged in April 2023. Currently, the key topics of the thesis are increasingly crucial for organizations.
ISO 55000-2 (2014)
defines AM as the “coordinated activity of an organization to realize value from assets.” At a strategic level, asset management decisions are often uncertain and complex. Uncertainty is the deficiency of information about an event, its consequences, or its likelihood. In contrast, complex systems have a history, are evolving, and involve many interacting elements, where minor changes may have significant consequences. This complexity and uncertainty stem from factors such as long and varying lifetimes of assets, imperfect information on which the decisions are based, complex technologies, information systems and organizational structures, and multiple stakeholders with possibly conflicting needs and requirements.
The dissertation (completed in 2019) identified key trends and perspectives affecting strategic asset management: regulation and legislation, sustainability, circular economy, climate change, enabling technologies, ecosystem, business models, risk management, robustness and flexibility, and life cycle information management. There is a need for methods supporting strategic asset management that consider these aspects of managing the uncertainty and complexity related to strategic asset management.
Re-evaluation of key trends
More concrete requirements and demand for a sustainable society have sparked several new legislations, regulations, standards, and guidelines that affect asset-intensive industries. These include EU Green Deal, Fit for 55, EU Taxonomy for sustainable economic activities, and Corporate Sustainability Reporting Directive. Role of stakeholders and the impact of (lack of) social responsibility has become more visible. Since 2019, there has been a need to re-evaluate the list.
Investments in the low-carbon industry and energy efficiency have been abundant. Minimizing greenhouse gas emissions is on everyone’s agenda, and biodiversity is the focus of manufacturing industries. New regulations are expected to force organizations to verify and quantify the green claims. The global pandemic and war in Ukraine have emphasized the risks of dependency on extra-EU raw materials, components, and competencies. Supply security and military aspects are among the key decision criteria in strategic asset management. Current and future energy prices are increasingly crucial in asset management decisions. Furthermore, which role can AI take in automating and assisting asset management decisions?
There is a call (figure 1.) to build resilience against the impacts of these disruptive phenomena and to identify opportunities within them. These phenomena have far-reaching impacts on many parts of production systems and infrastructure. They are interconnected with megatrends such as circular economy, sustainability, and digitalization, which are already transforming businesses.
The focus is establishing an asset management system and strategic plans that inform investment, maintenance, operation, and sustainable end-of-life decisions. From a strategic asset management perspective, these disruptive phenomena disrupt the use of assets, alter investment volumes in the asset base, alter the timing and nature of production disruptions, and may even result in the shutdown of production units.
Circular economy as a key for sustainable asset management
Circular economy emerges as one of the main topics for strategic asset management. Strategic asset management already incorporates many aspects of the circular economy, such as reducing waste and keeping assets in use through effective maintenance. Adopting life cycle thinking in strategic asset management aligns with the goals of the circular economy by maximizing the value of assets. Assets are stockpiles of valuable resources, including critical raw materials (CRMs), and any degradation results in value loss.
However, incorporating circular principles more deeply into strategic objectives would increase the sustainability of the asset management system and the organization. This requires a more comprehensive understanding of strategic decisions’ economic, environmental, and social impacts and incorporating circular design strategies into decision-making.
Examples of such decisions include investing in greener production systems, investments, and practices to increase energy and material efficiency, prioritizing non-critical, biobased, or secondary raw materials, maintaining and remanufacturing production systems, and reusing or recycling them at the end of their first life cycle and essentially all actions towards preventing waste and downcycling.
Concluding remarks
This article outlined some of the main topics of my dissertation. The main contributions of the dissertation were: 1) emerging trends and perspectives in strategic asset management, 2) advancing the classification of methods supporting strategic asset management, and 3) developing and testing novel methods for supporting asset management decisions.
The dissertation is available to read at: https://urn.fi/URN:ISBN:978-952-335-397-8 .
Jyri Hanski, Senior Scientist, VTT Technical Research Centre of Finland.
Subscribe to the free Maintworld newsletter here!
EuroMaintenance comes to the Netherlands
The maintenance workforce has grown again this year. However, there are challenges facing the sector. For example, the increasing ageing of the population is causing a high average age (46 years), an increase in the number of vacancies (15 vacancies per maintenance organisation) and an increase in the outflow (8.9%). Of the outflow, a large group (43.5%) leaves the organisation because of retirement.
In the coming years, efforts should be made to increase the inflow of new personnel. One way to achieve this is by attracting more women (current share 8,4%) and more people with a migrant background into Maintenance. Furthermore, efforts should be made to retain these groups within the maintenance organisation.
Questions need Answers
– These and many more questions cry out for an answer, says Ellen den Broeder, General Manager NVDO and leader of the EuroMaintenance project team.
– With many hundreds of professionals attending EuroMaintenance in Rotterdam, the Netherlands, we may be able to find a solution. And besides, we also like to share the rosy picture: within the sector there is increasing confidence in recruiting enough staff. 60% of companies say they are confident about attracting enough technical staff and 71% say they are confident about attracting enough technological staff.
The outflow due to dissatisfaction has decreased (35.5%), which means that Management and Maintenance is an attractive sector to work in. These and many more figures are the outcome of the yearly Maintenance Benchmark in the Netherlands.
Asset Management at its Best
The NVDO Maintenance Compass is an annual publication and provides insight in the status of, and trend in the Asset Management industry. Based on key figures, trends and vision documents, the NVDO aims to help the Asset Management industry deal with developments, challenges and opportunities in the Asset Management field.
– Our maintenance market amounts to roughly 36 billion Euros, equivalent to roughly 4.5% of the gross domestic product (GDP). The maintenance market as a whole employs approximately 300,000 professionals, this means that 3.0 to 3.5% of the Dutch working population is employed in the maintenance sector, Den Broeder says.
Diversity will deliver a high-level conference Keynotes, Workshops and Inspiring Tables
– Since there are a couple of changes in the total employee base that catch the eye, we decided to give the Huma Factor prominent place at EuroMaintenance. Not only will the keynotes cover the theme, but some of the workshops will also give an answer to the problems we all deal with, Den Broeder says. Besides the workshops and the keynotes, there is an Inspiring Table at the end of the second conference day to inspire the audience. EuroMaintenance welcomes 36 workshops, 11 keynotes and 3 Inspiring Tables. All of them are of the highest quality and of international stature.
Increasing focus on innovations and big data
Besides the Human Factor, there are four more themes to learn from at EuroMaintenance: Asset Performance, Safety, Smart Industry, Sustainability.
– The opportunities offered by innovations and big data are being embraced more and more. A solid 70% of the organisations holds the opinion that their own industry is either ahead of, or on-par with other industries. A vast majority is convinced that they adopt a sufficient amount of innovations and technology in order to at least keep up. However, the most important barriers to the adoption of innovations are a lack of capital and a lack of knowledge.
Den Broeder refers to the Maintenance Compass again. Data driven working is becoming ever more common according to her. It is evident that all these issues are of the attention of EuroMaintenance.
– We all look forward to welcoming hundreds of professionals from all over Europe. NVDO, EFNMS and Ahoy Rotterdam ensure that Rotterdam, the Netherlands, will be the Maintenance Capital of Europe during 17,18,19 April. See, Hear, Learn!
EuroMaintenance Team Member
Ian van den Brink (NVDO):
Some one-and-a-half years ago I joined the NVDO-team and EuroMaintenance has been one of our focusses from when I first started. It feels as if we have been working together for many more years than we actually have, and I am incredibly proud that we are accomplishing such a strong, high calibre and international event with our small team! In the past months we have been hard at work, and it has all paid off with the incredible enthusiastic responses we are receiving from everyone involved. The Global Maintenance Professionals are waiting eagerly to once again meet each other at EuroMaintenance and I am very excited to speak to all of them in the European Maintenance Capital, Rotterdam!
EuroMaintenance, the largest European conference on maintenance has existed since 1972 and is an initiative of the EFNMS (European Federation of National Maintenance Societies) and organized by the Dutch Maintenance Society NVDO in April 2023. Maintenance NEXT is the most important platform for industrial maintenance in the Benelux and will be held next-door. The largest European maintenance conference will be held in Rotterdam from 17 to 19 April.
Subscribe to the free Maintworld newsletter here!
Latest
