Skip to the content

Cyber security a no-brainer in threat-filled world

It’s the type of story that sends a shiver up the spines of all company executives...

Maintenance contractors arrive at an unmanned piece of industrial infrastructure that contains control and safety systems vital to the company’s operations and security. There they spy somebody with a laptop connected to the system – the person is not authorised to be there, it’s not known who he is, and the company has no knowledge of what he is doing.

Crucially, the company doesn’t have the programs and protections in place to recognise and defuse such a potential cyber threat...

Peter Jackson hopes it’s a cautionary tale that spurs companies, particularly those who rely on operational technology (OT) such as industrial control and safety systems, to invest the time, energy and money in cyber security systems.

“Ignorance is bliss and security by obscurity are things of the past – you do not get to decide if you are a target,” says the director of cyber security for Taranaki company Engineering Control Limited (ECL).

“Advanced persistent threat (APT) activity is increasing globally. The aim may be to disrupt or even cause injury. For example, one group at the moment is targeting safety systems – the systems that shut down an operation quickly and safely – which is pretty scary.”

Peter and ECL, which is a founding member of the Energy and Industrial Group (EIG), are specialists in the field of OT cyber security.

Having gained knowledge of automation network management through the company’s 20 years of designing, building, installing and servicing process automation and functional safety control systems, Peter was asked to consult on and provide industrial cyber security for a client. 

“I recognised quickly that a lot of our industrial clients were underserved in this space, so as I worked with that client, I developed our own internal capabilities,” he says.

Since then he and his team have become leaders in the area – studying and gaining qualifications, running summits and speaking at New Zealand and international conferences.

The growth in uptake and demand for ECL’s knowledge and services has seen the company set up a separate industrial cyber security business unit – ECL Cyber – with its own website https://eclcyber.co.nz/.

He says traditionally, industrial companies have focused their cyber protection on their enterprise IT – servers, web stations, laptops, devices, and cloud infrastructure – largely ignoring their OT.

“It was thought that no-one would ever target industrial networks. But everything is connected and vulnerable to security threats.

“Often industrial organisations have a cyber security budget and IT gets the lion’s share, whereas the majority of their revenue comes from the control system.”

Peter suggests companies get a better understanding of their infrastructure and what security they require.

“Asset identification is a big one – knowing what is talking to what, what should be there and what shouldn’t. Knowing whether you’re secure is difficult without having asset identification, network security monitoring and defence-in-depth in place.

“Network segmentation is also important. Segmenting the controllers by plant or by type, rather than having one flat network. Therefore if something happens, whether malicious or inadvertent, the impact is minimised, plus it’s easier to monitor and see deviations from the baseline.”

When providing cyber security, ECL uses a range of applications, both open-source and paid tools, and fit for purpose solutions.

“It’s very important that we tie the OT cyber security in with existing IT cyber security programs. That’s where it’s great to have our experience through the automation side of the business completing our strong IT knowledge and skills. We have a depth of knowledge of industrial control and safety systems that typical IT cyber security firms don’t have.”

ECL managing director Guy Heaysman, who is EIG deputy chair, says the EIG has played a valuable role in the company’s success and growth, including the cyber security business.

“Building those connections and relationships across energy businesses and the industrial sector has helped us secure work throughout New Zealand. Taranaki is a great place to do business and the EIG companies support each other to make sure that continues.”

We're keen to hear from you

How can we help

For more information on how the Energy and Industrial Group members can help you, or if you would like more information on becoming a member of the Energy and Industrial Group, please contact the manager using the below contact details.