Expert advice on cybersecurity defences for digital transformation projects from industry veteran Yogi Schulz

You don’t want to see a headline about your cybersecurity lapses. Nor do you want vocal critics to sully your carefully cultivated stellar reputation. You want to avoid the cost and disruption of cleaning up after a cybersecurity incident.

Treating cybersecurity as an afterthought or something others will address during digital transformation projects is always a mistake. It leads to leaving avoidable cybersecurity holes that bad actors love to exploit.

Thankfully, there are steps you can take to guard against the vulnerabilities that digital transformation initiatives often uncover. Here are actions 6 through 10 from the top 10 actions organizations can take to minimize cybersecurity risks during digital transformation.

You can read actions one through five at this link.

Evaluate SCADA/IIoT integration points

Some digital transformation projects bring SCADA/IIoT data from operational technology (OT) infrastructure into the realm of IT systems. Often, different executives manage these two realms with dissimilar mandates and priorities.

Evaluate the cybersecurity risks of the digital transformation projects’ SCADA/IIoT integration points. These points are often represented by a server or network device whose management responsibility is vague or ambiguous. As a result, the cybersecurity defences can be uneven.

Act on the conclusions of your integration point evaluation. They typically include the following:

  1. Clarifying roles and responsibilities for the devices.
  2. Updating and perhaps upgrading the devices.

Test Application Programming Interfaces

Most digital transformation projects develop custom application programming interfaces (APIs) to integrate databases or to allow external partners’ software developers to access specific applications within the organization’s computing environment.

When attackers discover these APIs, they can easily create software to cause data breaches. To reduce this risk, take the following steps:

  1. Test the API software thoroughly.
  2. Regularly change the credentials authorized to access the API.
  3. Log use of the API and review the log regularly.
  4. Store the API source code securely. Never publish it in an open-source repository.
  5. Limit the circulation of the developer guide for using the API. Please don’t post it on the web.
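
Items 2 and 3 above can be checked together by scripting the routine log review. The following is an added example, not part of the original article: the log format, the key inventory, the 90-day rotation window and the failure threshold are all assumptions, and the sample data is constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data: key inventory (key id -> issue date) and access log
# lines in the assumed format "ISO-timestamp key_id source_ip status path".
KEY_ISSUED = {
    "partner-a": datetime(2024, 5, 20),
    "partner-b": datetime(2023, 11, 2),
}
SAMPLE_LOG = """\
2024-06-01T09:00:01 partner-a 198.51.100.7 200 /v1/orders
2024-06-01T09:00:05 partner-b 203.0.113.9 200 /v1/orders
2024-06-01T09:01:10 - 192.0.2.44 401 /v1/customers
2024-06-01T09:01:11 - 192.0.2.44 401 /v1/customers
2024-06-01T09:01:12 - 192.0.2.44 401 /v1/customers
2024-06-01T09:01:13 - 192.0.2.44 403 /v1/customers
2024-06-01T09:01:14 - 192.0.2.44 401 /v1/customers
2024-06-01T09:02:00 old-test-key 198.51.100.7 200 /v1/customers
""".splitlines()


def review_api_log(lines, key_issued, max_key_age_days=90, fail_threshold=5):
    """Return sorted (finding, subject) pairs for a human reviewer to follow up."""
    findings = set()
    failures = Counter()
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            findings.add(("malformed-line", line))
            continue
        stamp, key_id, src_ip, status, _path = parts
        when = datetime.fromisoformat(stamp)
        if status in ("401", "403"):
            failures[src_ip] += 1  # rejected calls are counted per source
            continue
        if key_id not in key_issued:
            findings.add(("unknown-key", key_id))  # accepted but not in inventory
        elif when - key_issued[key_id] > timedelta(days=max_key_age_days):
            findings.add(("key-overdue-for-rotation", key_id))
    for src_ip, count in failures.items():
        if count >= fail_threshold:
            findings.add(("repeated-auth-failures", src_ip))
    return sorted(findings)


if __name__ == "__main__":
    for finding, subject in review_api_log(SAMPLE_LOG, KEY_ISSUED):
        print(f"{finding}: {subject}")
```
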

For a more technical discussion, please read API security: 12 essential best practices.

Assess technology changes

Often, digital transformation projects introduce changes to the suite of information technologies in which an organization operates. New technologies introduce or revise cybersecurity risks.

Your project team should update its IT cybersecurity risk assessment when technology changes occur and act on new findings.

Confirm CSP cybersecurity defences

Many digital transformation projects include a cloud component. That component can be either the use of a computing infrastructure operated by a cloud service provider (CSP) or a cloud operated by a SaaS provider.

Because most CSPs operate extensive cybersecurity defences and proudly describe this work as a valuable customer benefit, most customers don’t invest more effort in cloud cybersecurity assessment or testing.

It’s prudent to allocate a modest effort to confirming the comprehensiveness of your CSP’s cybersecurity defences.

Conduct an OT cybersecurity risk assessment

Sometimes, digital transformation projects reveal that the realm of operational technology (OT) has not received the same amount of cybersecurity attention as IT. In this case, an OT cybersecurity risk assessment should be conducted.

The International Society of Automation (ISA) standard Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program (ISA-62443-2-1) provides valuable guidance for developing a business rationale for OT cybersecurity investments.

Organizations materially reduce cybersecurity risks by including these actions in the scope of their digital transformation projects.

Yogi Schulz has over 40 years of information technology experience in various industries. Yogi works extensively in the petroleum industry. He manages projects that arise from changes in business requirements, the need to leverage technology opportunities, and mergers. His specialties include IT strategy, web strategy and project management.

© Troy Media
Troy Media is an editorial content provider to media outlets and its own hosted community news outlets across Canada.