Whether they generate or distribute power, or extract oil and gas, or facilitate communications, industrial companies house critical infrastructure vital for a nation’s economy. The advent of Industrial Internet of Things and the convergence of IT and OT infrastructures as well as the growing number of sensitive information have significantly expanded the threat landscape. As a result, governments and enterprises alike are doubling up their efforts to secure these valuable resources. TÜV Rheinland’s regional manager for Asia Pacific, India, Middle East and Africa – Digital Transformation and Cybersecurity, John Ramesh shares insights into the evolution of the industrial sector and why security transformation within the space is now more important than ever.
Can you please give an overview of TÜV Rheinland’s operations? What have been some of the highlights at the company over the past 12 months?
Established in 1872, TÜV Rheinland has been assisting critical infrastructure sector organisations on matters of safety and security for over 145 years. Our key services include compliance assessment and certification, testing and implementation of security frameworks and practice in line with internal standards as well as local and global regulations.
Over the past two decades, we have been operating in the Middle East, India, Africa and the Asia Pacific regions. We cater to a variety of industrial and critical sectors such as utilities, oil and gas, transportation and shipping. One of our primary offerings centres on enabling organisations to comply with local cybersecurity laws and regulations, remediating cyber incidents and achieving higher maturity of cyber resilience for their industrial and operational technology (OT) assets and facilities.
As for the Asia Pacific region, we have a laboratory stationed in Malaysia. We also have several strong partnerships in Japan, where we focus on delivering technical expertise centreed around GDPR, artificial intelligence, governance, risk and compliance management (GRC), testing and certification, OT and industrial cybersecurity and more.
Some of the key highlights, we have achieved over the past year, include signing a number of memorandums of understanding (MoUs) with large regional organisations to collaborate on cybersecurity services within industrial facilities.
We have also made significant investments in our regional operations. In addition to our strong presence in Oman, we have further bolstered our IMEA operations by opening new hubs in key countries such as the UAE and Saudi Arabia with plans to open more in the pipeline
As part of our expansion plans, we have also hired top consultants and industrial and OT cybersecurity experts. This is in line with our commitment to bridging the current skills gap in the market and our vision of expanding our capabilities beyond traditional testing, inspection and certification.
How have industrial control systems evolved over the years and how have Internet of Things technologies impacted industrial systems?
Over the past few years, Industrial Control Systems (ICS) have undergone a rapid transformation fueled by innovations in automation, technology and communication. From traditional systems to modern hyper-connected complex networks, automation and control systems have now evolved to become an integral part of organisations within the critical infrastructure sectors.
The industrial plants, which once relied on legacy systems, have now become more agile and efficient, providing greater advantages for businesses.
Furthermore, as we realise the Industrial Internet of Things (IIoT) era, we can expect a new wave of innovation heading towards this sector. An unprecedented number of devices or “things” are forming hyper-connected systems that will allow organisations to collaborate and process information in real-time. We will see technologies such as artificial intelligence (AI) are increasingly transforming automated control systems paving the way for smarter operations in the industrial sector.
TÜV Rheinland is well-equipped with the right tools and expertise to support the digital transformation for IIoT across many industries including utilities, manufacturing and oil and gas.
What do you think are the biggest cybersecurity risks that will affect ICS and IoT devices?
Cyber threats have increased significantly over the last few years and it appears to be coinciding with the geopolitical scenario within the region. Therefore, we can expect geopolitical issues to contribute to significant risks that will affect ICS and IoT devices. Many industrial facilities in the region were constructed more than a decade ago and currently house technologies that lack the capability to deter today’s threats. Any disruption on these devices that are deployed in critical infrastructures can cause major societal impact.
How can information sharing help improve security around ICS?
Information sharing is key in enabling government firms and enterprises with ICS assets to raise security awareness. For instance, if a utility plant is experiencing malicious traffic, anonymised sharing of this information can enable government authorities to determine the widespread impact of that specific cyber incident. This collective information will also allow them to proactively devise strategies that will help organisations protect themselves against similar threats.
Can you elaborate on TÜV Rheinland’s offerings in terms of enabling the security transformation of regional firms?
TÜV Rheinland has a comprehensive set of offerings focused on aiding industrial organisations to identify and prioritise their security requirements based on risks and compliance with global and local laws and regulations. We also have the right expertise in helping an organisation design the appropriate cybersecurity strategies that are tailored to their specific security requirements. We support our customers across all stages of implementation from vulnerability assessment to penetration testing to training and consulting services, which are all aimed at improving their security posture.
Why is it critical for security professionals to have adequate cybersecurity training and gain industry certifications today? How can this give them a leg up over their competition?
Cybersecurity training and obtaining certifications are key to achieving both the cybersecurity objective of an organisation and for enhancing a security professional’s career perspective. This not only give security professionals the credibility when dealing with sensitive and critical industrial control systems but also helps them gain trust from different stakeholders of their organisation.
In such a complex area of cybersecurity, a third-party verified certification programme can help companies benchmark the expertise of their teams against the demands of the industrial cybersecurity landscape.
There are plenty of emerging certifications in this sector but the TÜV Rheinland approach focuses on the key requirements of safety and cybersecurity. We have recently launched a new Certified Operational Technology Cybersecurity Professional Programme (TÜV) in response to the growing demand for specialists in industrial cybersecurity. This part of the cybersecurity market is challenging to address and anything that helps improve quality is beneficial. It actively assesses candidates using a combination of a professional career review, interview and technical examination. Experts who meet the required standard will receive a certification from TÜV Rheinland.
What kind of technologies do organisations need to prioritise if they are to reduce their current threat levels?
It would be ideal for organisations to prioritise investing in technologies that will provide them visibility over their cyber-physical and digital assets. This is to ensure that they can proactively detect, monitor and manage any kind of malicious activity in their environments. However, there is an incorrect notion within the industry that technology can solve most, if not all, of the cybersecurity issues that we face today. In reality, it will take more than just implementing the latest technologies from the market to address these threats. There needs to be the right synergy between people, processes and technology to achieve the best possible outcomes in mitigating the cyber risks that exist in the landscape.
What do you think are the technologies that will have the biggest impact in the cybersecurity industry in the next two years?
Industrial technologies are undergoing rapid innovation and transformation. The convergence of IT and OT, as well as the increasing number of connected devices, will have the biggest impact on the industrial cybersecurity space.
What can regional firms expect from TÜV Rheinland in the next 12 months?
A recent study that TÜV Rheinland conducted predicted a number of trends surrounding the industrial security space. Some of these include: cybersecurity will continue to be a boardroom issue; IoT cybersecurity will continue to face a major standardisation challenge and the skills shortage will distort the labour market.
In addition, we also found that threat detection and response depend on maturing security orchestration; Red Team Testing and Agile Security development are gaining greater mainstream acceptance; and finally, cybersecurity will define digital economy winners and losers.
With these factors in mind, TÜV Rheinland aims to continue delivering specialised services and solutions focused on securing industrial cyber-physical infrastructure. We will also continue to augment our offerings to help organisations achieve desired levels of compliance and cybersecurity with optimal levels of investment.