As at most manufacturing facilities, the plant floor at Charter Steel, an American supplier of special bar quality (SBQ) steel products, has become more connected over the years, both among devices on the floor and between the industrial and enterprise networks. While a more connected plant floor provides numerous benefits for production and quality, it also means the plant is now more vulnerable to a number of cybersecurity risks as more critical operational technology (OT) assets depend on networking capabilities.
Unlike IT cybersecurity incidents, an OT cyber incident can lead to damage in the physical world and put human safety at risk. To prevent a potentially disastrous situation, Charter Steel decided it needed to bring in third-party assistance to facilitate a holistic approach to its OT cybersecurity risk-reduction efforts and disaster recovery preparedness. The Charter Steel team, led by its Director of Automation and Technology, reached out to us to discuss a manageable approach to how they should proceed.
A Multi-Phase Approach to Assessing and Addressing Cybersecurity Risks Across Facilities
Because Charter Steel has three facilities (two in Ohio and its corporate headquarters in Saukville, Wisconsin), we decided together with Charter Steel that it would be best to start the cyber assessment at a single location. After establishing a baseline understanding of this site’s OT environment, we assessed its cyber posture and presented a report with findings and recommendations to address the current gaps. Charter Steel then asked us to put our findings into a format that could easily convey the facility’s biggest cybersecurity risks to IT and management teams. Using the standardized NIST Cybersecurity Framework (CSF), we created a quantitative assessment and radial chart that visually highlights the facility’s current state in the core functions of identify, protect, detect, respond, and recover.
After completing the first assessment at the Cleveland facility, Charter Steel contracted us to conduct the same assessment for its other two sites in Saukville, Wisconsin and Fostoria, Ohio. About halfway through these assessments, we realized the results were nearly identical to our findings from Cleveland and recommended that we, instead, refocus our efforts on creating a cybersecurity plan and program to address the common risks we were finding across facilities.
From here, we worked together to create a cybersecurity plan with an OT cybersecurity program structured around the NIST Framework for Improving Critical Infrastructure Cybersecurity. One of the big pieces of this program involved breaking down the traditional wall that exists in most facilities between OT and IT to assemble an internal OT cybersecurity team that converged the two groups. Once the team was in place, we worked with them to first tackle the area where the NIST CSF analysis revealed improvement was needed most: respond and recover.
ACE worked with the Charter Steel team to run several mock disaster scenarios for the identified assets and then helped develop standardized disaster recovery procedures and back-up techniques for these major systems. Charter Steel is now working to develop robust back-up solutions using equipment for which the IT organization will take ownership.
“ACE was instrumental in making the IT and OT relationship work by partnering with us to build trust and collaboration across our teams and remove traditional IT/OT barriers. Today, we have an excellent team, including ACE, that is focused on current and future cybersecurity initiatives,” said Joel Multerer, Charter Steel’s Director of Automation and Technology.