Since 2016, Renata Araújo has been the Industrial Cyber Security Specialist at Braskem – Latin America’s largest petrochemical company, with 36 industrial plants spread across Brazil, the U.S., Mexico, and Germany, producing over 16 million tons of thermoplastic resins and other petrochemicals per year. But as the company grows, so do its cyber security concerns: how can it safeguard its giant OT environment from cyber threats?

As a first step, an industrial cyber security function was established to work closely with the already existing industrial IT one. Renata leads the initiative. We caught up with her to gain a deeper understanding of the cyber threats keeping her up at night and the solution-oriented initiatives keeping her busy.

Q: What would you say are your biggest concerns at present?

A: I’d begin with connectivity in our plants, where the use of 4G is raising important security concerns. High on the list are also remote third-party access, OEMs not releasing updates for old components and not embedding cyber security in their products – or rather, offering cyber security solutions as an additional package to purchase. Last but not least is the challenge of finding people with industrial cyber security skills – and the fact that industrial cyber security training can be very expensive doesn’t help either.

Q: Can you tell us about a challenge you faced and overcame?

A: We’ve struggled a lot with the right cyber security maturity model to refer to and assess our company with. So we developed our own maturity assessment model. We did this by basing ourselves on international ones, such as by drawing from ISA99 and ISO27001, to name the most renowned ones. We also came up with an index to express the maturity level in numbers, because numbers make it easier to prove a point with decision makers. Numbers really help you get your message across, catch the attention of budget-holders, and ultimately get them to commit to making cyber security investments.

Q: How are you coping with the fast pace of digital transformation?

A: We’ve luckily reached the point where cyber security staff is involved in the conversation when the business decides to adopt new and innovative technologies. However, although cyber security solutions are perceived as a tool to prevent losses, they do not generate returns. As a result, it is still difficult to get decision makers on board with them. How can we change this mentality? I still haven’t cracked the code, I’m afraid.

Q: How are you and your colleagues managing to raise cyber security awareness across the enterprise?

A: The first step towards raising cyber security awareness is to understand how paramount it is to spread this awareness across all levels of seniority and in every department, because anyone can be a threat vector. Every company should have a programme manager coordinating cyber security trainings and efforts and tailoring the message to the employee’s background. For example, when addressing people with an automation or process control background, it has been useful to talk about safety. When addressing people with no cyber security background, it has been useful to provide them with actual facts to illustrate our message, such as by showing results of penetration tests we’ve conducted.

Q: What kind of success stories would you like to hear about from other asset owners?

A: For me personally, it would be really beneficial to hear success stories on adequately overseeing the IT-OT relationship, on keeping security at the core in relation to layers of automation environments, and on the adoption of the cloud in industrial environments.

 

Renata is an advisor helping curate the Latin American edition of the globally acclaimed Cyber Security for Critical Assets summit (CS4CA LATAM). Join her this October 29th-30th in São Paulo with your delegate passes, inclusive of: access to the full agenda, a PDF copy of all presentations (post-summit), refreshments during networking sessions & seated lunches, and a CPD certification at https://latam.cs4ca.com/