Everyone understands that security becomes an issue when companies use Ethernet in industrial environments. But it’s often difficult for companies to approve the time and funding needed to set up security systems that are efficient and cost effective. In the current downturn, justifying these expenditures is a critical aspect of securing corporate assets.

Avoiding waste is critical, but it can postpone investments and leave a company vulnerable to shutdowns and other problems that can occur if viruses, attacks or other problems cause networks to shut down. That changes when regulators in environments such as power generation force vendors to beef up their protection. The Independent Electricity System Operator (IESO), which monitors the electric power grid in Ontario, Canada, took major steps after the North American Electric Reliability Corp. (NERC) began enforcing security compliance regulations for utility companies in 2007.

Meeting NERC mandates required a major network overhaul. “We started from the ground up, taking out all the networks, then upgrading them and putting modern operating systems on our equipment,” says Ben Blakely, Information Security Officer for IESO.

The Toronto-based company also added a number of other software tools. “We added a patch management system, put in a lot of anti-virus scanners and added TippingPoint technology,” Blakely says. TippingPoint Technologies Inc., Austin, Texas, is a 3Com company that supplies network-based intrusion prevention systems. “We wanted to get a system that would gather data and monitor what was happening on the wire. But we also wanted to make sure we weren’t blocking appropriate messages,” Blakely says.

Where’s the money?

Steps like these are just as important in unregulated industries. But before making a move, many companies are looking at security from a new stance. Security must contribute to the bottom line, helping increase uptime and reduce risk while justifying all expenditures of time and money. That focus on return on investment (ROI) has gained importance, given the sluggish economy. “Security without a good return on investment is a waste of money. But if you do it well, you get a good ROI,” says Eric Byres, chief technology officer for cybersecurity consulting and products company Byres Security Inc., of Lantzville, British Columbia, Canada. “Like safety, security pays for itself.”

It’s widely understood that the downside of the shift to Ethernet and transmission control protocol/Internet protocol (TCP/IP) makes security more important, offsetting the upside of improved corporate compatibility and reduced costs. But this understanding doesn’t always translate to increased efforts to reduce risk. Vendors of manufacturing equipment note that regulation is a key driver for the level of emphasis that firms place on security. Those in regulated fields don’t have a choice, while many in non-regulated fields are taking their time before spending precious resources on security systems and processes.

“Companies can almost be segmented into two halves. Process automation is usually more progressive and mature, driven partly by government mandates in areas like oil and gas,” says Doug Wylie, business development manager at vendor Rockwell Automation Inc., in Mayfield Heights, Ohio. “In factory automation, the focus on security is not as great.”

Running safely

Linking safety and security is becoming more common as companies look to trim any expense. Both are closely related to one of the most critical parameters in the industrial world: uptime. When either safety or security is compromised, production is usually stopped, regardless of whether the problem was caused by employees or outsiders.

“Security often means keeping out malicious attacks, but it can also mean keeping systems up and running. Companies need to control the often-unintended consequence of human actions,” Wylie says. “Companies need to look beyond cost and look at the value of protecting information and equipment.”

Late last year, Honeywell emphasized the links among security, uptime and safety when it began offering security courses created by TÜV Rheinland, which certifies facilities in Europe. “The training modules are designed to provide practical advice that manufacturers can use to help them be better prepared to deal with potential incidents, avoid downtime and protect their people,” says Scott Hillman, a marketing director for Honeywell Process Solutions, the Phoenix-based process automation vendor.

One of the biggest factors in security is to understand the entire network and acknowledge its weak and strong points. That begins with creating a solid architecture, then doing plenty of testing to fully understand the nuances of the full network. The latter step is a critical aspect of success.

“The real key to managing risk is to know more about your system than any hacker can learn. You ...