In this post-Stuxnet era, Langill says the biggest threat facing manufacturers is still the same threat that existed pre-Stuxnet: the generally poor level of awareness in the production industries of the real threats and consequences of cyber security breaches.
“Some manufacturers think they’re safe because you can’t blow up their plant by messing with their control systems,” Langill says. “But they’re missing the point, because the threat is not blowing up your plant but having something happen that keeps you from manufacturing the products that contribute to the bottom line, or by impacting your ability to make a product to spec and thus negatively affecting your reputation.”
When it comes to cyber security impacts such as these, every industry is susceptible.
If you remove grand attacks like Stuxnet, which is a threat most manufacturers will never face because of its highly targeted, highly sophisticated and highly funded origins, and look at more common attacks like the Conficker worm, you get a better idea of the real threats and consequences you face.
In case you missed it, last fall SAB Miller released information about what Conficker cost the company based on the loss of production at its Romanian plant during the four hours it was shut down to deal with the worm. During those four hours, the company lost more than $11 million.
“People think the threat comes from bad guys,” says Langill. “But the real threat comes from employees who don’t know what they happen to have in a document that they’re going to open on a computer they shouldn’t be opening it on.”
You have to understand your threat agents and separate them from your threat vectors, Langill advises.
What Suppliers Are and Are Not Doing
Though Langill sees a number of automation suppliers doing the right things to help manufacturers address security issues, he sees many more that are going about it the wrong way.
“Vendors are not in the business of doing security,” he says. “When they try to do it themselves, the end result will always be inferior to what could have been produced by people who spend all their time dealing with control system security.”
Some of the positive signs Langill sees happening on the supplier front include:
- Siemens is planning to release a new communications processor that provides point-to-point authentication directly in the protocol. “We know that this issue is number one—the most important thing we need. What they’re doing is ambitious, it’s a game changer, and it shows they’re taking this seriously,” Langill says.
- ABB and General Electric are partnering with Industrial Defender. “That’s showing commitment to security, not just rebranding people inside your company as security professionals.”
- Schneider has been engaging third parties to do assessments and validations on their systems. “They want these outside companies to stress their systems.”
Too many vendors, however, are still not treating security as a real part of their solution. “They still try to do security as though end users just need to follow their practices and buy a firewall and everything will be okay,” Langill says. “In addition, vendors are still not typically offering security assessment and validation during commissioning activities.”
One interesting way Langill suggests to gauge the strength of a vendor’s commitment to the security of its systems is to visit the vendor’s Web site and see whether you can find information on security without typing “security” into the site’s search engine. “Chances are, you can’t do it,” he says.
>> Security Sessions at The Automation Conference
Don’t miss your chance to learn directly from Joel Langill about how to protect the control systems in your plant. Joel will be delivering two cyber security sessions at The Automation Conference, May 22-23, 2012. One of his sessions will be focused on cyber security for processing facilities and the other will be directed at discrete manufacturing operations. Sign up to attend at www.theautomationconference.com.