Security - Another Reason For an Automation Architecture

If you weren't convinced before, sitting through the Anti-counterfeiting and Brand Protection sessions at the ARC World Forum was enough to convince anyone that there are a bunch of bad people out there who don't care what kind of harm they cause to your company or to your customers.

And while on the topic of security and bad people, we can't overlook the increasing need to be concerned about cyber threats to our control and automation systems.

The critical process and infrastructure industries such as chemicals and power distribution are under federal mandate to treat the threat of cyber security seriously. Honeywell's acquisition of Matrikon is an indication that process control vendors and their customers are taking this threat seriously. But let us not forget that the best known attack on control systems to date was on peripherals related to PLC's by the Stuxnet worm that attacked systems involved with Iran's nuclear program.

Deliberate attacks and accidental security incidents have shut down or caused dangerous outcomes in an auto plant, at least two nuclear plants, and a sewage treatment plant. I am sure that there have been many more incidents that I, and perhaps the general public, are not aware of.

Cyber attacks can come from many sources; hackers, professional criminals, someone your company failed to hire, someone who left the company disgruntled, or a competitor intent on doing your company harm or steeling your secrets. Attacks may be overt where it is obvious that something is wrong or covert where someone may have embedded a bot into a controller, PC or communications device to eavesdrop on conversations, data or operations. The threat is potentially much greater than the Y2k threat which had no criminal or political intent behind it.

ISA issued the first part of the ANSI/ISA 99 standard on the topic of security for manufacturing control systems in 2007 and the second part in January 2009. Work on a global standard is underway. The process industries will be the first to fully adopt these standards. In my estimation, large DCS process control systems will be much easier to protect than the PLC systems that are deployed in most manufacturing plants. The primary reason for this is that DCS systems are typically installed according to a well engineered and consistent ARCHITECTURE. The PLC systems in most plants have been installed in a helter-skelter fashion without any well thought out plan of construction.

Protecting systems from cyber attack requires an active and ongoing campaign involving people, processes and technology. It is difficult to manage people, define processes and apply technology when the underlying infrastructure has no common design attributes as would a well-architected automation environment.

I don't expect most manufacturers to start a cyber security program for their automation systems anytime soon. I believe that we have some time to learn from the process and critical infrastructure industries. But, I have no false allusion that we will be able to avoid cyber security issues in and around our plants for ever. One way to prepare would be to review ISA99 and review your automation architecture, if you have one. If you don't have one, now would be a good time to develop one, not only to improve the effectiveness of your operations but also to prepare for the day when your president asks what his company is doing about cyber security for manufacturing assets.
More in Home