Large-scale networking for monitoring and control has resulted in significant productivity and quality improvements in process and manufacturing operations. But, complex networking brings vulnerabilities that can be exploited, causing malfunctions, production delays, safety issues, equipment damage and major loss of revenues.
Most automation products and systems, such as PLCs and RTUs, have been optimized for real-time I/O performance, not for secure networking. They typically have no isolation between different sub-systems; if a problem occurs in one area, it can quickly spread throughout the network. In many cases, operating personnel have few tools to isolate and identify the source of problems, which may lead to lengthy shutdowns. Often, new vulnerabilities are discovered at rates that make it hard for security developers to keep up.
In spite of apprehensions over the impacts of Stuxnet and similar security breach events, industrial cyber security has mostly been ignored due to lack of understanding of solution costs. Beyond more newsworthy cyber attacks on commercial businesses, industrial-incidence rates have been relatively low.
But the risks keep increasing, with growing threats from professional hackers, foreign-based competitors and perhaps even foreign governments. For many, industrial security is still in the "insurance policy" category. Many simply elect to take the risk.
Here are some key cyber-security questions to consider:
• Extended use of wireless equipment and mobile devices (laptops, iPhones, iPads) for network access creates new targets for smart snooping and security attacks.
• Virtualization in industrial environments brings new vulnerabilities that have not been adequately addressed yet.
• Rapidly increasing use of Cloud services with undetermined security issues.
• Social media information provides new mechanisms for network penetration. Outsiders can gain access into private systems by gathering company details to send emails that include malware attachments.
For automation and process controls suppliers, systems must be designed with cyber security in mind. They need to recognize that the objective of good security is not to anticipate every possible type of attack, but to make systems harder to compromise, particularly at entry points.
Excellent technology exists, but what’s lacking is an understanding of cyber security as a competitive, revenue-generating advantage. Instead of including security technology in the cost of up-front product development that offers differentiated advantages and benefits, many suppliers consider cyber-security as an after-the-incident service-revenue generator.
On the international front, China is generating good growth and the automation majors are making security a priority in that market arena. However, some consider that security is not a problem because their systems operate with closed networks. This is simply avoiding the issue and typically a “fix” is offered after vulnerability is discovered.
More recently, standards are emerging. This drives many of the larger players into offering, at minimum, a firewall as an option. Many are starting to think about embedded solutions.
The mindset that security is just an add-on needs to be curtailed; it is not that simple. Security is a vital part of any manufacturer’s way of operating today.
Suppliers react to what customers want. End-users must demand that suppliers offer more security in their platforms; if they don’t demand it, they won’t get it.
Here are some security equipment trends:
• Cyber security technology embedded in network switches and routers, as well as in automation system vendors’ products.
• A wide range of hardware platforms for cyber security field devices, ranging in size from postage-stamp dimensions to large rack-mount units.
• Self-learning firewalls that provide barriers to penetration.
• Plant floor encryption systems such as Virtual Private LAN Services (VPLS).
• Encryption technology migrating from the WAN to the plant floor, modified for industrial systems.
• The use of embedded IP-cameras on mobile equipment, for individual image-recognition before access is allowed.
Many companies struggle to justify what is seen as added cost to secure their operation. In today’s competitive, cost-cutting environment, using traditional return on investment calculations doesn’t seem to work. But consider this: If your system doesn’t have an “event,” then security is an added cost; if you do, it can be priceless.
>> Jim Pinto is a technology futurist, international speaker and automation industry commentator. You can email him at firstname.lastname@example.org or review his prognostications and predictions on his website: www.jimpinto.com.