The intersection of safety and security is gaining increased attention across industries because both issues represent potential threats not just to business, but to life and limb. As detailed in our recent feature article, “Cybersecurity Lessons from Safety,” these two disciplines are increasingly intertwined, as both are used to address threats that can never completely be eliminated.
While cybersecurity and safety must be addressed systemwide in a plant, viewing the issue through the lens of mobile device use in plants provides a concrete way to approach potential problems from a device-specific point of view.
To learn more about this, we connected with David Hoysan of Phoenix Contact, a supplier of multiple automation-related technologies, ranging from connectors and cables to HMIs and PLCs to sensors, power supplies, and industrial communication technologies, for a recent episode of the “Automation World Gets Your Questions Answered” podcast series.
But once you start connecting mobile networks and cellular networks in the plant, you have to start thinking about the broader safety and security aspects, Hoysan advised. And one of the biggest issues manufacturers face here is the lack of standardization around security.
“A lot of companies have a bring-your-own-device policy, and that can really be an IT administrator’s nightmare, especially if you're bringing different mobile devices like cell phones and iPads onto a network that’s also operating with a bunch of different manufacturers’ equipment using different security settings,” he said. “It’s important to really nail down access permissions so that, once a device is on the network, you can control what that device has access to.”
If you have technicians who need to support the entire network, Hoysan advises giving them the access they need. But if you have somebody who just needs to troubleshoot a particular machine, they should only have access to that machine.
“Ultimately it’s about following the principle of least privilege when it comes to security,” said Hoysan. “This is an especially big concern with cellular devices that have access to public cellular networks. You don't want to accidentally expose your entire operation so that a hacker could access the system and potentially shut down a process.”
There are many different ways to secure cellular connectivity by setting up private VPNs and networks with your cellular provider so that your operations are not accessible via the public cellular network. “You can even create your own private tunnel within the cellular network,” he added.
A two-department challenge
Because threats to industrial safety and security are continuously evolving, addressing new threats from a mobile device perspective can be particularly challenging. Part of the challenge around this for industrial companies is the fact that security initiatives typically come from IT, while safety comes from the control engineering department.
This means you're working with two different departments, and whenever you have mobile devices, you “forego a lot of the centralized control that you typically have with closed networks,” said Hoysan. “But this does not mean you cannot necessarily have a safe and secure environment. When you look at safety and security, technology is only one aspect of it. There are also people and processes involved. For example, if you look at the electric power industry, they follow a standard called NERC CIP. There are sections in that standard about physical security, training your personnel, implementing processes, and recovering from an event. So, if you think about it more holistically, you can have a safe and secure environment if you follow the right procedures.”
As a final piece of advice, Hoysan suggested focusing on the primary safety and security factors associated with mobile device use in plants:
- For safety, hazard and risk analyses of your operations are most important. If you're going to implement the use of any type of mobile device, you want to make sure that no new hazards will be created when those devices are added. This means you'll have to do a hazard and risk analysis on each of the individual pieces of equipment, as well as the entire system. “If you have one component or machine talking to another machine, make sure that, by adding a mobile connection, you're not going to increase any type of hazard or risk in the process,” he said.
- For security, the most important thing is to focus on defense in depth. “You can close down ports and put firewall rules in place, but it's really crucial to train employees on the correct process,” said Hoysan. “Putting physical security practices in place can be something as simple as locking the control cabinet so that random people in the plant don't have access to it. And once you've taken care of training employees and putting basic security practices in place, start looking at technological security factors like firewalls and access permissions.”