Webb, P.E., managing director of the Instrumentation, Systems and Automation Society’s (ISA’s) SP99 Committee, “Manufacturing and Control Systems Security.”
Webb, a San Carlos, Calif.-based automation and licensing consultant, believes security, like safety, must be viewed from a complete system perspective. He adds that cyber security often depends on good physical and electronic security. “Further, the most sophisticated systems are no better than the least-secure remote site or vendor modem.” He advises maintaining security systems like any critical equipment.
But protecting a network’s perimeter is very difficult, says Richard April, vice president of marketing for Dedham, Mass.-based Cyber-Ark (www.cyber-ark.com). To address that challenge, his company patented a secure data repository. To gain access, users must pass through multiple layers of security such as session encryption, firewall, authentication and access control.
Inside threats
And while security once meant keeping the bad guys out, manufacturers also now worry about internal security threats, says Lance Travis, vice president of research for AMR Research Inc. (www.amrresearch.com), in Boston. Travis counsels companies to ask: How do you isolate and segment your network(s) to minimize damage? One means is identity management, which is knowing who users are and understanding what they’re allowed to do. Another is automatic provisioning tools. These create a database record for employees, then use that information to allow authorized users access to certain applications.
Still, nothing is completely secure, says Bill Moore, vice president, strategic consulting services for Dedham, Mass.-based ARC Advisory Group Inc. (www.arcweb.com), who mentions two common security concepts. One is the M&M candy strategy, which he doesn’t recommend: a hard outer shell protecting a soft interior. Instead, Moore recommends the onion approach, in which security is layered. “Manufacturing has its own layer. You can even further divide manufacturing into separate zones,” he adds.
The onion approach, with the automation/manufacturing space at its center, is also Michael Bush’s recommendation. “We call it ‘protecting the jewels,’ ” says this manager of Rockwell Automation Inc.’s (www.rockwell.com) security business, located in Mayfield Heights, Ohio. Do a risk-based vulnerability assessment first, he says. Bush also recommends the manufacturing security layer be very well designed. “That security layer should be as thorough and as complete as the one that separates the Internet from the company.”
Any such sustainable security system is composed of security products, a security process and management, notes Roshen Chandran, vice president of research and development for Paladion Networks (www.paladion.net), with U.S. headquarters in Herndon, Va. Products could include any intrusion-prevention technology. The process incorporates any backup procedures. Management encompasses monitoring and review of products and processes, as well as risk evaluation and strategies development.
But success also requires learning and planning, ISA’s Webb emphasizes. “Realize that a pound of prevention now is worth tons of cure after a major event.” Follow ISA or other vetted guidance, he suggests. Also, perform or have an automation-system expert perform an assessment of your automation systems’ security.
Like Webb, Bush believes cyber security is analogous to safety. “Analyze the problem, understand the problem and then apply risk-reduction technologies,” he states. “You just have to do the best that you can and not be a target,” adds Moore.
C. Kenna Amos is an Automation World contributing editor.