Strategies around the Industrial Internet of Things (IIoT) are creating new global manufacturing approaches and different conversations between machine builders and end users. The safety discussions that have become more commonplace between end users and OEMs will increasingly need to involve security as well.
IIoT adoption brings with it added security concerns—more opportunities for hackers to find ways into enterprises as more machines and devices get IP addresses and, in many cases, are connected to the cloud. They will become more susceptible to remote access Trojans, file-stealing malware, ransomware and any number of attacks.
According to a recent AT&T cybersecurity survey of more than 5,000 enterprises, 85 percent of respondents are in the process or are planning to deploy IoT devices; yet only 10 percent of the respondents feel like their security practices are in place.
“OEMs are looking to enable things like remote access to their machines,” says Keith Blodorn, director of ProSoft Technology’s wireless program. “And machine builders need to be able to demonstrate security of remote access connections for end users.”
But end users are still in the driver’s seat for security, according to John Kowal, director of business development at B&R Automation. B&R is a member of the IT/OT committee within the Industrial Internet Consortium (IIC), and is addressing key network security issues, such as remote access for diagnostics, machine monitoring and all things IIoT.
In the food industry, which is undergoing traceability operational changes brought on by the 2015 Food Safety Modernization Act (FSMA), some companies won’t allow machine builders to remotely diagnose their equipment due to enterprise IT security policies.
“Some [consumer packaged goods] end users are saying data has to be on a secure network and they just haven’t come up with a good solution,” says Erl Campbell, product manager at Aventics, a pneumatics supplier.
A mature safety culture is fully recognized in today’s industrial automation landscape. Safety standards have driven these companies to implement robotic cell assessments, supply chain requirements or machinery updates. In contrast, cybersecurity standards are moving slowly, resulting in less visibility for manufacturers and OEMs.
One reason for this situation comes from the lack of manufacturing security standards. In this case, the industry could learn from the advances that have been made in safety, including the development of machine control safety technology standards such as ISO 13849-1 and IEC 62061. There’s also ISO 12100 and its best practices for principle machinery safety standards for Europe and the U.S.
Security standards are beginning to follow suit through such bodies as the European Standardization Organizations, GSMA and the North American Electric Reliability Corp. (NERC), with its Critical Infrastructure Protection (CIP) cybersecurity standard for protecting power utilities.
|The evolution of risk management has resulted in higher productivity, while also helping to show the link between safety and security.|
The National Institute of Standards and Technology (NIST) released a voluntary cybersecurity framework for manufacturers that is proving popular, despite its detractors. In a March 2016 survey of more than 300 U.S. IT professionals, Tenable Network Security found a majority of organizations have at least one of these NIST security frameworks in place.
Half of the respondents to the AT&T cybersecurity survey feel high investment costs are a barrier to security adoption. Standardization could help those costs. “Without a clear international security standard to define everybody’s equipment and services features, OEMs have to show that they can comply with every specific end user’s internal requirements,” says Simone Gianotti, motion product manager for Schneider Electric’s Industry Business.
The conversation continues
Safety standards have created a continuous conversation between OEMs and end users and, in the process, productivity benefits have resulted through a number of industrial technology advances: mature network standards, integrated safety (PLCs), smart devices and drastically higher chip processing speeds.
“End users are providing machine builders hard safety specifications,” says Scott Stevens, global OEM technical consultant for Rockwell Automation.
Safety PLC advancements have helped suppliers reduce design work for machine builders with ISO 13849-1, which requires category and performance levels for each type of I/O. When designing a machine, OEMs can work around the 13849-1 statistical analysis of its machine if the technology already meets the required risk reduction with the safety controller.
Another reason for better productivity on the plant floor is network safety. “European OEMs are embracing networked safety, safe motion and open safety,” Kowal says. “North America needs to catch up with networked safety, especially safe motion as applied to machines and robots. There are huge productivity gains to be had by not shutting down production lines and setting to safe mode, such as safe torque, force, speed, position, direction and operating envelope.”
Joey Stubbs, EtherCAT technical marketing for Beckhoff Automation, points to his company’s success with TwinSAFE and Functional Safety over EtherCAT (FSoE) safety standard. “These technologies allow a machine builder or end user to implement a SIL 3-rated safety system that communicates on the same EtherCAT fieldbus as the motors, drives, I/O and sensors without a separate safety network,” he says.
Network and machine safety are increasingly linked to security. Cybersecurity of industrial control systems (ICS) is very much a safety issue, Blodorn notes.
“Manufacturers and OEMs are starting to see the relationship between safety and security in the context of risk management,” says George Schuster, senior industry consultant for safety at Rockwell Automation.
As machine builders and end users communicate more about their risk management approaches, security and safety will likely begin to overlap more. For now, though, most point to separate conversations and separate points of responsibility. As security matures, it will be instrumental to maintaining manufacturing productivity.