Byres’ experience reveals the problem is not one of “terrorists and kiddy hackers. This is a problem about organized crime and the safety of your systems,” he declares.
To combat those cyber-criminals, Byres suggests a multi-step process, beginning with problem identification. “Too many senior management don’t see this as a real issue,” he asserts. “The crown jewels of any company are its manufacturing assets. But people don’t give resources to the most important things in the company.”
Know the system
That failure derives from management’s lack of knowledge, he says, especially not understanding resources such as programmable logic controllers (PLCs) or, generally, controls systems. For instance, go into a company’s offices and check the receptionist’s desktop personal computer (PC), Byres suggests. “You will find it has anti-virus software, patch management, an encryption system and a firewall. The IT department will have that thing nailed to the floor.”
But walk out of the lobby into the manufacturing space and you’ll find something totally different, Byres predicts. “There’s a PLC running a major piece of equipment—and I guarantee you’ll find very little security protection,” he notes. Some of the better plants, such as those operated by major oil companies, will provide the same level of protection for plant-floor PCs as they do for the receptionist’s PC, Byres allows. But what he sees in many plants are PCs with no security on them, not to mention PLCs that are totally unprotected.
So how does the control system get exposed to attackers? One example he gives is having the control network connected to the business network, which then is exposed to the Internet. “Or someone working at home, doing [remote] maintenance via their home computer, like a VPN (virtual private network), and their machine is exposed to the network.”
What drives better security is manufacturing taking responsibility for itself, he thinks. But “without senior management support, you’re sunk.” With that support, though, what’s next? “Form a team with IT.” Next? “Know what equipment you have—and its vulnerability and risk,” recommends Byres, who defines vulnerability as weakness or flaws in system that cause risk, which he also defines as the probability a certain event with a certain consequence will occur.
Then lay out security targets. “What do you want to achieve?” While Byres believes 100 percent security is unachievable, he urges formulating what’s acceptable. Calling this network-security process “exactly the same as safety management,” he observes that, “if you can’t tell me what’s running on your control network, then there’s no way you can assure me you’ve got a safe, reliable plant.”
After setting targets, establish policies and technologies. “You have to change people’s behavior,” Byres remarks. Then comes implementation. And that demands that companies have to change security to make it work for people, not the other way around. “We have to change technology to make it understandable and accessible to the control engineers and technicians,” Byres says.
The last action is to close the control loop and monitor what’s been built, and then put that feedback into a continuous improvement loop. Why? “Hackers and virus writers are certainly continuously improving their product,” Byres observes, so manufacturers had better do the same.
C. Kenna Amos, firstname.lastname@example.org, is an Automation World Contributing Editor.