And if you’re a manufacturer, the risks of exposure through security lapses—both physical and cyber—can outweigh any benefits inherent in a shop-floor-to-top-floor communications pipeline.
In other words, the paybacks that can be achieved by networking manufacturing plants to business offices and remote personnel—through modems, Web browsers, intranets and the Internet—can be wiped out in a single malicious attack.
How worried should you be? Many experts insist that the enemy is not at the gate; the enemy is through the gate and into our computer-based business and manufacturing platforms. Carnegie Mellon University, in its Computer Emergency Response Team statistics (CERT, www.cert.org), cites 137,529 total incidents reported in 2003, up from 3,734 in 1998.
In my travels these last few months to various industry events and user group meetings, I’ve heard automation professionals discuss their concerns about cybersecurity in manufacturing. While some are comfortable relying on the inherent security levels built into their distributed control systems, most are concerned with the risk of that one open modem into the plant.
Open to threats
Much of manufacturing’s exposure to cybersecurity threats has come about with the increased use of open systems built on de facto standard platforms, such as Microsoft Windows, and Commercial Off-the-Shelf (COTS) technologies for computers and networks.
Bill Moore, vice president with ARC Advisory Group, in Dedham, Mass., spoke of these risks in his keynote address at the recent Yokogawa User Group conference, held in New Orleans in May. In the past, automation systems were built on proprietary architectures, and users could count on “security by obscurity,” says Moore. With COTS, that’s no longer the case.
And while open technologies have been employed in automation for more than 10 years, it’s the combination of COTS with the Internet that causes vulnerabilities. Paradoxically, it’s this same combination that holds the most promise for continued productivity improvements and better decision making in manufacturing. As Moore says, “There’s no turning back now.”
Moore advises manufacturers to contact several sources for advice on cybersecurity. One source is the international standards community, which develops standards such as ISO 17799. The International Standards Organization (www.iso.org) calls it a “code of practice for information security management.”
A second source of information is industry groups, such as the Chemical Industry Data Exchange (CIDX, www.cidx.org). The CIDX cybersecurity initiative establishes best practices for the chemical industry and encourages technology and solution development.
A third source of information comes from national and international government organizations, such as the National Cyber Security Division (NCSD, www.dhs.gov), which was created under the U.S. Department of Homeland Security in June 2003.
It was a case of government meets industry when the Director of the NCSD, Amit Yoran, addressed chemical manufacturing professionals at the CIDX General Meeting, also held in New Orleans this past May. Yoran’s talk focused on near-term tactical methods the government has put in place—such as a national cyber alert system—and long-term research to change how the country approaches cybersecurity. “In the past, it’s been a cat-and-mouse game of catch-up and patches,” says Yoran. “We need to provide the private sector with the economic justification to invest in cybersecurity solutions.”
Manufacturers already understand the economic justification. Let’s make sure we have the information security solutions in place to minimize vulnerability while maximizing the use of cyber tools to improve productivity and decision making.