IT in Manufacturing


Treating security like safety

October 2014 IT in Manufacturing

Safety and security work hand in hand in the manufacturing automation arena.

However, despite more and more sophisticated, frequent and costly cyber attacks, security still does not receive the same attention as safety. There is a growing need to elevate security awareness to the same level as safety – ensuring not only a safe, but also a secure manufacturing environment.

Security awareness

Let’s face it – security awareness today suffers from an identity crisis at manufacturing facilities across the globe. Big, small or anything in between, there is a general lack of understanding of security best practices.

With reported cyber attacks growing by 600% since 2010, according to NSS Labs, security awareness amongst manufacturing organisations needs to grow to the point where best practices end up ingrained in workers’ minds. That only makes sense as safety protects man against machines, while security protects machines against man.

Well-known within security circles, cyber security awareness in the manufacturing enterprise remains nascent and needs to bust out and go mainstream within each organisation.

But where does that awareness begin and how can a manufacturer get started on the journey toward security?

A decade ago when most systems and business networks remained isolated from one another security was relatively simple. The enterprise stayed connected to the Internet, but focused on keeping its network up, running and protected, while process control and safety systems remained isolated and really did not have to worry about web connections.

However, in the name of progress and efficiency, over time the two networks became interconnected – a true sensor to boardroom communication. By the early 2000s, and especially after September 11, 2001, security professionals saw that safety systems and the control network, previously unguarded from any kind of security measures, needed protection. But getting industry leaders to understand and grasp that concept was akin to rolling a boulder up hill.

Stronger safety emphasis

The idea of safety, on the other hand, generated a strong following especially after the disaster in Bhopal, India when a methyl isocyanate gas leak at the Union Carbide pesticide plant left 3787 dead and 558 125 injured.

In the years since Bhopal, process safety gained corporate importance and all manufacturers understood and respected all safety initiatives. Yes, manufacturers had to look at cost, but it was imperative that companies targeted safety. ‘Safety First’ initiatives began in full force.

Process safety programs focus on design and engineering of facilities, maintenance of equipment, effective alarms, effective control points, procedures and training. It was, and still remains, a vital area to protect a company, its people and the surrounding area from any kind of potential disaster.

When it comes to safety, in order to contain a complex process, a manufacturer must design and implement management systems to:

* Understand the risk, which involves predicting problems, including predicting the risk of possible accident/loss scenarios, establish the appropriate design and the right layers of protection to control risk to a tolerable level.

* Control risk factors every day, which involves controlling the original design by maintaining the established layers of protection and managing changes to the design using integrated management systems.

* Analyse actual problems and determine weaknesses in the system, which involves identifying weaknesses in design and management systems and weaknesses in risk understanding through root cause analysis of actual problems (losses and near-losses).

Lagging security adoption

At a basic level, security follows those same set of guidelines. Why, then, are more organisations not implementing security into their daily mindset as they are safety? Some of the top internal reasons are: people, training, no real corporate mandate and no business return on investment.

With security being the new kid on the block for process control, getting people to embrace how to integrate security into their everyday work life is an ongoing education process. Teaching workers not to plug a thumb drive into a computer before checking to make sure it is free of any virus is just one example.

To talk security, there must be a solid business proposition behind why a manufacturer would decide to make the investment. Bringing the idea up to the executive suite that security is more of a business enabler that keeps the network and system up and running and productive and not just an insurance policy is important to generate awareness and send a strong message out to the company. After all, security is going to be an ongoing expenditure, not a onetime expense. Initially, there needs to be a risk analysis; what do you need to protect, what is the cost, what is the risk? Then there needs to be a way to quantify those numbers to assess the true benefit.

One of the advantages safety has that is not as prevalent in security is the concept of levels. With safety you have a very clear definition of a safety integrity level. A system must meet SIL 1 where there is safety, but at a basic level, through SIL 2, SIL 3 to SIL 4, which is the most dependable. While with security, there is the security assurance levels (SL) but it is not as prevalent and not commonly used throughout the industry. Manufacturers are not yet demanding a security protection that guarantees an SL 3.

Essentially, SL 1 would protect against a casual or coincidental attack and SL 4 would protect against an intentional attack using sophisticated means and extended resources. There are several values of SL within a solution. There is a targeted SL, which is where the user wants to be. Then there is an actual SL which is the user’s current status based on the existing implementation. There is a maximum attained, which is the maximum attainable SL with your current technology. The ideal situation is your targeted SL and your actual SL end up equal. SL levels are a part of the ISA99 security standard specification, which the international industrial control committee defined and accepted.

The problem is an SL is harder to determine than a SIL because of the ever changing threat scenario. SL remains relatively new, however, and there will need to be some time for industry to let it marinate as the initiative becomes part of imbedded culture.

Raising awareness

Security protection is still in its infancy. But that does not mean the industry gets a free pass to ignore or hold off on securing its systems. The list of attacks and potential exposure goes on. Companies need to improve data security strategies against a greater variety of more sophisticated IT attacks or face an ever spiralling scenario of data losses, according to one KPMG report.

The risk is there for everyone, but by following a guide of best practices, mandatory personnel training and starting the task of undergoing risk assessments, manufacturers big and small can ward off intruders to keep their systems up and running so they can remain a profitable enterprise. The basic need for security is to:

* Increase plant safety.

* Reduce downtime.

* Reduce environmental and financial risk.

* Meet regulatory compliance.

* Connect the plant to the enterprise.

In the end, a manufacturer’s main goal is to make product and not deal with anything that throws them off track. That is why they have to demand security in the products they buy. They have to make those demands to force vendors to certify the products in an accepted standard, but be willing to pay extra for a more secure solution. After all, if a vendor invests in security for their products and no one will pay for it, then it will be a slow roll out. In safety, it is clear manufacturers will invest in higher safety compliant systems that have a SIL certified rating.

Security, like safety was, is a culture change. Technology must include security and people have to embrace it. Security must start at vendors and work its way through the product lifecycle and it has to continue once it gets up and running at the manufacturer. It is a huge job and the industry is moving in a positive direction, but there is a long way to go.

As Mike Baldi, chief cyber security architect at Honeywell Process Solutions says, “Safety requires investing in resources to achieve it. Security is exactly the same. Security takes money and people to manage it, to implement it and to verify it is working. It is an accepted practice for safety. It is becoming an accepted practice for security.”

For more information contact Boni Magudulela, Honeywell Southern Africa, +27 (0)11 695 8000, boni.magudulela@honeywell.com, www.honeywell.com





Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Bringing brownfield plants back to life
Schneider Electric South Africa IT in Manufacturing
Today’s brownfield plants are typically characterised by outdated equipment and processes, and face challenges ranging from inefficient operations to safety hazards. However, all is not lost, as these plants stand to gain a lot from digitalisation and automation.

Read more...
Faster access to device data
EPLAN Software IT in Manufacturing
Eplan eStock gives companies access to centralised device management in the Eplan Cloud, simplifying collaboration, and reducing coordination times and media discontinuities.

Read more...
Accurate and effective bearing replacement
SKF South Africa IT in Manufacturing
Each year, incorrect mounting is causing countless bearing failures. Overcoming this can deliver multiple benefits to owners and operators of rotating machinery, including reduced maintenance costs and fewer breakdowns.

Read more...
Comprehensive protection of the network
Phoenix Contact IT in Manufacturing
In recent years, the generation of data to create ever better transparency and control of production has become a decisive competitive factor. IIoT has also contributed to more manufacturing systems being connected to IT or cloud systems. This places higher demands on access security, which Phoenix Contact meets with the Secure Edge Box.

Read more...
Manufacturers should watch for these five trends
IT in Manufacturing
Over the last several years trends have emerged in manufacturing, realising significant advancements in machine-reliant assembly lines through to highly automated factories. As we look ahead, there are several key trends to watch.

Read more...
The role of technology in mining safety and environmental protection
IT in Manufacturing
Modern mining practices routinely integrate technology into workflows to improve operational efficiencies. AI can also play a role in managing employee health, decreasing safety risks, and managing the environmental footprint of mining and extractive industries.

Read more...
Design lubrication-free applications in seconds
igus IT in Manufacturing
igus has unveiled its point-and-shoot igusGO app, a cutting-edge solution that uses a mobile phone to photograph moving parts on equipment and immediately get information on a lubrication-free alternative.

Read more...
A guide to tackling your company’s e-waste challenges
IT in Manufacturing
In our digital age electronic devices are pervasive, and businesses cannot function without them. This has created a growing problem. When these devices reach the end of their lifespan, they need to be disposed of correctly, and not simply dumped into an ever-growing electronics graveyard.

Read more...
Machine safety, diagnostics and data security
Turck Banner Southern Africa IT in Manufacturing
Personnel safety systems on machines are often seen as a necessary evil. To function correctly, a safety device is required to be self-checking, which adds more complexity and costs compared to a non-safety device.

Read more...
SMOM – the future is here now
Iritron Editor's Choice IT in Manufacturing
In his presentation at the recent MESA Africa conference, Neels van der Walt, business development manager at Iritron, revealed the all-encompassing concept of smart mining operations management (SMOM), and why it is inextricably linked to the future of worldwide mining operations.

Read more...