IT in Manufacturing


Implementing industrial-grade cybersecurity

November 2023 IT in Manufacturing

Industrial automation platforms have moved beyond delivering basic functionality, and are now being tasked with significant industrial IIoT data aggregation and analytical functions. Every device is becoming smarter and more interconnected than ever before, and the available data is valuable, but must be available where and when it is needed. To realise maximum value, seamless and transparent connectivity is needed from the plant floor to the cloud. The internet and higher-level enterprise computing resources are instrumental in transmitting and processing data.

How we got here

Cybersecurity concerns surrounding industrial automation systems are exacerbated by the intersection of many past decisions. While digital assets have been implemented within industry for over three decades, only recently did cybersecurity become an equal or greater concern than basic functionality. In fact, when the earliest devices were deployed there really weren’t any cybersecurity practices in place. The greatest protection considered at that time was to isolate these devices, creating islands of automation that were relatively difficult to access from a physical perspective, and which lacked widespread accessibility via networking. This was a secure design approach at the time based on available technologies, but is unacceptable for meeting modern business needs.

While newer installations and retrofits have some opportunity to use more secure digital devices, the reality is that many older and insecure assets remain in service for decades without any security updates, and sometimes without any available support. Meanwhile, cyber-threats have accelerated in both quantity and sophistication. With wireless networks and USB devices, physical isolation is simply no longer feasible. Isolation is in direct conflict with the need for comprehensive and legitimate access to all types of industrial digital devices, especially as these devices gain significant intelligence and can supply valuable data.

Recognising the need for cybersecurity is imperative, but simply adding cybersecurity to existing devices is not a complete answer, because it is a bit like adding a locked steel door to a cardboard box to keep unwanted intruders away from the contents. Because many protocols and devices at the very fundamental levels of OT systems were designed without security in mind, and they lack the most basic of cyber-defence mechanisms, no amount of patching can fix them. Cybersecurity provisions must instead be built in to provide the necessary defence-in-depth.

Why some cybersecurity schemes are problematic

Efforts to incorporate cybersecurity have progressively improved over the years. Sometimes suppliers have tried their own tactics, but because the commercial IT arena maintained a significant headstart in the field, most of the best approaches have trickled down from this sector. In fact, custom or proprietary measures can be less secure than those based on open standards, which typically originated in IT.

In some cases, device vendors have implemented cybersecurity using a proprietary chipset associated with their own firmware. Proprietary elements are not open to easy inspection by industry experts, and remain at an ongoing risk of being compromised by malicious persons. Once in-house companies develop cybersecurity firmware, they must commit to curating and updating this firmware continually so that affected products remain secure. This means they must shoulder all the burden of finding vulnerabilities and fixing issues, without the community verifying solutions and providing assistance. Outdated hardware is nearly impossible to remedy without complete device replacement, and running with old firmware also introduces unacceptable vulnerabilities by failing to address the latest types of attacks.

Another more nefarious issue regarding proprietary cybersecurity provisions is that the provider must also establish protective measures when security updates are deployed. Even if the cybersecurity hardware and firmware plan is viable, attackers with sufficient skills can develop ways to create their own modified firmware, which becomes deployed and opens the door for hacking. In some cases, users are unable to trust any future firmware upgrades, but upgrades are needed to provide protection against newer threats. Although it may seem non-intuitive, open standards provide a more secure approach.

Open standards reduce risks

While some industrial suppliers have pursued proprietary hashing algorithms and other methods, a better solution for industry is to follow the proven and massively deployed best practices of the commercial IT sector. This has a far larger installed base of digital devices than the industrial world. OT designs can leverage the best of what the IT world has developed, and also learn from their mistakes.

For example, a few industrial suppliers offer all firmware and software applications via a curated repository, so qualified users have easy access. Each of these software packages is digitally encrypted and signed using industry standard strategies and open standards, including public and private keys. In this way they are utilising proven secure methods to deliver important updates to customers, leveraging the best of what has proved to work.

With open tools placed in the user’s hands, design and support personnel are set up for success. They can always download the latest software, confirm it is digitally verified, and install it on the target device or their computer. It is also possible to confirm that the proper digitally-verified version is on a target device like a PLC/PAC or an edge controller, so users can audit their site, instead of continuing to run on outdated versions for years because they fear updating their system.

Note that there is a difference between encryption and cybersecurity. Encryption in this case involves the delivery method, which serves to ensure the right firmware/software is obtained. Once this is in place, users can install it and benefit from having the latest secure version in operation. Cybersecurity is a much wider topic, with encryption as a subset.

Search out more defence layers

Users should look for industrial platforms that have incorporated other open and standard cybersecurity technologies as they pursue a complete defence-in-depth approach for their projects. For example, some industrial platforms use Trusted Platform Module (TPM), which has a dedicated microcontroller onboard to perform cryptographic and authentication tasks. This can address security at all levels, making things as secure as possible, while still providing the functionality customers need.

Secure Boot can also be incorporated into digital devices. This checks that the boot loader and all associated software images are signed with a cryptographic key authorised by the product vendor. Secure Boot is a security standard developed by the PC industry and used by the Unified Extensible Firmware Interface (UEFI) in conjunction with a device’s BIOS. It prevents devices from being hijacked by malicious actors, or modified to provide covert access.

Developers, and especially OEMs, will want to make sure their industrial automation and computing platforms offer encrypted passwords, and the ability to lock and encrypt applications developed on those platforms. This is partly to protect intellectual property and prevent unauthorised changes in the field; but effective passwords and application locking also serve as additional cybersecurity layers, preventing them from being modified by unauthorised individuals. Similarly, when automation products need to communicate amongst each other or with higher level computing resources, encrypted industrial communication protocols such as OPC-UA Secure are preferred.

Design practices and procedures represent an important aspect of cybersecure systems. Leading automation providers will test their products to ensure they can withstand cybersecurity threats. Designers should comply with widely accepted industry standards such as ISA/IEC 62443, which defines the requirements and processes involved with implementing and maintaining cybersecure industrial automation and control systems. Proactive users will audit their installations to confirm ongoing performance of their installations.

Achieving secure-by-design solutions

Secure connectivity from the plant floor to the cloud is no longer a nicety for industrial automation and data processing systems, it is an imperative. Traditional OT products simply were not built to deliver the level of cybersecurity which must accompany this expanded connectivity. Malicious actors are increasingly targeting OT environments for a wide variety of reasons, and industry must be prepared. Add-on cybersecurity, or worse yet, ineffectively created custom cybersecurity, leaves operational facilities vulnerable to attacks that can cripple production, cost a great deal of money, and even introduce safety and environmental hazards.

Open standards, especially those developed and leveraged from the large base of IT technologies, provide the best answer for the OT industry. Developers need to build their automation solutions based on these types of standards, using industry-leading products with key security features built in. Examples are digitally signed and encrypted firmware/software, secure boot, and encrypted passwords/applications. By following a robust, tiered approach, developers and OEMs can provide the best possible cybersecurity for their automation and IIoT solutions.


Credit(s)



Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

SA Food Review
IT in Manufacturing
Food Review is a monthly trade journal for South Africa’s food and beverage manufacturing industry, for industry professionals seeking detailed information on trends, technologies, best practices and innovations.

Read more...
Keeping an eye on oil consumption with moneo
ifm - South Africa IT in Manufacturing
Manufacturing companies in the metal industry need oils and other fluids that are consumed by their machines. To make this consumption transparent and to establish a link to the ERP system, Arnold Umformtechnik relies on the IIoT platform, moneo, in combination with the SAP-based software solution Shop Floor Integration (SFI) – both from ifm.

Read more...
AI accelerates energy transformation
RJ Connect IT in Manufacturing
With the rapid expansion of generative AI applications, data centre power demand is reaching unprecedented levels.

Read more...
Revolutionising mining operations with MineOptimize
IT in Manufacturing
Now more than ever, mining and mineral processing companies need to boost productivity, ensure safety, and protect the environment. ABB’s comprehensive electrification, automation and digital solutions portfolio is ideally positioned to meet these challenges across all mining processes, from mine to port, transforming performance in a digital world.

Read more...
Buildings in Africa’s urban evolution
Schneider Electric South Africa IT in Manufacturing
Africa is now an urban continent. How does the continent mobilise to accommodate urban dwellers and maintain and implement critical infrastructure that allows for this expansion? Building management systems provide a tangible solution to optimise resource use, lower operations costs and ultimately contribute to a growing continent that also employs green practices.

Read more...
TwinCAT Vision functionality extended
Beckhoff Automation IT in Manufacturing
The image processing and camera integration capabilities of Beckhoff’s TwinCAT 3 Vision software have been expanded.

Read more...
Automation software to future-proof your operations
Adroit Technologies IT in Manufacturing
As the official partner of Mitsubishi Electric Factory Automation, Adroit Technologies empowers businesses with cutting-edge solutions that reduce costs, improve quality and increase productivity.

Read more...
Siemens automation portfolio, your bridge to the industrial metaverse
Siemens South Africa IT in Manufacturing
Step into the future with Siemens’ automation portfolio, your bridge to the industrial metaverse. Our cutting-edge solutions integrate AI, digital twins and real-time simulation, driving smarter, more efficient production.

Read more...
Transform your manufacturing efficiency
TransLution Software IT in Manufacturing
MÄDLER offers a wide range of gears in various materials, modules and designs, available directly from stock.

Read more...
Prevent cyber attacks
RJ Connect IT in Manufacturing
The EDR-G9010 Series delivers advanced industrial networking with multi-port secure routing, firewall/NAT/VPN, and managed Layer 2 switching.

Read more...