Large-scale networking for monitoring and control has resulted in significant productivity and quality improvements in process and manufacturing operations. But, complex networking brings vulnerabilities that can be exploited, causing malfunctions, production delays, safety issues, equipment damage and major loss of revenues.
Most automation products and systems, such as PLCs and RTUs, have been optimised for real-time I/O performance, not for secure networking. They typically have no isolation between different sub-systems; if a problem occurs in one area, it can quickly spread throughout the network. In many cases, operating personnel have few tools to isolate and identify the source of problems, which may lead to lengthy shutdowns. Often, new vulnerabilities are discovered at rates that make it hard for security developers to keep up.
In spite of apprehensions over the impacts of Stuxnet and similar security breach events, industrial cyber security has mostly been ignored due to the lack of understanding of solution costs. Beyond more news-worthy cyber attacks on commercial businesses, industrial incidence rates have been relatively low.
But the risks keep increasing, with growing threats from professional hackers, foreign based competitors and perhaps even foreign governments. For many, industrial security is still in the insurance policy category. Many simply elect to take the risk.
Here are some key cyber security questions to consider:
* Extended use of wireless equipment and mobile devices (laptops, iPhones, iPads) for network access creates new targets for smart snooping and security attacks.
* Virtualisation in industrial environments brings new vulnerabilities that have not been adequately addressed yet.
* Rapidly increasing use of cloud services with undetermined security issues.
* Social media information provides new mechanisms for network penetration. Outsiders can gain access into private systems by gathering company details to send e-mails that include malware attachments.
Suppliers’ perspectives
For automation and motion control suppliers, systems must be designed with cyber security in mind. They need to recognise that the objective of good security is not to anticipate every possible type of attack, but to make systems harder to compromise, particularly at entry points.
Excellent technology exists, but what is lacking is an understanding of cyber security as a competitive, revenue-generating advantage. Instead of including security technology in the cost of up-front product development that offers differentiated advantages and benefits, many suppliers consider cyber security as an after-the-incident service revenue generator.
On the international front, China is generating good growth and the automation majors are making security a priority in that market arena. However, some consider that security is not a problem because their systems operate with closed networks. This is simply avoiding the issue and typically a fix is offered after vulnerability is discovered.
More recently, standards are emerging. This drives many of the larger players into offering, at minimum, a firewall as an option. Many are starting to think about embedded solutions.
The mindset that security is just an add-on needs to be curtailed; it is not that simple. Security is a vital part of any manufacturer’s way of operating today.
Suppliers react to what customers want. End-users must demand that suppliers offer more security in their platforms; if they do not demand it, they will not get it.
Here are some security equipment trends:
* Cyber security technology embedded in network switches and routers, as well as in automation system vendors’ products.
* A wide range of hardware platforms for cyber security field devices, ranging in size from postage stamp dimensions to large rack-mount units.
* Self-learning firewalls that provide barriers to penetration.
* Plant floor encryption systems such as Virtual Private LAN Services (VPLS).
* Encryption technology migrating from the WAN to the plant floor, modified for industrial systems.
* The use of embedded IP cameras on mobile equipment, for individual image recognition before access is allowed.
Many companies struggle to justify what is seen as added cost to secure their operation. In today’s competitive, cost cutting environment, using traditional return on investment calculations does not seem to work. But consider this: If your system does not have an event then security is an added cost; if you do, it can be priceless.
Jim Pinto is an industry analyst and commentator, writer, technology futurist and angel investor. His popular e-mail newsletter, JimPinto.com eNews, is widely read (with direct circulation of about 7000 and web-readership of two to three times that number). His areas of interest are technology futures, marketing and business strategies for a fast-changing environment, and industrial automation with a slant towards technology trends.
© Technews Publishing (Pty) Ltd | All Rights Reserved
printer friendly version