Rockwell Automation University 2017 was held at Emperors Palace from 17-18 May, just days after the massive coordinated ransomware attack that struck in about 100 countries around the world, hobbling organisations the size of England’s National Health Service. At the event press conference, we journalists were well primed then for the message from MD, Barry Elliot and business manager for control systems, Christo Buys, that cybersecurity awareness in an industrial context is no longer an optional nice-to-have – it is an absolute essential.
The root cause of the increased vulnerability is the convergence of the traditionally separate domains of information technology (IT) and operations technology (OT). While this can significantly improve operational effectiveness, each new connection brings with it a potential new threat – not just to the device, but also to the system with which it connects.
To counteract this, Rockwell Automation has devised a three-step approach for building an industrial security programme that extends from the enterprise level right down to the plant floor.
Firstly, a facility-wide security assessment must be conducted to define the risk areas and identify the potential threats. Once this is done, a multi-layered defence-in-depth (DiD) security approach should be considered, which establishes multiple tiers of protection across the plant. Thirdly, all the organisations’ automation vendors should be verified to ensure they are adhering to good security principles in the design of their products.
A DiD approach is recommended because these days, with the sophisticated hacking toolkits that are freely available, defeating a security strategy based on a single point of protection can be relatively easy for an experienced ‘black hat’. Therefore, the idea is to implement multiple layers of protection – physical, electronic and procedural – as separate instances in the facility, in order to apply the most appropriate controls for the different types of risk.
According to Buys, a good security programme is 20% technology and 80% process and procedure. “We think of industrial security as a layered model and seek to create a unified holistic infrastructure for our customers,” he explained. “Our approach takes into account the connections between network security, as well as the physical security and safety in industrial areas.”
Stuxnet was perhaps the event that catapulted the cyber threat to industrial facilities into the global spotlight back in 2010. And, while there has been nothing as sophisticated as that since, (leaving one to ponder on who could possibly benefit from the destruction of a uranium enrichment facility in Iran), there have been many other less sophisticated, but equally successful, incidents. The Night Dragon attacks, rumoured to have originated in China, which targeted the intellectual property of major oil and gas companies on a global scale is one that comes to mind.
“Now that it has started, the cybersecurity threat to industrial organisations will continue to evolve,” concluded Buys as the press conference drew to a close. “To keep pace, the response from the manufacturing sector needs to evolve even faster to stay ahead of the changing threat landscape. Following the three-step approach will assist organisations to establish a programme that can help protect intellectual property, facilities and competitive advantages as the era of interconnectedness that is Industrie 4.0 continues to unfold.”
An e-book outlining the three-step approach in more detail is available from Rockwell Automation at https://tinyurl.com/y9fe357a
Industry guide
Posted with the magazine this month is the 2017 edition of the Technews Industry Guide: Industrial Internet of Things. The Fourth Industrial Revolution, aka Industrie 4.0 or the IIoT, is the convergence of cyber and physical systems that in its entirety could impact many facets of manufacturing, operations and process management. Underneath all the marketing hyperbole that surrounds it, there are some very real benefits to be had. We trust this handbook will help you differentiate the fantasy from the reality.
Steven Meyer
Editor: SA Instrumentation & Control
| Tel: | +27 11 543 5800 |
| Email: | [email protected] |
| www: | www.technews.co.za |
| Articles: | More information and articles about Technews Publishing (SA Instrumentation & Control) |
© Technews Publishing (Pty) Ltd | All Rights Reserved
printer friendly version