Industrial organizations are operating in ways they scarcely could have imagined a few decades ago. They are converging historically separate information technology (IT) and operations technology (OT) systems, and using mobile, analytics and cloud connectivity to increase collaboration and information sharing. This significantly improves operations, but it also creates substantially more entry points for security threats. The challenge of security is compounded by the growing sophistication of the hacking community.
Rockwell Automation began its own security assessment last year, and they turned the result of their analysis into a plan for securing facilities from individual equipment up to the cloud connectivity. “In 2016, we began discussions about protecting our assets. We wanted to create a security office similar to what Boeing and Airbus have. The goal was to protect our customers and our assets,” Lee Lane, chief product security officer at Rockwell Automation, told Design News. “We looked at security from a network point of view, and then we realized that the network isn’t the only way to attack an industrial system. As a result, we looked at the entire system, from individual aspects up to the cloud.”
In creating a security plan, Rockwell developed a three-step approach for building an industrial security program that extends from the enterprise to the plant level, and helps mitigate risk across people, processes and technology. The three steps include:
Step One: Conduct a security assessment -- Conduct a facility-wide assessment to understand risk areas and potential threats.
On this point, Lane explained that facility managers need to assess the potential risks from a security breach and develop plans accordingly. “This should make sense to anyone in security. What are you’re trying to protect? It’s the most important step: what do you have and what do you need to secure?,” said Lane. “You have to classify your assets by how important each one is. If you have molten steel coming in and you have a security breach, you’d need to know where the breach is it and what kind of damage it could do.”
|Check out the session on Turning Data into Information Every Part of the Supply Chain Can Use at the Advanced Design & Manufacturing , March 29-30, 2017, in Cleveland. The coference offers a wide range of sessions on the latest developments in automation and control. Register today!|
Once the assets are identified and classified by risk, then the security solutions can be developed to specifically address each asset and its risk. “What type of security do you want around it? You want to secure everything, but you have to classify what it is and what type of action you would take if it were breached,” said Lane. “Plants practice what would happen if there were a safety problem, but they do little on the security side.”
Step Two: Defense-in-depth security -- Deploy a multilayered security approach that establishes multiple tiers of defense.
Lanes notes that security is more than just networks. Even air-gapped equipment can be breached when it’s connected to an employee’s laptop. “The multi-layered approach to security doesn’t comes just from Rockwell. It comes from the Homeland Security Department. You have to look at everything, including physical security. You have to look at it from the device level,” said Lane. “Disaster recovery needs to be part of it. What would you do if this or that were breached? You should know what you have to do before something happens. That’s the most important thing we ask during an assessment.”
Step Three: Use only trusted vendors -- Verify that your automation vendors follow core security principles when designing their products.
The vendor community can be a risk for industrial facilities. When a vendor deploys software, does the vendor also open a potential vulnerability? “We have to get people to start asking their vendors more questions about security. You have to measure vendors on more than just their ability to deliver throughput, quality, and up-time,” said Lane. “The vendor question is: do they have a product security officer? What does your vendor do when there is a security flaw? How often do they alert people?”
Understanding the vendor’s approach to security is critical to your facility’s security. “You can’t build a system nobody can get into. You want to work with a vendor that will work with you if something comes up,” said Lane. “Facility managers ask their vendors about whether there’s a firewall, but that’s not enough. You have to do the research on your vendors. One company was bragging about its air-gapped security. I asked how many contractors came by in a given week. There were dozens, and any of them could have used a laptop or stick to check equipment.”
Rob Spiegel has covered automation and control for 17 years, 15 of them for Design News. Other topics he has covered include supply chain technology, alternative energy, and cyber security. For 10 years he was owner and publisher of the food magazine Chile Pepper.
(Images courtesy of Rockwell Automation)