Cyber-security enables more intelligent automation
Cyber-security is becoming increasingly prominent in automation. It is noteworthy that technical solutions can only remove 33% of all security threats and that two out of three attacks originate from within our own organizations. A firewall cannot prevent an attack if malware is installed directly on the target on-site. How can and should cyber-security be handled, and what does the future hold?
The cyber-security mind-set combines information security, continuity management and societal crisis preparedness. As a concept, it covers the so-called digital world, which is connected to physical-world practices and to society as a whole, where individual actions and human error are an additional challenge.
Cyber-security can be divided into three different levels: strategic, operative and technical.
At the strategic level, the company creates a cyber-security strategy that defines the actions that have a significant effect on performance. Actions that are greatly cyber-dependent can then be identified. Resources can thereafter be allocated to secure these critical actions and ensure that the residual risk is acceptable. It will then, for example, be possible to insure the residual risk.
The operative level directs the strategy towards real actions, and the technical level implements the technical actions according to the strategy. It is, then, important that cyber-security is managed and influenced by corporate management as a strategy. Management needs to work closely with the ICT department and ICT solutions must be based on management-defined strategic goals.
Taking cyber-security into account in automation
In automation, cyber-security is created through the chosen solutions. Equipment must be reliable and from known operators. Cyber-security concerns all “intelligence” connected to the network or channel.
The creation of a new automation network, or the expansion of an existing one, must proceed in phases so that cyber-security is observed. Work must always begin with a risk assessment to determine the cyber-security risks of the automation system. After this, the company’s cyber-security strategy, if one exists, comes into play, along with how that strategy is taken into account in the design or expansion of the automation system.
On the technical side, the network must be segmented correctly and sensibly (DMZ, isolated segments, etc.) while defining which access is allowed to and from the company network and other (external) networks. Equipment security surveys are an important part of cyber-security. An inspection of each piece of equipment, networked or not, records its identifier, type and description as well as its passwords. The passwords should be strong, and the equipment password list must be kept in a secure location. In addition, the possibility of replacing old devices with new ones must be investigated.
In many cases, industrial networks are completely disconnected from the Internet, which means they can only be accessed on-site. Even then, the risk of a virus being installed on an on-site computer remains, whether on purpose or by accident. This is where “hardening” a computer helps. Not all automation networks are, however, entirely disconnected from the Internet. Inspecting firewall configurations is integral to finding out whether unnecessary traffic has been blocked and default settings changed appropriately. In a worst-case scenario, routers and firewalls may have been left in “nearly default” settings, with rules for devices that have since been removed still in place.
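As an added example (not part of the original article), the following Python script performs the kind of inspection described above over a constructed equipment inventory and firewall rule set: it flags allow rules that still reference a host missing from the inventory, wildcard allow rules left in near-default settings, and, assuming a policy that the office network may reach the control segment only through the DMZ, allow rules that bypass it. All addresses, names and the DMZ-only policy are assumptions.

```python
import ipaddress

# Constructed sample data (no real plant): an equipment inventory as produced by
# an equipment security survey, and the firewall rule set between the office
# network (assumed 10.20.0.0/16) and the control segment.
INVENTORY = [
    {"id": "PLC-01", "type": "PLC", "desc": "Line 1 controller", "addr": "10.10.1.10"},
    {"id": "HMI-01", "type": "HMI", "desc": "Line 1 operator panel", "addr": "10.10.1.20"},
    {"id": "HIST-01", "type": "Historian", "desc": "DMZ historian", "addr": "10.10.2.5"},
]
RULES = [
    {"name": "office-to-historian", "src": "10.20.0.0/16", "dst": "10.10.2.5", "port": 443, "action": "allow"},
    # 10.10.1.30 was a PLC that has since been removed from the inventory.
    {"name": "vendor-laptop", "src": "10.20.5.77", "dst": "10.10.1.30", "port": 502, "action": "allow"},
    # Wildcard rule typical of a router left in "nearly default" settings.
    {"name": "default-allow", "src": "any", "dst": "any", "port": "any", "action": "allow"},
    {"name": "deny-rest", "src": "any", "dst": "any", "port": "any", "action": "deny"},
]
CONTROL_SEGMENT = ipaddress.ip_network("10.10.1.0/24")  # assumed isolated PLC/HMI segment

def _is_single_host(value):
    """True for a plain address such as 10.10.1.30; False for 'any' or a prefix."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _inside(value, net):
    # True when a host or prefix lies entirely inside net; 'any' never does.
    return value != "any" and ipaddress.ip_network(value, strict=False).subnet_of(net)

def audit_rules(rules, inventory, control_segment):
    """Return (rule name, finding) pairs for allow rules that need attention."""
    known = {dev["addr"] for dev in inventory}
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        if rule["src"] == "any" and rule["dst"] == "any":
            findings.append((rule["name"], "allow any->any: near-default rule"))
        for side in ("src", "dst"):
            addr = rule[side]
            if _is_single_host(addr) and addr not in known:
                findings.append((rule["name"], f"{side} {addr} not in inventory: removed device?"))
        if _inside(rule["dst"], control_segment) and not _inside(rule["src"], control_segment):
            findings.append((rule["name"], "direct access into control segment, bypassing the DMZ"))
    return findings
```

Running `audit_rules(RULES, INVENTORY, CONTROL_SEGMENT)` reports the stale vendor-laptop rule three times (unknown source, unknown destination, DMZ bypass) and the wildcard allow rule once; the historian rule passes.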
In many cases, it is necessary to access an automation system from the outside. Remote access is provided with industrial-grade VPN equipment. The devices contain a firewall and a VPN server. A static IP address or dynamic DNS is required and the use of an Industrial VPN Appliance rather than a cloud-based remote connectivity service is recommended.
The design must also take physical information security into account: access restrictions, disposal of sensitive papers, locking doors, etc. If necessary, a training session on proper use of the system can be held as part of the delivery.
Usability is an integral part of cyber-security and is also connected to physical information security. If a device becomes overly difficult to use because of security measures, that difficulty can itself constitute a cyber-security risk. If a device’s user experience is poor, it may be misused or used in a less secure way. An example of this is writing down complicated, frequently changed passwords on a post-it note next to the device.
Manufacturing execution systems (MES)
Manufacturing execution systems add intelligence to manufacturing execution and optimisation. Intelligent field devices that are connected to an industrial-grade system with remote access require a secure framework to ensure their functionality. There is a large amount of information that can be gathered from the manufacturing process and that creates the possibility for, among other things, industrial espionage.
When discussing mobile devices, the term “fleet management” is often used. Workstations maintain a connection to a server that gathers a host of information and creates reports on, for example, working hours, machine location and working condition.
Storing information (Big Data)
As MES and Fleet Management solutions become more common, it will be increasingly important to gather data. Over 99% of data is stored in digital format and the amount of stored data is constantly growing. As the Internet of Things (IoT) expands, intelligence is distributed ever further and linked via the Internet. Smart devices communicate with host machines, which increases the amount of gathered information. Raw data can be used to gather information and draw conclusions on cost efficiency, among other things. Some examples include actions related to preventive maintenance, such as measurements of bearing temperature or abnormal vibrations in a device.
As the amount of data grows, more attention will certainly have to be paid to data integrity and confidentiality. In the future, data itself, and the refining of “raw data” into a useful format, will become a commodity. As this happens, it is paramount that the information is correct and unmodified.
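As an added example, not from the article, the following Python code shows one way to keep gathered raw data verifiably unmodified: each field-device reading carries an HMAC-SHA256 tag, the host rejects records whose content was changed after signing, and sequence numbers reveal dropped or replayed records. The device name, readings and key are constructed placeholders.

```python
import hashlib
import hmac
import json

# Placeholder key for the example; a real deployment provisions one key per
# field device and keeps it outside the data store it protects.
DEVICE_KEY = b"example-key-for-PLC-01"

# Constructed bearing-temperature readings from one field device.
READINGS = [
    {"device": "PLC-01", "seq": 1, "ts": "2024-01-01T08:00:00Z", "bearing_temp_c": 58.0},
    {"device": "PLC-01", "seq": 2, "ts": "2024-01-01T08:01:00Z", "bearing_temp_c": 71.5},
    {"device": "PLC-01", "seq": 3, "ts": "2024-01-01T08:02:00Z", "bearing_temp_c": 74.2},
]

def _canonical(record):
    # Deterministic byte form so the device and the host MAC identical input.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def sign_record(record, key=DEVICE_KEY):
    """Device side: attach an HMAC-SHA256 tag computed over every field."""
    tag = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return {**record, "mac": tag}

def verify_record(signed, key=DEVICE_KEY):
    """Host side: recompute the tag and compare it in constant time."""
    body = {k: v for k, v in signed.items() if k != "mac"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed.get("mac", ""))

def verify_stream(records, key=DEVICE_KEY):
    """Classify each record: ok, bad_mac (altered after signing) or seq_mismatch (dropped/replayed)."""
    results = []
    expected_seq = None
    for rec in records:
        if not verify_record(rec, key):
            status = "bad_mac"
        elif expected_seq is not None and rec["seq"] != expected_seq:
            status = "seq_mismatch"
        else:
            status = "ok"
        results.append((rec["seq"], status))
        expected_seq = rec["seq"] + 1
    return results

def tampered_copy(signed_records):
    """Constructed in-transit change: the hot reading is lowered so the bearing looks healthy."""
    altered = [dict(r) for r in signed_records]
    altered[1]["bearing_temp_c"] = 40.0
    return altered
```

Signing `READINGS` and verifying the result yields all "ok"; the tampered copy fails on record 2 with "bad_mac", and a stream missing record 2 flags record 3 with "seq_mismatch".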
Author: Juhani Kääriänen