More connected operations can mean increased security threats. Learn how a holistic approach to industrial security can help mitigate risks.
Manufacturing and industrial facilities are operating in ways they scarcely could have imagined a few decades ago. Greater connectivity and information sharing is significantly transforming companies and their operations. They’re converging IT and operations technology (OT) systems and using new technologies such as mobile, analytics, cloud and virtualisation to do more than ever before.
However, just as the nature of manufacturing and industrial operations has changed, so have the security risks. More connected operations can create more potential entrance points for security threats. These threats can come in many different forms — physical or digital, internal or external, malicious or unintentional.
As a result, industrial security must be holistic. It should extend from the enterprise through the plant level and even out to end devices, and address risks across people, processes and technologies. It should also involve collaboration between IT and OT personnel. Both sides have vital roles to play.
A Holistic Approach
Three key pieces of a holistic approach to security include:
1. Security assessment: conduct a facility-wide assessment to understand your risk areas and potential threats.
2. Defence-in-depth approach: deploy a multi-layered security approach that establishes multiple fronts and tiers of defence.
3. Trusted vendors: verify that your automation vendors follow core security principles when designing their products.
Developing and implementing an effective industrial security programme requires that you first understand the risks and areas of vulnerability that exist within your organisation.
A security assessment will help you understand your current security posture regarding your software, networks, control system, policies and procedures, and even employee behaviours. It should be the starting point for any security policy.
At a minimum, a security assessment should include the following:
• An inventory of authorised and unauthorised devices and software
• Detailed observation and documentation of system performance
• Identification of tolerance thresholds and risk/vulnerability indications
• Prioritisation of each vulnerability based on impact and exploitation potential
The final outcome of any security assessment should include a documented and actionable list of mitigation techniques required to bring an operation to an acceptable risk state.
Industrial security is best implemented as a complete system across your operations, and a defence-in-depth (DiD) security framework supports this approach. Based on the notion that any one point of protection can and likely will be defeated or breached, DiD security establishes multiple layers of protection through a combination of physical, electronic and procedural safeguards.
A defence-in-depth security approach consists of six main components including: defined policies and procedures, physical security, network infrastructure, computer/software, application, and device authentication and identification.
Your automation vendors are just as integral to helping you meet your security goals as they are your production, quality and safety goals. Before selecting vendors, request they disclose their security policies and practices. Consider if they follow five core security principles for designing products used in a control system. These principles include:
- A secure network infrastructure: vendors can help keep information in the automation layer secure and confidential. For example, embedded technology can validate and authenticate devices before they are granted access to a network.
- Authentication and policy management: company policies dictate data access levels for employees. Automation products can support these policies using access control lists to manage user access to devices and applications.
- Content protection: intellectual property is the lifeblood of your operations. Your automation solutions can help protect it by assigning passwords to routines and add-on instructions, and by using digital rights management to limit users’ ability to view and edit device data.
- Tamper detection: built-in tamper detection can detect any unauthorised system activity and alert the right personnel. It also can log key details, such as where the attempted intrusion took place, how it occurred and if anything was modified.
- Robustness: a robust vendor security approach includes providing security training to employees, using design-for-security development practices, and testing products to global security standards. It also includes conducting final security reviews before products are released, verifying processes stay current with standards and technologies, and having a plan in place to address vulnerabilities.
Security threats aren’t relenting. They will only continue to evolve as the industry changes its security practices or implements new defences. Your risk management strategy must keep pace, and should be ongoing, and evolve with or ahead of the changing threat landscape.
With the continual evolution of operations toward greater connectivity, the vastness of today’s security concerns can be daunting. The approaches outlined here can help align your company with best industry practices for protecting intellectual property, facilities, assets, employees and competitive advantages.
Learn more about Rockwell Automation Industrial Security Solutions.
About Rockwell Automation
Rockwell Automation Inc. (NYSE: ROK), the world’s largest company dedicated to industrial automation and information, makes its customers more productive and the world more sustainable. Headquartered in Milwaukee, Wis., Rockwell Automation employs approximately 22,000 people serving customers in more than 80 countries.
Business Manager – Control Systems
T: +27 (0)11 654 9700