
Tackling the cyber security threat through defence in depth

High-profile viruses attacking industrial control systems, plus the ongoing discussion on the threat of cyber terrorism to vital utilities, have brought the issue of cyber security to the fore. But an integrated approach to security has to consider a far wider range of threats - both deliberate and accidental. We talk to Rockwell Automation Business Leader Mike Loughran about best practice for applying defence-in-depth security models.

From Stuxnet to Duqu, and Flame to Gauss, the number of malware programs leading targeted cyber attacks is undoubtedly growing, all with the potential to wreak havoc on industrial control systems. By any measure these viruses and trojans can cause problems - even if it's only in terms of downtime and the cost per hour of lost production. If it impacts on quality, then perhaps your brand could also suffer. For those in the water and power industries, as well as other utilities, any loss of output that impacts on service to the consumer could also result in hefty fines, putting the threat of deliberate hacking into context.

But these are far from the only threats to any manufacturing business - indeed, deliberate mischief from outside the organisation probably represents only 25% or so of the overall threat. Internal security breaches - whether deliberate or accidental - will never get the same headlines but are just as important, if not more so.

Suppose, for example, that you take your laptop home to finish off some work on a PLC program. Over the weekend the kids download a couple of games from the internet, spend a few hours surfing the web, and transfer a few files via USB stick. When you come into the plant on Monday morning and hook up that laptop to the PLC, you can't really have any idea what viruses you may have unwittingly transferred to the control system.

If you download a PLC program from the internet and bring it in on a USB flash drive, can you be absolutely confident that the program is an authorised version from a certified vendor source, or merely something that looks right? And if you're not 100% sure, do you really want to plug it into the control system?

Then there are the times when people think they are helping out with a problem, perhaps by amending a few lines of code, only to cause another problem elsewhere in the system. Should those people have been granted access in the first place? You could probably even imagine conspiracy scenarios where such inflicted damage might be deliberate.

Even something as innocuous as connecting up a newly bought printer could cause issues. The majority of automation devices have fixed IP addresses. The minute you connect a device that doesn't have a fixed IP address, you run the risk of an IP clash that could impact on control processes.

Rockwell Automation Business Leader Mike Loughran comments: "In automation, unlike in the IT world, cyber security is a relatively new problem. Those tasked with implementing security for automation systems might think they have a sufficient 'air gap' around those systems, but the reality most likely is that there are multiple connections that they haven't considered, from open ports and network weaknesses to simply not controlling who has access to the control system. At the same time, you can't take a 'grey box' approach to cyber security, because that isn't going to work either. What is needed is defence in depth, with a layered security strategy."

Multiple layers of defence
The defence-in-depth methodology addresses both internal and external threats by forming multiple layers of defence which help to mitigate various types of risk. Employed as part of the industrial control system design and operation, it helps manufacturers by establishing processes and policies that identify and contain evolving threats in industrial systems.

"You start at the physical layer," says Loughran, "keeping out the people who shouldn't have access to the control system. That might be through gates, locks, ID systems, badges, etc. If someone doesn't have the authorisation to have access to the control system, then they shouldn't be able to gain access. Then you look at the network security layer, through the likes of firewalls. These are things that the IT world has been doing successfully for years and Rockwell Automation has also helped to address this between the plant floor and the higher level systems through its partnership with Cisco.

"At the computer layer, turn off USB ports and other unused ports so that unauthorised devices can't connect and infect the system.

"Of course, there has to be interaction with the control system software for programming, upgrades, maintenance and repairs," he continues, "but at this application layer there has to be authorisation in place so that only the people authorised to work within the system can do so. This also extends to the device layer, where devices should themselves be hardened with built-in security to prevent unauthorised access. An example would be a user trying to update the authorised program on a PLC with a copy downloaded from a website, and the PLC knowing that the download was not an authorised version and rejecting it."

All of this may sound restrictive, but Loughran takes the opposite view and believes it can actually empower users and operators. "If people are confident that they can't accidentally compromise the system, then they are more likely to be engaged in doing the tasks that they know they can do, so increased security can actually promote continuous improvement."
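
The device-layer check described above, and the earlier question about a PLC program brought in on a USB flash drive, can be illustrated with a gate that accepts a program only if its digest appears in an authenticated manifest. This is an added example, not Rockwell Automation code or anything from the interview: the file name, key and program bytes are constructed, and an HMAC over the manifest stands in for a vendor's digital signature.

```python
import hashlib
import hmac
import json

# All values below are constructed for illustration; none come from a vendor.
MANIFEST_KEY = b"constructed-demo-key"  # stand-in for a vendor signing key
APPROVED = b"PLC PROGRAM v1.4 (constructed sample bytes)"
TAMPERED = APPROVED + b" + one extra rung"

def manifest_tag(entries: dict, key: bytes) -> str:
    """Authentication tag over the canonical JSON form of the digest list."""
    body = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_program(name: str, data: bytes, manifest: dict, key: bytes) -> str:
    """Gate decision: 'accept' or 'reject: <reason>'."""
    entries, tag = manifest.get("entries"), manifest.get("tag")
    if not isinstance(entries, dict) or not isinstance(tag, str):
        return "reject: malformed manifest"
    # Authenticate the manifest before trusting any digest in it, so a
    # modified program cannot arrive with its own matching manifest.
    if not hmac.compare_digest(manifest_tag(entries, key), tag):
        return "reject: manifest not authentic"
    approved = entries.get(name)
    if not isinstance(approved, str):
        return "reject: program not listed"
    if not hmac.compare_digest(sha256_hex(data), approved):
        return "reject: digest mismatch"
    return "accept"

def demo() -> list:
    name = "line3_filler.prg"  # hypothetical program file name
    entries = {name: sha256_hex(APPROVED)}
    manifest = {"entries": entries, "tag": manifest_tag(entries, MANIFEST_KEY)}
    # Forged manifest: digest swapped to match the tampered file, old tag reused.
    forged = {"entries": {name: sha256_hex(TAMPERED)}, "tag": manifest["tag"]}
    return [
        check_program(name, APPROVED, manifest, MANIFEST_KEY),
        check_program(name, TAMPERED, manifest, MANIFEST_KEY),
        check_program(name, TAMPERED, forged, MANIFEST_KEY),
        check_program("unknown.prg", APPROVED, manifest, MANIFEST_KEY),
    ]

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The order of the checks matters: the manifest is authenticated first, then the program is looked up, and only then is its digest compared.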

Adopting these layers and stages as best practice in design can play a huge role in mitigating cyber security threats. And the good news is that it doesn't have to be a major, all-at-once investment. "It's an ongoing process that can start small and build up over time, and it can be readily scaled according to how you assess the specific threats to your business," says Loughran. "Further, you may find that you already have many of the tools you need to implement effective cyber security. Rockwell Automation, for example, worked closely with Cisco on issues such as network security, and at device level implements FactoryTalk Security, which improves automation security by controlling user access to applications and devices, and provides user authentication and authorisation."

Emerging standards such as ISA99 and IEC62443 will also help, defining procedures for implementing electronically secure industrial automation and control systems. "We mustn't underestimate the importance of relationships with vendors, either," comments Loughran. "Reputable vendors will always inform on potential cyber security threats to products, and will quickly provide solutions. The last thing you want is a vendor who isn't aware of threats or, worse, just leaves you in the dark."

In the automation world, cyber security is a relatively new issue that manufacturing businesses are only just beginning to address. There is a lot to get to grips with, and certainly a lack of both training and knowledge. But with a properly managed, layered approach to security that focuses on defence in depth, businesses can be confident that they've put in place the most robust measures that they can to mitigate the security threat.