You’ve no doubt heard about the huge potential benefits of the internet of things (IoT) and smart manufacturing initiatives, like Industry 4.0.

Already today, early adopters have connected their operations to bring new products to market faster, improve quality, improve operational efficiencies and increase asset utilization, including reducing costly unscheduled downtime.

So with the benefits well known and proven out in real operations, it must be asked: Why isn’t everyone on the IoT bandwagon? 

The answer, at least for many, is that creating a converged information infrastructure comes with some big challenges to overcome. Many users face an unclear demarcation of network ownership, for example, and cultural differences often exist between OT and IT professionals. 

Perhaps the greatest challenge, however, is the additional security threats that come with connecting industrial assets. 

Very Real Risks

I’ve heard some OT professionals claim, “No hacker cares about our control systems.” But just look at the top headlines from a recent Google search on industrial security breaches:

  • “Attackers Alter Water Treatment System in Utility Hack”
  • “DHS Confirms U.S. Public Utilities Control System Was Hacked”
  • “Breaches on the Rise in Control Systems”

The last headline links to a SANS Institute report on industrial control system (ICS) security that mentions a 40 percent increase in breaches. 

These breaches aren’t making the national news, but they serve as evidence that we cannot ignore security in industrial operations anymore. Truly, it’s not a matter of if but when a breach will take place.

What Should You Do?

Simply put, security should not be implemented as an afterthought or bolt-on component.

It requires a comprehensive strategy and framework designed and implemented as a natural extension to your ICS and any smart-manufacturing initiatives. Security also is not the responsibility of any one person or group, but rather has to be thought of as a holistic approach, supported by all key stakeholders.

A comprehensive security strategy should cover physical, network, application, user, data, end point and device hardening, and procedures and policies. It should handle user and device authentication; broker communication between devices, systems, people and things; and handle data transfer, data storage and business logic, as necessary, for the end-user application. 

In addition, many smart manufacturing solutions will include applications accessed by users of various roles from multiple companies and organizations within those companies. Your security strategy therefore needs to be multi-tenant and matrixed, and it should adhere to the guidelines established by industry standards, like IEC 62443.

As you design your security strategy, make sure it has these six important steps:

  • Educate employees and build their security competency
  • Define a strong set of rules the system will adhere to based on a risk analysis
  • Design systems against the defined rules
  • Verify designs and test to industry standards
  • Maintain systems by regular assessments and updates
  • Respond to incidents and provide awareness to the key stakeholders

Where to Start?

There’s an abundance of information and guidance out there to help you to build your security strategy. Some key resources include:

  • The Department of Homeland Security paper “Seven Steps to Effectively Defend Industrial Control Systems” outlines strategies to protect against common weaknesses in control systems. NIST also has published a general framework for ICS cybersecurity.
  • Rockwell Automation and Cisco developed Converged Plantwide Ethernet (CPwE) reference architectures. These tested and validated reference architectures provide design considerations, guidance, recommendations, best practices and solutions.
  • ODVA recently released the white paper, “Cyber Security Model for Manufacturing.” It presents an ICS cybersecurity framework and further describes its mapping to manufacturing. In particular, it puts focus on how ODVA’s effort fits into the larger framework and how it can continue to influence and strengthen the ICS cybersecurity framework.
  • Industrial IP Advantage has developed online training courses designed to help IT and OT engineers make the most of their network connectivity. The courses are developed based on validated reference architectures and will help drive design decisions from the equipment level to the enterprise network.
  • The coalition is also hosting a webinar on “The Power of Building a Secure Network Infrastructure.”

There are no guarantees in life or in security. But with proper planning, deployment and maintenance of your security strategy, you can minimize the risks facing your organization – and put yourself on firmer ground when jumping onto the IoT bandwagon.