Unlike the security methods of old that rely on isolation, a properly designed physical security platform unleashes the value of the Internet of Things in aggregating information from people, processes, data and things. This unleashing brings a cascade of data from IP-enabled devices, machines and business systems connected via unmodified Ethernet.
In the years ahead, sensor-embedded, Internet-ready equipment and machines will become even more commonplace. This shift towards a connected infrastructure gives IT (Information Technology) and OT (Operational Technology) managers deeper visibility into work flows and offers unprecedented economic opportunities.
But tapping the full potential of smart, connected devices hinges on having physical security and access-control technologies and processes capable of protecting the vast new streams of industrial data. With the right technologies and processes in place, manufacturers can safeguard people, assets and operations, while deploying an end-to-end IP infrastructure that promises to advance productivity, operating equipment effectiveness (OEE) and innovation.
Worldwide, 25 billion devices will be connected by 2015 and 50 billion by 2020.1
With connected devices, 74 percent of manufacturers use Big Data for better decision making.2
The rise of smart, connected devices and the Internet of Things (IoT) gives manufacturers the ability to gather data and transform it into meaningful information. In fact, according to the Aberdeen Group, 70 percent of manufacturing executives are focusing on plant-floor data initiatives to drive operational and business excellence, faster time to market, and immediate access to data from machines on the factory floor.
The proliferation of connected devices also can create an environment prone to security breaches and cyberattacks, as it eases potential access to sensitive business data. Already, 50 percent of electric companies report finding malware in their control systems. And 80 percent of organizations in power, oil, gas and water industries have reported denial of service attacks.3
According to IHS, the risk factors for manufacturers will continue to rise, as wireless network connections in industrial automation components in global factories increase from 2.1 million in 2012 to 3.4 million by 2017.4
IoT technology and services spending will generate global revenues of $8.9 trillion by 2020, growing at a compound annual rate (CAGR) of 7.9 percent.5
While the advantages of IoT are too abundant to deny, the pervasive presence of IP devices requires an in-depth security assessment, beginning with an understanding of what a breach would expose.
Physical Security – Insurance and Assurance for Manufacturers
Attackers, including insiders such as employees, partners and customers, who can gain physical access to areas of the plant they are not authorized to enter can almost always exploit that access to further their ends. Merely reaching a physical system, machine or production cell where a memory device can be plugged in is usually sufficient. Any device that is connected to the network must be protected to ensure it cannot be turned into an attack tool.
Measuring the ROI (return on investment) for physical and access security is like measuring the ROI for car insurance. You can’t assess the value until a breach occurs.
So the best way to plan is to calculate the cost of exposure. Depending on the type of breach, companies may lose revenue, competitive advantage, the health and safety of employees, and the environment or all of the above – including the company’s reputation. In severe cases, a breach could lead to the financial downfall of a company.
Consider Nortel Networks. Hackers based in China gained access to Nortel’s network and downloaded business plans, research and development reports, employee emails and other documents. A former security adviser at the telecommunications giant has linked the breach to the company’s bankruptcy.6
To justify the cost of security upgrades and services, it is often necessary to assess your company’s risks. Consulting firm PricewaterhouseCoopers (PwC) recommends that companies determine what their most valuable information assets are, where they are located at any given time, and who has access to them. Crown jewel assets can be information, material assets or processes that, if stolen, would compromise the business or render significant hardship. Examples include product designs, operational guidelines, process recipes, new market plans and executive communications.7
After identifying information assets and processes, IT and plant-floor executives need to work together to assign a price tag to each. Then, consider citing analyst data and case studies about losses of other companies within your industry to help justify the cost of appropriate security tools and services.
For example, PGP Corporation, a global leader in enterprise data protection, and the Ponemon Institute, a privacy and information management research firm, publish an annual study on the U.S. Cost of a Data Breach.8 The 2009 edition found that data-breach incidents cost U.S. companies $204 per compromised record in 2009, compared to $202 in 2008. Despite an overall drop in the number of reported breaches (498 in 2009 vs. 657 in 2008, according to the Identity Theft Resource Center), the average total per-incident cost in 2009 was $6.75 million, compared to an average per-incident cost of $6.65 million in 2008.
Another study conducted by the Ponemon Institute revealed that security threats are a global and multi-industry issue costing billions of dollars.9 Key takeaways from this research include:
- Cyber crimes continue to be costly. The average annualized cost of cyber crime for the 56 organizations in the 2012 study was $8.9 million, with a range of $1.4 million to $46 million. In 2011, the average annualized cost was $8.4 million, so the figure rose by 6 percent, or $500,000, in a year.
- Cyber attacks have become common occurrences. The companies in the study experienced a combined 102 successful attacks per week, or 1.8 successful attacks per company per week. This represents an increase of 42 percent from the previous year’s experience.
- The most costly cyber crimes are caused by denial of service, malicious insiders and Web-based attacks. Mitigation of such attacks requires enabling technologies, such as security information and event management (SIEM), intrusion prevention systems, application security testing, and enterprise governance, risk management and compliance (GRC) solutions.
The study indicated that while security threats are impacting the bottom line of all companies, some are more affected than others. For example, here is the annual cost of cyber threats for several key industries:
- Defense – $21.77 million
- Utilities and energy – $19.86 million
- Financial services – $16.44 million
- Education – $8.9 million
- Healthcare – $5.44 million
Securing the Infrastructure
A connected enterprise means a higher number of entrance points onto the network. Because of this, it’s important to remember that the lowest layer of the OSI Model – the physical layer – should be included in any physical security plan.
This begins with design considerations – such as where to locate equipment and when it might make sense to use wireless – to ensure equipment is safe, secure and fully functional in a harsh industrial environment. Solutions providers can be used for the full range of advisory services – from assessment and design to deployment and management – to ensure a plant's physical infrastructure meets both operational and security needs.
Components, such as switches, routers and gateways, need to be secure – not only in their design but also in how they’re deployed and managed. For example, switches should be contained in separate lockable enclosures rather than in control panels. Also, protecting assets means they must be designed to survive in the environment and have the appropriate safeguards against intrusion, tampering or accidents, like misconnections.
Similarly, using hardware with identification and color-coding features can help prevent unauthorized mating. For example, keyed adapter panels can use color-specific keys and positive/negative keying features to help ensure the correct connections are made.
Another important step in improving infrastructure security is documenting the plant’s critical network assets and connections. Too often, plants have poorly documented networks with serious loopholes. These unauthorized connections or gateways can be an external threat vector or inadvertent bypasses of network segmentation that are internal mistakes waiting to happen.
Physical-infrastructure-management software can detect and document changes to physical connections and other physical asset attributes, such as power and environmental status. Network-monitoring software solutions provide the ability to discover network devices, and provide event trapping for changes to status that may indicate a security issue. Users of these tools not only improve their ability to secure their plant, but also see operational benefits from increased visibility and change control that reduce troubleshooting and network downtime.
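As an added example of the kind of check such tools perform (this is illustrative code, not software from any vendor named on this page), the Python script below diffs a documented baseline of switch-port connections against a current MAC-table snapshot. It flags devices on ports recorded as unused, assets that have moved, assets that have disappeared, and an enterprise VLAN showing up on a cell switch, which is exactly the kind of inadvertent segmentation bypass described above. The switch name, MAC addresses, VLAN numbers and snapshot lines are all constructed sample data.

```python
"""Added example: diff a documented baseline of physical switch-port connections
against a current MAC-table snapshot and report undocumented, moved or missing
devices and VLANs that should never appear on a cell switch.  All switch names,
MAC addresses, VLANs and snapshot lines are constructed sample data."""

from dataclasses import dataclass

# Documented baseline: expected device on each switch port and the VLAN the
# port belongs to. Ports not listed here are documented as unused.
BASELINE = {
    ("cell3-sw1", "Gi1/0/1"): {"mac": "00:1d:9c:aa:00:01", "vlan": 110, "asset": "PLC-301"},
    ("cell3-sw1", "Gi1/0/2"): {"mac": "00:1d:9c:aa:00:02", "vlan": 110, "asset": "HMI-301"},
    ("cell3-sw1", "Gi1/0/3"): {"mac": "00:1d:9c:aa:00:03", "vlan": 110, "asset": "DRIVE-301"},
}

# VLANs permitted on each cell switch. VLAN 200 is the (assumed) enterprise
# office VLAN and must never be present on a plant-floor access switch.
ALLOWED_VLANS = {"cell3-sw1": {110}}

# Constructed snapshot in "switch port mac vlan" form, as an exported MAC
# address table might be written out by a monitoring tool.
SNAPSHOT = """\
cell3-sw1 Gi1/0/1 00:1d:9c:aa:00:01 110
cell3-sw1 Gi1/0/3 00:1d:9c:aa:00:02 110
cell3-sw1 Gi1/0/5 f8:e4:3b:12:34:56 110
cell3-sw1 Gi1/0/7 3c:52:82:77:88:99 200
"""


@dataclass(frozen=True)
class Finding:
    severity: str
    switch: str
    port: str
    detail: str


def parse_snapshot(text):
    """Parse snapshot lines into {(switch, port): {"mac", "vlan"}}."""
    seen = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        switch, port, mac, vlan = line.split()
        seen[(switch, port)] = {"mac": mac.lower(), "vlan": int(vlan)}
    return seen


def audit(baseline, snapshot, allowed_vlans):
    """Compare what is plugged in now with what the documentation says."""
    findings = []
    mac_to_doc = {v["mac"]: (k, v) for k, v in baseline.items()}
    seen_macs = {v["mac"] for v in snapshot.values()}

    for (switch, port), cur in snapshot.items():
        doc = baseline.get((switch, port))
        if cur["vlan"] not in allowed_vlans.get(switch, set()):
            findings.append(Finding("high", switch, port,
                f"VLAN {cur['vlan']} is not permitted on {switch}: possible segmentation bypass"))
        if doc is not None and cur["mac"] == doc["mac"]:
            continue  # exactly what the documentation says
        if cur["mac"] in mac_to_doc:
            (dsw, dport), dv = mac_to_doc[cur["mac"]]
            findings.append(Finding("medium", switch, port,
                f"{dv['asset']} moved here from {dsw} {dport}"))
        elif doc is None:
            findings.append(Finding("high", switch, port,
                f"undocumented device {cur['mac']} on a port recorded as unused"))
        else:
            findings.append(Finding("high", switch, port,
                f"expected {doc['asset']} ({doc['mac']}) but found unknown device {cur['mac']}"))

    # Documented assets no longer seen anywhere on the switch: a pulled cable
    # or a removed device, either of which deserves a look.
    for (switch, port), doc in baseline.items():
        if doc["mac"] not in seen_macs:
            findings.append(Finding("medium", switch, port,
                f"{doc['asset']} ({doc['mac']}) is no longer seen on this switch"))
    return findings


if __name__ == "__main__":
    for f in audit(BASELINE, parse_snapshot(SNAPSHOT), ALLOWED_VLANS):
        print(f"[{f.severity}] {f.switch} {f.port}: {f.detail}")
```

Run against the constructed snapshot, the audit reports the HMI moved to the drive’s port, the drive missing, two unknown devices on ports documented as unused, and the enterprise VLAN on the cell switch; a snapshot that matches the baseline produces no findings. Matching by MAC address rather than port is what turns "port 3 has the wrong device" into the more useful "HMI-301 moved here from port 2".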
Implementing Physical Security Best Practices
A common view in industry is that the main source of threats to IP networks is the Internet itself. It’s true that credible threats lurk on the Web, but IP networks are exposed all the way from the Internet connection to the edge of the network. In fact, recent instances of nonvirtual attacks illustrate the significant need for physical security in industrial operations. These threats can be countered with defense-in-depth: a layered security model that combines robust logical and physical security technology and services.
Step 1. Secure unused ports.
Physical security practices begin with securing unused ports. Ports can be secured with inexpensive devices called LIBO (Lock In Block Out). They function to lock in critical connections or block out an unused port to keep it secure. Devices available in the LIBO category, for example, can be inserted into USB ports to prevent the unwanted removal of data and to block potential uploading of viruses. On the other hand, lock-in devices can be used to prevent the unauthorized removal of cables, networking equipment or other vital connections. These can help combat data-security breaches and potential hardware theft, while helping maintain network uptime.
Step 2. Establish a physical, as well as a logical DMZ between networks.
Simply patching the industrial network straight into the enterprise network, with the intention of “getting things up and running temporarily,” can cause inadvertent problems. Establishing a physical and logical DMZ between the two networks is therefore vital. The networks still converge and provide the information transparency we seek, but only through the DMZ, in a secure and orderly fashion.
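The logical half of that DMZ can be expressed as a zone policy. The following Python example is added here for illustration and is not taken from the CPwE guide or any firewall product: it defines three zones with constructed address ranges, audits a rule list for any rule that lets traffic skip the industrial DMZ (IDMZ), and evaluates sample flows with default deny. The hosts, ports, rule list and comments are assumptions; 44818/TCP is the EtherNet/IP port, used as a sample plant-floor protocol.

```python
"""Added example: zone policy for an industrial DMZ (IDMZ) sitting between the
enterprise and manufacturing zones.  The zone address ranges, hosts, ports and
rule list are constructed for illustration and come from no vendor guide."""

import ipaddress
from collections import namedtuple

ZONES = {
    "enterprise": ipaddress.ip_network("10.0.0.0/16"),
    "idmz": ipaddress.ip_network("10.50.0.0/24"),
    "manufacturing": ipaddress.ip_network("10.100.0.0/16"),
}

Rule = namedtuple("Rule", "src_zone dst_zone dst_port action comment")

# Intended policy: every permitted flow starts or ends in the IDMZ, so data is
# replicated or brokered there and nothing crosses both boundaries in one hop.
RULES = [
    Rule("enterprise", "idmz", 443, "allow", "users read the replicated historian"),
    Rule("idmz", "manufacturing", 1433, "allow", "IDMZ replica pulls from plant historian"),
    Rule("manufacturing", "idmz", 443, "allow", "plant hosts fetch patches from IDMZ staging"),
    # The "temporary, just to get it running" shortcut that the audit must catch:
    Rule("enterprise", "manufacturing", 3389, "allow", "RDP straight to an HMI"),
]


def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def bypasses_idmz(rule):
    """A permit rule with neither endpoint in the IDMZ lets traffic skip it."""
    return rule.action == "allow" and "idmz" not in (rule.src_zone, rule.dst_zone)


def audit_rules(rules):
    """Return the rules that would let traffic cross both boundaries directly."""
    return [r for r in rules if bypasses_idmz(r)]


def evaluate(rules, src_ip, dst_ip, dst_port):
    """First-match, default-deny evaluation of one flow.  A matching rule that
    bypasses the IDMZ is refused rather than honoured."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if "unknown" in (src_zone, dst_zone):
        return ("deny", "address outside any defined zone")
    for r in rules:
        if (r.src_zone, r.dst_zone, r.dst_port) == (src_zone, dst_zone, dst_port):
            if bypasses_idmz(r):
                return ("deny", f"rule '{r.comment}' bypasses the IDMZ")
            return (r.action, f"{src_zone}->{dst_zone}:{dst_port} ({r.comment})")
    return ("deny", f"no rule for {src_zone}->{dst_zone}:{dst_port}")


if __name__ == "__main__":
    for r in audit_rules(RULES):
        print("policy violation:", r)
    # 44818/TCP is EtherNet/IP (CIP), used here as a sample plant-floor protocol.
    for flow in [("10.0.1.5", "10.50.0.10", 443), ("10.0.1.5", "10.100.2.7", 3389),
                 ("10.0.1.5", "10.100.2.7", 44818), ("10.50.0.10", "10.100.2.7", 1433)]:
        print(flow, evaluate(RULES, *flow))
```

The audit is the part worth keeping: a rule base grows by accretion, and the one "temporary" enterprise-to-manufacturing permit is easy to miss by eye but trivial to catch mechanically. Addresses outside every defined zone are denied as well, so an undocumented subnet cannot slip through by not matching anything.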
Step 3. Consider location tracking.
Location tracking of people and assets is often an important component of an overall security program. Much of this capability can be implemented using intelligent networking technologies, such as integrated physical and virtual security and wireless location-based services.
Step 4. Secure the location where data is physically held.
The customer data of retail giant Walmart was potentially put at risk when hard drives were stolen from Vudu, the company’s video service. Vudu announced that thieves had broken into its offices and stolen hard drives containing personal information of users, such as their names, phone numbers, birthdates, email and postal addresses, account history and the last four digits of their credit card numbers.10
This was a physical security issue, not a cyber security issue. The good news: Vudu promptly reset affected users’ passwords. But the breach showcases the need to secure the physical location where data is housed.
Step 5. Host employee training on security risks.
Stuxnet, the worm discovered in June 2010 that reportedly damaged centrifuges at an Iranian nuclear facility, is a perfect example of why employee training is necessary. The worm is believed to have been carried into the plant’s systems on a thumb drive that was physically inserted into a computer within the facility. That suggests a lack of physical security to monitor personnel access or to protect machine ports.
Similarly, Dutch chemical company DSM reported finding USB drives lying in the company’s parking lot in July 2012. Someone put the USB drives there in hopes that an employee would pick up one of the drives and insert it into a company computer. Investigators found the drives were infected with malware – a keylogger designed to send usernames and passwords to an external site.11
Innovation in Threat Detection and Monitoring
Surveillance systems have long been an important asset for plants, serving as both a real-time and archival security measure. Improved technology, combined with new network capabilities, is improving video surveillance – and not only for security.
High-definition video allows plants to improve the recording of events like product or material shipments. Previously, workers equipped with point-and-shoot cameras monitored and recorded incoming shipments for damages, defects or shortages. Now video surveillance systems with HD technology provide a higher level of detail and automate this process.
The cameras can even be connected to license-plate-recognition software to track any potential problem shipments back to their source, such as a supplier, shipper or logistics company. This has the potential to more quickly identify damaged shipments and reduce liability for product loss.
Video also can help optimize productivity on the plant floor. If a production line comes to a stop, for example, control data can be synchronized with the recorded video footage to help investigate the downtime event. This information can then be applied across one or several processes to weed out potentially systemic downtime issues.
With all of these new nonsecurity applications, it's time to start thinking of a video camera as another sensor that can help optimize your operations.
Extending Access Control
Access control systems are another security staple. They provide essential ingress and egress capabilities to guard your people, property and assets from harm, damage or theft. These systems are highly scalable, managing anything from a few facility doors to thousands of doors across multiple sites.
Now, thanks to the power of the connected enterprise, access control can be extended down to the cabinet, closet and control-panel levels. This helps ensure workers are only accessing the equipment for which they have the proper training, expertise and clearance.
Improving access control to these lower levels can help prevent mishaps during maintenance, upgrades and repairs, better protect machines and maintain uptime. Greater access control can also improve worker safety – particularly around electrical hazards – and better protect your overall operations. Moreover, any future equipment issues can be traced back to the worker who accessed the machine and at what time to more quickly identify the root problem.
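An added example of that tracing, using a constructed badge-reader log and a constructed authorization table rather than data from any access-control product: given a fault on a cabinet at a known time, the script reconstructs unlock/close sessions, returns the sessions that were still open or had recently closed on that cabinet, and flags any badge that was not authorized for it. Cabinet names, badge numbers, names and timestamps are all invented.

```python
"""Added example: trace a machine fault back to whoever had the control cabinet
open.  The badge-reader log and the authorization table are constructed sample
data, not output from any access-control product."""

import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed badge-reader log for two control cabinets.
ACCESS_LOG = """\
2024-03-12T07:58:10 CAB-301 badge=4412 name="A. Ortiz" event=unlock
2024-03-12T08:21:44 CAB-301 badge=4412 name="A. Ortiz" event=close
2024-03-12T09:05:02 CAB-305 badge=7730 name="M. Chen" event=unlock
2024-03-12T09:12:40 CAB-305 badge=7730 name="M. Chen" event=close
2024-03-12T09:40:17 CAB-301 badge=9901 name="R. Patel" event=unlock
2024-03-12T09:58:30 CAB-301 badge=9901 name="R. Patel" event=close
2024-03-12T10:02:05 CAB-301 badge=7730 name="M. Chen" event=unlock
"""

# Which badges are trained and cleared for which cabinet (constructed).
AUTHORIZED = {"CAB-301": {4412, 9901}, "CAB-305": {7730}}

LINE = re.compile(r'^(\S+) (\S+) badge=(\d+) name="([^"]+)" event=(unlock|close)$')


@dataclass
class Session:
    cabinet: str
    badge: int
    name: str
    start: datetime
    end: Optional[datetime]  # None = door still open at the end of the log


def parse_log(text):
    """Parse log lines into (timestamp, cabinet, badge, name, event) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # tolerate blank or malformed lines
        ts, cab, badge, name, ev = m.groups()
        events.append((datetime.fromisoformat(ts), cab, int(badge), name, ev))
    return sorted(events)


def build_sessions(events):
    """Pair each unlock with the next close on the same cabinet by the same badge."""
    open_sessions = {}
    sessions = []
    for ts, cab, badge, name, ev in events:
        key = (cab, badge)
        if ev == "unlock":
            open_sessions[key] = Session(cab, badge, name, ts, None)
            sessions.append(open_sessions[key])
        elif key in open_sessions:
            open_sessions.pop(key).end = ts
    return sessions


def authorized(session):
    """Was this badge cleared for this cabinet at all?"""
    return session.badge in AUTHORIZED.get(session.cabinet, set())


def candidates(sessions, cabinet, fault_time, window):
    """Sessions on `cabinet` that were open at `fault_time` or closed within
    `window` before it, most recent first."""
    hits = []
    for s in sessions:
        if s.cabinet != cabinet or s.start > fault_time:
            continue
        still_open = s.end is None or s.end >= fault_time
        if still_open or fault_time - s.end <= window:
            hits.append(s)
    last_activity = lambda s: fault_time if (s.end is None or s.end >= fault_time) else s.end
    return sorted(hits, key=last_activity, reverse=True)


if __name__ == "__main__":
    sessions = build_sessions(parse_log(ACCESS_LOG))
    fault = datetime(2024, 3, 12, 10, 15)
    for s in candidates(sessions, "CAB-301", fault, timedelta(hours=1)):
        state = "still open" if s.end is None else f"closed {s.end.time()}"
        flag = "" if authorized(s) else "  <-- NOT AUTHORIZED for this cabinet"
        print(f"{s.name} (badge {s.badge}) opened {s.start.time()}, {state}{flag}")
```

For a fault on CAB-301 at 10:15, the one-hour window returns the session that is still open (and whose badge is not cleared for that cabinet) ahead of the one that closed sixteen minutes earlier; widening the window to three hours pulls in the morning session as well. The session pairing is deliberately per (cabinet, badge), so an unlock with no matching close stays visible as an open door rather than silently vanishing.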
The benefits of these and other technologies can be intertwined – either within one plant or across several sites – when your operations are connected using a standard, open network architecture. The result is a much more data-rich environment in which productivity, uptime and OEE can be monitored for potential improvements.
Innovation in Incident Response
The ability to detect and monitor security threats is only part of the equation. You also must be properly equipped to respond in real time and in an agile manner.
A radio-dispatching solution that can carry mission-critical communications across many channels is one example. Rather than juggling multiple conversations on multiple channels, a single, IP-based dispatch solution can bridge different communication paths (mobile, landline, two-way radio, IP and PC). It can then transmit any media (incident status, video, photos) to vastly improve and streamline urgent communications during security events.
Indeed, the power of IP-based technologies is re-defining incident response. Dispatch systems that increase communication interoperability also can be used to improve response times for downtime events. Likewise, video screens placed throughout a facility can deliver urgent messages to employees or inform technicians of machine issues that require immediate attention.
The connected enterprise enables systems, such as video surveillance and access control, to be layered on top of each other. If an unauthorized entry is detected, for example, an administrator can now be notified of the event and view that location in real-time for faster response.
Additionally, security systems can help you respond to nonsecurity situations. For example, video systems that are synced up with control data can provide maintenance technicians with more context about a halted production line. Visual data allows technicians to better understand the root of a problem, even before they approach it. Instead of wasting time investigating the problem, they can bring the necessary tools or equipment to the site without making a separate trip.
This visual validation of what occurred also can be sent to a group of dispersed people via a mobile device, speeding the recovery process and helping prevent similar downtime events in the future.
Intelligence at the Edge
IP-based networks will continue to increase the capabilities of security applications. Intelligence at the camera endpoints, for example, can now deliver advanced video-analytics capabilities.
In many facilities, security personnel are tasked with watching video screens for extended periods of time. A Sandia National Lab study found that an operator can watch a video monitor for 20 minutes before he or she starts missing relevant information. That’s not an encouraging statistic for manufacturers that have lives, machines and batches to protect.
Video-analytics solutions can augment safety and security monitoring with facial recognition, perimeter-violation detection, thermal-risk identification and more. Horizontal or vertical planes can be drawn within a camera’s field of vision, and the system then monitors for crossings or other suspicious events along them. Alerts can be sent in real time to designated workers, such as plant managers or IT administrators.
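An added example of that plane (trip-line) logic, not code from any analytics vendor: the line is drawn in image coordinates, and a crossing is declared when a tracked object’s centroid changes sides between consecutive frames and the movement actually intersects the finite line segment, so an object passing beyond the end of the line does not trigger it. The fence coordinates and the centroid tracks are constructed; a real deployment would feed centroids from its object detector and tracker.

```python
"""Added example: virtual trip-line (plane) detection in image coordinates.
An alert fires when a tracked object's centroid changes sides of the line
between consecutive frames and that movement intersects the finite segment.
The fence and the tracks are constructed sample data."""

# A horizontal trip line across the image, as (x, y) pixels with y growing downward.
FENCE = ((100, 400), (600, 400))

# Constructed centroid tracks, one (x, y) per frame.
TRACKS = {
    "person-7":   [(300, 350), (305, 380), (310, 420), (315, 450)],  # walks down across the line
    "forklift-2": [(700, 350), (700, 450)],                          # passes beyond the line's end
    "person-9":   [(400, 450), (400, 380), (400, 350), (400, 420)],  # up, then back down
}


def side(segment, point):
    """Sign of the cross product: +1 if `point` is to the right of A->B as seen
    on screen (y down), -1 if to the left, 0 if exactly on the line."""
    (ax, ay), (bx, by) = segment
    px, py = point
    cross = (bx - ax) * (py - ay) - (by - ay) * (px - ax)
    return (cross > 0) - (cross < 0)


def segments_intersect(s1, s2):
    """Proper intersection test: each segment's endpoints straddle the other.
    Collinear or merely touching cases return False, acceptable for a trip line."""
    a, b = s1
    c, d = s2
    return (side(s1, c) * side(s1, d) < 0) and (side(s2, a) * side(s2, b) < 0)


def detect(fence, tracks, direction="any"):
    """Return (track_id, frame, new_side) for every crossing of `fence`.
    direction: "any", "pos" (crossing onto the +1 side) or "neg" (onto -1)."""
    alerts = []
    for track_id, points in tracks.items():
        prev_side, prev_point = None, None
        for frame, p in enumerate(points):
            s = side(fence, p)
            if s == 0:
                continue  # sitting exactly on the line: decide on a later frame
            if (prev_side is not None and s != prev_side
                    and segments_intersect(fence, (prev_point, p))):
                if direction == "any" or (direction == "pos") == (s == 1):
                    alerts.append((track_id, frame, s))
            prev_side, prev_point = s, p
    return alerts


if __name__ == "__main__":
    for track_id, frame, new_side in detect(FENCE, TRACKS, direction="pos"):
        print(f"ALERT: {track_id} crossed onto the protected side at frame {frame} (side {new_side:+d})")
```

Keeping a direction lets the same line serve as an "entry only" alarm: here the positive side (below the line on screen) is treated as the protected area, so only downward crossings raise an alert, while the forklift passing outside the line’s end never does.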
For example, The Ferguson Group – a leading supplier of containers, accommodations and workspace modules for the offshore energy industry – was concerned about the standardization of physical security across its global bases. A particular concern was the provision of day-and-night digital surveillance on the large, valuable equipment in its ports and storage yards.
“For years, our headquarters in Scotland relied on an analog security system,” said Graham Cowperthwaite, director of operations at Ferguson Group. “That system wasn’t meeting our needs in terms of image quality and remote accessibility.” The Ferguson Group switched from an analog security system to an IP-based solution, which enables management to access and review video footage from mobile devices, and help keep employees safe.
In time, this kind of intelligence from a security system will also be delivering new capabilities for manufacturers in nonsecurity applications to make operations more efficient. It raises the question: Will today's security technologies even be known primarily as “security” systems in the near future?
Close All Trap Doors – Physical and Logical Security Converge
Despite the fact that physical and logical security depend on each other, a surprising number of companies still treat them as separate systems, from both a device and operational management perspective. Until recently, this modus operandi was justified because the technology to integrate physical and logical security wasn’t available.
Most manufacturers have at least three organizations responsible for security. The first two are primarily concerned with IP theft, malware, viruses and so on – Network Operations handles network security, while Information Security manages data at rest and data in transit. The third organization is responsible for physical security, which includes surveillance and access control.
But today, companies need to create a single governing body for security policies, procedures and deployments.
“As long as organizations treat their physical and cyber domains as separate, there is little hope of securing either one,” says Scott Borg, director of the U.S. Cyber Consequences Unit. “The convergence of cyber and physical security has already occurred at the technical level. It is long overdue at the organizational level.”
Before the convergence of applications, devices and services onto the IP network, security measures were largely separated:
- Video surveillance ran across dedicated analog connections.
- Physical access to buildings was managed entirely over an isolated network instead of over the LAN, as it is today.
- Intrusion prevention happened at the firewall.
- Virus scanning and intrusion detection was done on the desktops.
- E-mail (spam) and Web security (acceptable use policies) were limited to users within the organization boundaries only. The risk was that an employee could bring in an infection from outside.
Physical and logical security technologies have matured to the point that they can now be integrated. The convergence of the IP network and the migration of legacy sensors and appliances to TCP/IP have helped drive this transformation. Cameras are now IP-based; card readers use the IP network instead of a proprietary network; and access lists, policies and procedures are stored and generated by computers.
The convergence of voice/video/data has brought the following changes to each of these areas:
- Voice (a.k.a. audio): In addition to traffic created by deploying voice-over-IP (VoIP) services, voice now refers to other audio sources, such as crowd monitoring, a gunshot in a high-crime area or noise detection in a building that is supposed to be vacant at night.
- Video: In addition to video calls, video-chat sessions and teleconferencing, video now also refers to video surveillance, traffic cameras, digital signage and streaming video.
- Data: Access to data isn’t limited to the intranet anymore. With the explosion of cloud services, access to data can be anywhere, anytime from any device.
- Network: Multiple heterogeneous devices are connecting to the network, such as smartphones with video, personal laptops and tablets, and so on. There is little distinction between a device and its specific purpose.
- Social media and enterprise collaboration also play a role in reporting security incidents, thus requiring the analysis of all sorts of data within the organization.
According to IMS Research, which tracks the installed base of Internet-capable equipment, the number of devices connected to the Internet worldwide surpassed the 5 billion milestone in 2010, and is expected to reach 22 billion by 2020. This surge reflects the explosion of personal devices, such as smartphones and tablet computers, and also includes all the sensors, cameras, and devices used in security that are now IP-enabled because of the convergence of the IP network.
This massive convergence can have a negative impact on the performance of the network if it has not been properly designed and deployed to handle this increase in traffic. Along with presenting new security challenges, the convergence of Internet-connected devices, voice, video and data also provides ways to integrate logical and physical security that were not possible just a few years ago.
Converge, Converge, Converge!
Manufacturers need to design a converged, holistic network architecture. The Converged Plantwide Ethernet (CPwE) Design and Implementation Guide, a resource developed by Cisco and Rockwell Automation, was written with this goal in mind. The design guide provides a framework for addressing logical and physical security threats: multiple layers of defense (physical and logical) at separate manufacturing levels, with policies and procedures that address different types of threats. For example, multiple layers of network security protect networked assets, data and end points, and multiple layers of physical security help protect high-value assets.
Physical Security Considerations Bring IT and OT Benefits
From a physical security standpoint, the introduction of IP network infrastructures is having a significant impact. Plant security is transitioning from analog proprietary systems to IP-based systems deployed through the use of unmodified Ethernet. Video surveillance systems are being networked with IP cameras, helping merge data from multiple platforms into a single system that reaches across the enterprise.
This is all part of a larger convergence movement between information technology (IT) and operational technology (OT). As a result, the stakeholders are converging too. IT is stepping up as the owner of the security systems, but OT is also interested in leveraging those systems to gain greater visibility into plant operations, analyze downtime, protect equipment, improve OEE and more.
Implementing physical security technology provides both IT and OT benefits, including:
So unlike security measures of the past, today’s physical security and access control technologies and processes can bring untold benefits to IT and OT managers who are willing to work together to protect people, assets and operations. Together, they can deploy an end-to-end IP infrastructure that holds the promise to advance productivity, OEE and your next wave of innovation.
Tips for deploying a “future-ready” physical security architecture:
- Deploy video surveillance
- Assess future bandwidth needs, based on exponential growth of video
- Evaluate QoS (with traffic)
- Consider deploying ring topology at the lowest levels versus redundant star
- Leverage dark fiber for scale
- Use cloud for data storage
To learn more about a defense-in-depth approach to system security, sign up for the Industrial IP Advantage industrial network design training.
1 Cisco, “The Internet of Things” infographic, http://share.cisco.com/internet-of-things.html
2 Cisco, “How the Internet of Things Will Transform Industries”
3 McAfee and CSIS (Center for Strategic and International Studies), “In The Dark: Crucial Industries Confront Cyberattacks,” released April 21, 2011; the electronic survey was conducted during the last quarter of 2010. Reported at http://www.eweek.com/c/a/Security/CyberAttacks-Targeting-Power-Gas-Utilities-on-the-Rise-Survey-548133/
4 IHS, “Industrial Automation Sector Trends in 2014” white paper
5 International Data Corporation (IDC) report, 2013
6 CBC News, February 2012, http://www.cbc.ca/news/business/nortel-collapse-linked-to-chinese-hackers-1.1260591