Safety and security risks are inherently linked in this new age. Increasingly, hackers target industrial control systems (ICS) to cause disruption or damage to physical products or assets, or to steal intellectual property. ICS attacks have increased dramatically in recent years.
In recognition of this new dynamic, security and safety standards are using similar language and referencing the risks each poses to the other. A security breach that affects physical assets can easily damage equipment, workers, and/or the environment.
Security planning begins with implementing basic security practices, or cyber hygiene. These practices aren't all easy to manage, but they are ultimately important to maintaining security. They include an inventory of assets, hardware and software on the company network, control of software updates and installations, password management and limiting privileges, and personnel training to identify phishing efforts.
Cyber hygiene also includes using equipment designed with security in mind, identification of vulnerabilities, patch management, and maintaining backups, as well as network design and segmentation and upgrading aging infrastructure.
Many of these practices have long been in place in the IT world, but are rarely seen in the OT world. While most enterprises have a list of IT assets, far fewer have a comprehensive list of controllers and software revision levels, or a program to keep them updated during planned maintenance. In general, engineering needs to collaborate with IT in maintaining good cyber hygiene practices throughout the enterprise, including ICS.
As equipment is modernized or purchased, both safety and security risks should be assessed and appropriately mitigated. If the machine builder requires access to the machine, how will that access be limited? How will you confirm that the machine cannot be manipulated without placing workers in an unsafe condition? How will you protect intellectual property?
Proper cyber hygiene, design, assessments, and implementation help ensure that you achieve the benefits of a Connected Enterprise without compromising productivity, profitability, or reputation.
Contact your Rockwell Automation cybersecurity and safety experts to help with the development of your enterprise risk management plans and strategies.