Imaginations are running wild to transform what’s possible in industrial operations. And it’s all thanks to the merging of operational technology (OT) systems with IT systems to create connected, information-driven operations.
Now, securing these converged operations is top of mind for everyone. According to Cisco, nearly one-third of security professionals say their organizations have experienced cyber-attacks on their OT infrastructure.
Industrial security was a hot topic last month at Hannover Messe 2019 in Germany. Along with our Strategic Alliance partner Cisco, we met with several companies to discuss their security challenges and solutions.
Here are three key takeaways from those conversations to help inform your own industrial security strategy.
Close IT/OT Gaps to Achieve Holistic Security
We heard from many attendees who have been told they only need a single security strategy.
The truth is, a lone network, application or other security strategy isn’t enough. You need a comprehensive defense-in-depth strategy. One that uses multiple layers of protection to stop threats.
But remember: You can’t holistically address risks across your people, processes and technologies when your IT and OT organizational structures are siloed. There are cultural, procedural and technical differences that must be addressed.
Consider something like user authorization. Your IT and OT security policies should be integrated, so you can deauthorize users at every level of your company with a single action. If you have separate IT and OT policies, a worker may be deauthorized from the enterprise network but not the plant network. That can leave you vulnerable to an attack by a disgruntled former worker.
Patch management is another example. It’s a fairly minor consideration for IT, because they have standard operating systems throughout the enterprise, and delays for users are minor. But patching should be carefully managed on the plant floor, where different controllers have different operating systems, and even minor downtime can be costly.
We formed our Strategic Alliance with Cisco specifically to help companies conquer IT/OT convergence challenges, including security. Our alliance brings together the industry leaders in automation and IT, making us uniquely qualified to bridge IT/OT technical and cultural gaps to support holistic security.
Nowhere is our combined expertise more visible than in our Converged Plantwide Ethernet (CPwE) design guides. They provide guidance and best practices to help IT and OT teams collaboratively deploy scalable, robust, safe and secure industrial network architectures.
Leverage Security Standards
We continue to hear from companies who are looking to their industry allies to help them stay ahead of changing security threats.
For example, we can help you leverage the latest security standards.
The CIP Security protocol from ODVA uses the most proven security standard available. While only available today in a few select industrial devices, CIP Security helps make sure only authorized industrial devices can exchange information. It also prevents tampering or modification of communications or disclosure of data to help protect your production assets and intellectual property.
The right supplier can also provide you with products that have built-in security that meet accepted security standards.
One example is the Allen-Bradley ControlLogix 5580 controller. It’s the first controller on the market to be certified compliant with IEC 62443-4-2, today’s most robust control system security standard. Our security development lifecycle (SDL) approach has also been certified to meet IEC 62443-4-1. This can give you peace of mind, knowing your products are developed to the internationally recognized standard.
Manage Safety and Security Together
Safety and security risks are inherently linked – yet too often, safety takes a back seat to other security implications like data and productivity loss.
When we discuss this topic with companies, like we did at Hannover Messe, it can be a wake-up call for them.
A security breach that impacts physical assets can have dangerous, real-world consequences – like harming equipment, workers and the environment. To date, there have been several documented instances around the world where security breaches created safety risks.
This is why it’s important to stay current on safety and security standards – like IEC 60508 and IEC 62443 – that are evolving to recognize the relationship between safety and security.
Technologies can also help you ward off potentially dangerous security incidents. For example, anomaly-detection software can identify external threats, human errors and process-integrity issues that threaten safety. And asset-management software can help detect unauthorized asset changes that could impact production and safety.
Our discussions at Hannover Messe reaffirmed two things: Companies are eager to secure their operations, and they want the right partners to help them do it.
We can help you address any of your security needs. Our industrial security solutions and services can help protect your people, processes and intellectual property. And our connected services can help you plan, implement and optimize secure connected operations.