Systems with multi-layer protection, built-in security, and technologies that combine safety and security are essential for connected operations.
By Steve Ludwig, commercial programs manager, and Paul Brooks, technology manager, business development, Rockwell Automation
Imaginations are running wild in efforts to transform what’s possible in industrial operations thanks to the merging of operational technology (OT) systems with IT systems to create connected, information-driven operations. According to Rockwell Automation Strategic Alliance partner Cisco®, nearly one-third of security professionals say their organizations have experienced cyberattacks on their OT infrastructure.
So, protecting your network infrastructure is vital. These three key considerations can help inform and strengthen your industrial security strategy.
1. Close IT/OT Gaps to Achieve Holistic Security
Many companies still believe only a single security technology is needed. The truth is, a lone network, application or other security technology isn’t enough. You need a comprehensive defense-in-depth (DiD) strategy. One that uses multiple layers of protection to stop threats.
However, you can’t holistically address risks across your people, processes and technologies when your IT and OT organizational structures are siloed. You must address cultural, procedural and technical differences.
For example, consider user authorization. Your IT and OT security policies should be integrated, so you can deauthorize users at every level of your company with a single action. If you have separate IT and OT policies, a worker may be deauthorized from the enterprise network but not the plant network. That leaves you vulnerable to an attack by a disgruntled former worker.
Patch management is another example. It’s a fairly minor consideration for IT, because they have standard operating systems throughout the enterprise, and delays for users are minor. But patching should be carefully managed on the plant floor, where different controllers have different firmware revisions (sometimes for very good operational reasons) and operating systems, and even minor downtime can be costly.
The Converged Plantwide Ethernet (CPwE) design guides from Rockwell Automation and Cisco provide guidance and best practices to help IT and OT teams collaboratively deploy scalable, robust, safe and secure industrial network architectures.
2. Leverage Security Standards
To stay ahead of changing security threats, companies should look to industry-wide best practices and standards such as IEC-62443 IACS and NIST 800-82 CSF.
For example, to help leverage the latest security standards, the CIP Security™ protocol from ODVA uses the most proven security standard available. While only available in a few select industrial devices, CIP Security helps make sure only authorized industrial devices can exchange information. It also prevents tampering or modification of communications or disclosure of data to help protect your production assets and intellectual property.
The right supplier can also provide products, such as the Allen-Bradley® ControlLogix® 5580 controller, that have built-in security that is certified compliant with the IEC 62443-4-2 security standard.
3. Manage Safety, Security Together
Safety and security risks are inherently linked — yet too often, safety takes a back seat to other security implications like data and productivity loss. When we discuss this topic with companies, it can be a wake-up call for them.
A security breach that impacts physical assets can have dangerous, real-world consequences — such as harming equipment, workers and the environment. To date, there have been several documented instances around the world where security breaches created safety risks.
This is why it’s important to stay current on evolving safety and security standards such as IEC 61508 and IEC 62443.
The right technologies also can help you ward off potentially dangerous security incidents. For example, anomaly-detection software can identify external threats, human errors and process-integrity issues that threaten safety. And asset-management software can help detect unauthorized asset changes that could impact production and safety.
Developing a holistic security strategy without help can be intimidating. Look for qualified third parties that can help you take steps in a strategic direction. It’s also important to realize that security can and should be done in phases — not being able to do everything this year is no reason to delay what you can do today.
The Journal From Rockwell Automation and Our PartnerNetwork™ is published by Putman Media, Inc.