More connected operations can mean increased security threats. Learn how a holistic approach to industrial security can help mitigate risks.
By Daniel Deyoung, director, Market Development, Rockwell Automation
Manufacturing and industrial facilities are operating in ways they scarcely could have imagined a few decades ago.
Greater connectivity and information sharing is significantly transforming companies and their operations. They're converging IT and operations technology (OT) systems and using new technologies such as mobile, analytics, cloud and virtualization to do more than ever before.
However, just as the nature of manufacturing and industrial operations has changed, so have the security risks. More connected operations can create more potential entrance points for security threats. These threats can come in many different forms — physical or digital, internal or external, malicious or unintentional.
As a result, industrial security must be holistic. It should extend from the enterprise through the plant level and even out to end devices, and address risks across people, processes and technologies. It should also involve collaboration between IT and OT personnel. Both sides have vital roles to play.
A Holistic Approach
Three key pieces of a holistic approach to security include:
- Security assessment: Conduct a facility-wide assessment to understand your risk areas and potential threats.
- Defense-in-depth approach: Deploy a multilayered security approach that establishes multiple fronts and tiers of defense.
- Trusted vendors: Verify that your automation vendors follow core security principles when designing their products.
Developing and implementing an effective industrial security program requires that you first understand the risks and areas of vulnerability that exist within your organization.
A security assessment will help you understand your current security posture regarding your software, networks, control system, policies and procedures, and even employee behaviors. It should be the starting point for any security policy.
At a minimum, a security assessment should include the following:
- An inventory of authorized and unauthorized devices and software.
- Detailed observation and documentation of system performance.
- Identification of tolerance thresholds and risk/vulnerability indications.
- Prioritization of each vulnerability, based on impact and exploitation potential.
The final outcome of any security assessment should include a documented and actionable list of mitigation techniques required to bring an operation to an acceptable risk state.
Industrial security is best implemented as a complete system across your operations, and a defense-in-depth (DiD) security framework supports this approach. Based on the notion that any one point of protection can and likely will be defeated or breached, DiD security establishes multiple layers of protection through a combination of physical, electronic and procedural safeguards.
A DiD security approach consists of six main components (see illustration), including: defined policies and procedures, physical security, network infrastructure, computer/software, application, and device authentication and identification.
Your automation vendors are just as integral to helping you meet your security goals as they are your production, quality and safety goals.
Before selecting vendors, request they disclose their security policies and practices. Consider if they follow five core security principles for designing products used in a control system. These principles include:
- A secure network infrastructure. Vendors can help keep information in the automation layer secure and confidential. For example, embedded technology can validate and authenticate devices before they are granted access to a network.
- Authentication and policy management. Company policies dictate data access levels for employees. Automation products can support these policies using access control lists to manage user access to devices and applications.
- Content protection. Intellectual property is the lifeblood of your operations. Your automation solutions can help protect it by assigning passwords to routines and add-on instructions, and by using digital rights management to limit users' ability to view and edit device data.
- Tamper detection. Built-in tamper detection can detect any unauthorized system activity and alert the right personnel. It also can log key details, such as where the attempted intrusion took place, how it occurred and if anything was modified.
- Robustness. A robust vendor security approach includes providing security training to employees, using design-for-security development practices, and testing products to global security standards. It also includes conducting final security reviews before products are released, verifying processes stay current with standards and technologies, and having a plan in place to address vulnerabilities.
Monitor and Evolve
Security threats aren't relenting. They will only continue to evolve as the industry changes its security practices or implements new defenses. Your risk management strategy must keep pace, and should be ongoing, and evolve with or ahead of the changing threat landscape.
With the continual evolution of operations toward greater connectivity, the vastness of today's security concerns can be daunting. The approaches outlined here can help align your company with best industry practices for protecting intellectual property, facilities, assets, employees and competitive advantages.
Learn more about Rockwell Automation Industrial Security Solutions.
The Journal From Rockwell Automation and Our PartnerNetwork™ is published by Putman Media, Inc.