As technology and connectivity advance, industrial control system engineers face new security issues.
By Steve Ludwig, program manager, Safety and Security, Rockwell Automation
The growing use of widely available technologies in Industrial Control Systems (ICSs) and the growth of more connected, information-enabled enterprises inherently increase security risks, and with them the responsibilities of control-system providers and users alike.
Historically, ICSs used proprietary technologies and generally were segregated from the information systems at most companies. The systems largely were incompatible, and the commercial technologies that were used in office spaces simply didn’t fit the requirements of control systems.
As commercial technologies advanced, they were adapted for use in control systems, improving costs, compatibility and ease of use. With these improvements, connectivity between systems became simpler and increasingly demanded by users.
Bringing together enterprise-level IT and plant-level operations technology (OT) into a common infrastructure creates more opportunities to improve operations, but without proper cybersecurity hygiene, it may also provide increased opportunities for cyberattacks against ICS equipment. Such attacks, if successful, can have a severe impact on worker, environmental and product safety, intellectual property, reputation and productivity.
These challenges are changing the way ICS providers and users work together, bringing increased responsibilities to each.
ICS providers have an increased responsibility to understand, detect, and remediate security vulnerabilities and to disclose them through patch and version management to users. While much of this is “old hat” to IT professionals — receiving regular announcements of vulnerabilities and patches to remediate them — it’s new to ICS engineers.
Unfortunately, the threat is real. Attacks on control systems have increased dramatically in recent years. It’s not just the infrastructure risk of attack from nation-states. Today’s threats include hacktivists, cyber criminals and disgruntled employees.
A comprehensive cybersecurity strategy includes cybersecurity hygiene — asset inventory to understand what you have, controlling physical and digital access, segmentation, system configuration and other actions. It also includes adoption of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) to identify, protect, detect, respond to and recover from cyberattacks.
It also requires that ICS providers, such as Rockwell Automation, constantly test products and review applications to identify and remediate vulnerabilities in products. Disclosing remediated vulnerabilities through patch and version management helps protect ICS users from cyberattacks.
It should be part of an ethical, comprehensive cybersecurity strategy to help verify end-user security and safety. While not actually new, the increased focus on security in recent years and the more frequent disclosures may seem surprising to some.
To others who have worked closely with IT, it will seem natural and expected. To all, it should be welcomed as a clear focus on supporting the safety and security of industrial control systems.
For more information on security, check out the following resources:
- Product Security Vulnerabilities FAQ.
- Converged Plantwide Ethernet (CPwE) Design and Implementation Guide.
If Assistance is Needed
Rockwell Automation and companies in its PartnerNetwork™ program provide scalable, tiered-level assistance services based on the stage of the user in the cybersecurity risk management implementation. Use the following list of resources when requiring assistance:
- Rockwell Automation Remote Support Services provides technical assistance in finding product downloads and local support options.
- Product Security Office provides noncritical support and general information about the security vulnerabilities and mitigations offered. No customer-specific advice can be offered. Email them at firstname.lastname@example.org.
- Network and Security Services offers consultants for strategic and tactical industrial security services, such as security assessments and program development, asset inventory services, patch management and threat detection services.
The Journal From Rockwell Automation and Our PartnerNetwork™ is published by Putman Media, Inc.