Protect control systems with a sound security strategy

At one time, the technologies that supported most manufacturing processes were self-contained, proprietary, and disconnected. Today much of that has changed. The instant connectivity brought about by the Internet and the emergence of open networks and operating systems onto the industrial scene is making the need to secure a company's automation and production systems more important than ever.

09/01/2006


At one time, the technologies that supported most manufacturing processes were self-contained, proprietary, and disconnected. Today much of that has changed. The instant connectivity brought about by the Internet and the emergence of open networks and operating systems onto the industrial scene is making the need to secure a company's automation and production systems more important than ever.

As security threats increase, manufacturers are beginning to take a closer look at ways to reduce their risk through new technologies and best practices. Although such dangers have historically been viewed as IT issues, more companies are finding that the plant floor is just as susceptible, and the impacts are often far worse.

Justifying cost

Perhaps the biggest challenge in the fight to ensure plant-floor security may be how to justify decisions for security spending. Shrinking IT budgets and the push to do more with less make demonstrating an ROI (also known as return on security investment or ROSI) an essential step in the process.

Demonstrating the value of security efforts requires presenting the return in such a way that converts technical features and process improvements into meaningful and tangible financial benefits. Many companies have focused on the “risk avoidance” aspect of security for so long that few realize there are often measurable business benefits to undertaking security projects.

By aligning plant floor and IT security initiatives with company goals and profitability, managers are in a better position to explain why investments make solid financial sense. Bottom line: if management doesn't fully understand risk reduction and the tangible benefits that security measures can have on the organization, it's less likely they will support new initiatives or additional expenses.

Executing a successful security strategy requires relying on critical departmental data and the ability to correlate anticipated results back to the underlying business drivers. For example, how will improving your network architecture help increase production uptime and reduce expenses related to lost production and scrap? More specifically, how does this impact the price-per-product ratio—an underlying management goal?

In many cases, there is simply no transparency to the losses incurred from unnecessary downtime or late deliveries, and no tangible returns attached to security's role in safeguarding production assets and ensuring consistent, safe and reliable control system operation. In other words, if you can't measure the value, it's difficult to make a convincing business case for the investment. Consequently, many companies grossly underestimate the overall effect security measures have on the company's bottom line.

Evaluating risks

Another key challenge is in knowing what to protect and how. Many risk managers rely on intuition and experience and assume their security processes are designed well enough to meet production goals. To avoid the blind spots of this assumption, a good first step should be to conduct a broad-based assessment of your IT and control network security, as well as any processes that involve system access and control.

The assessment process identifies security vulnerabilities and production risks, sets priorities for corrective actions that can be implemented through additional technologies or new security practices. Identifying valuable assets and examining possible weaknesses helps you understand what to protect and where to focus your security efforts. Additionally, this detailed analysis provides the critical documentation managers need to demonstrate the value of new and existing security efforts.

Risk assessment

By assessing the probability of a given threat and determining the level of toleration for the identified risk, security risk managers can begin to develop a clear plan of action. The plan should include compelling documentation that supports your business case and demonstrates clear, measurable benefits. It should effectively articulate what you intend to accomplish and how your activities relate to underlying business goals.

Once assessment is complete and assets and vulnerabilities are identified and prioritized, managers can determine the most cost effective and beneficial measures that will reduce security risks to acceptable levels and contribute to overall business objectives. This may involve a variety of risk mitigation technologies and processes, including limiting physical access to automation systems only to those with legitimate need, assigning user names and passwords to all personnel for equipment access, and tightening control of computers and software used on the automation network.

Ongoing maintenance is also essential to a sound security strategy. This includes auditing, monitoring, and re-evaluating the security system on an ongoing basis to search for new, unidentified vulnerabilities. A key component of maintaining the security solution is implementing a business continuity and recovery program to respond to severe business interruptions. It also is important to reinforce security policies and procedures to management and plant floor personnel.

Applying the right protection

At the heart of your plant floor security effort is deploying the appropriate risk reduction tactics. This includes implementing technology like firewalls, patch management strategies, business continuity plans, change management, intrusion detection systems, and software for user authentication and authorization, as well as defining policies and procedures for plant personnel. The most important systems should be protected by multiple defensive layers to guard against identified threats. Once in place, the system should be validated and tested for known security vulnerabilities.

While there are many technology options from which to choose, manufacturers have a tendency to implement what they're familiar with, which may or may not be appropriate for the environment. In many cases, what is acceptable in an IT environment may not be the best fit for the plant floor, and can even introduce more risk. That doesn't mean you shouldn't leverage available technologies to improve productivity. It is possible to build effective security systems that leverage contemporary IT technology, but applying it blindly without understanding the risks and consequences of the threats isn't a good business practice.

In general, you only need to protect the things that provide value to the business, and you should only apply protection in proportion to the risk and value. Installing excessive security can create unnecessary expenses and restrict accessibility from those with authorized access. On the other hand, the lack of security can put people, processes and profits at risk.

While security breaches occur daily in plants, many of them are simply the result of faulty procedures or poor personnel oversight. In other words, technology is not the limiting factor of security. People must know security processes and procedures and follow them. Continual training is necessary to keep employees informed and aware of what they must do to protect the plant and its information. This investment will reinforce a strong security program and offer the best return on investment.



ONLINE EXTRA

Achieving regulatory compliance

With increasing pressure from consumers and government bodies to ensure product authenticity and safety, companies need to consider security solutions that protect manufacturing processes and assets and help maintain regulatory compliance, as well. As new regulations are introduced, it’s important for manufacturers to stay educated and up-to-date on the legal ramifications of these requirements.

The key to achieving regulatory compliance is getting all business leaders involved. This means assembling an internal team involving all major business units that are touched by regulatory issues, including engineering, operations, risk management, safety, quality, legal, and IT. This will help everyone understand the issues, risks, and potential ramifications and put every organizational function working toward the same goals.

Achieving this alignment requires building a case for the importance of security in such a way that it motivates every level of the organization to become involved. If your company is not informed on security risks and compliance issues, enlist automation security experts who can help build an effective compliance strategy using advanced security technologies and best practices. In addition, organizations such as ISA– through its ISA-SP99 committee – are developing standards and best practices to guide manufacturers in implementing control-layer security.

Every company is unique in how it configures and manages the details of its systems and network applications. Therefore, it’s important that your security strategy is flexible enough to accommodate unique circumstances and implementations. At the same time, it’s important to view security as an ongoing investment. Technology, production processes, and people are constantly changing. To consistently maintain a secure environment, companies need to also evolve their security strategy and underlying tactical approach.

More information: ISA-SP99 committee
ISA-SP99 committee will establish standards, recommended practices, technical reports, and related information that will define procedures for implementing electronically secure manufacturing and control systems and security practices and assessing electronic security performance. The committee’s focus is to improve the confidentiality, integrity, and availability of components or systems used for manufacturing or control and provide criteria for procuring and implementing secure control systems.

For more visit ISA .


Author Information

Bryan Singer, CISM, CISSP, is chairman of the ISA S-99 Committee, Rockwell Automation


Achieving regulatory compliance

With increasing pressure from consumers and government bodies to ensure product authenticity and safety, companies need to consider security solutions that protect manufacturing processes and assets and help maintain regulatory compliance, as well. As new regulations are introduced, it's important for manufacturers to stay educated and up-to-date on the legal ramifications of these requirements.

The key to achieving regulatory compliance is getting all business leaders involved. This means assembling an internal team involving all major business units that are touched by regulatory issues, including engineering, operations, risk management, safety, quality, legal, and IT. This will help everyone understand the issues, risks, and potential ramifications and put every organizational function working toward the same goals.



No comments
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
The Engineering Leaders Under 40 program identifies and gives recognition to young engineers who...
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Robotic safety, collaboration, standards; DCS migration tips; IT/OT convergence; 2017 Control Engineering Salary and Career Survey
Integrated mobility; Artificial intelligence; Predictive motion control; Sensors and control system inputs; Asset Management; Cybersecurity
Big Data and IIoT value; Monitoring Big Data; Robotics safety standards and programming; Learning about PID
Featured articles highlight technologies that enable the Industrial Internet of Things, IIoT-related products and strategies to get data more easily to the user.
This article collection contains several articles on how automation and controls are helping human-machine interface (HMI) hardware and software advance.
This digital report will explore several aspects of how IIoT will transform manufacturing in the coming years.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Mobility as the means to offshore innovation; Preventing another Deepwater Horizon; ROVs as subsea robots; SCADA and the radio spectrum
Future of oil and gas projects; Reservoir models; The importance of SCADA to oil and gas
Big Data and bigger solutions; Tablet technologies; SCADA developments
Automation Engineer; Wood Group
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
click me