Securing a process control safety system
It used to be safety systems would go in the plant and they would operate uninterrupted for 20, 30, even 40 years. Tried and true for decades. Things changed, however, when people learned if you want to attack a critical infrastructure organization, that means taking out the safety system.
“People run safety systems for a long time, and that is good,” said Dr. Alexander Horch, vice president R&D and product management, at HIMA Group during a meeting at the ARC Industry Forum 2020 in Orlando, Fla. “But today, security needs to make you feel better about what you are doing. You have an old car and feel good, but you need to apply new technology to make you feel better in what you are driving.”
That means a company that focuses on safety systems also needs to learn and apply solid security protocols to ensure the system is as close to hack proof as possible.
“What we have put a lot of effort in is saying safety and process control systems need to be separate and we feel they need to be separate for functional reasons, but for security reasons as well,” Horch said. “We implement security in the best way we can. When we began we did not build security in from scratch because it was not thought of. Now it is. Now all the products work together seamlessly for efficient secure and safe automation.”
While the great debate over the years has been should safety and process control be separate or integrated, Horch said there are quite a few reasons that safety and process control need to be separate.
One reason is by having the two separate, they can run independent from one another. In addition, if the system does get attacked, if they are separate, it would be much more difficult to attack the two independent systems.
Another aspect why Horch has to think of security is no matter if the safety system is independent or integrated, there is some kind of connection to get data in and out of the system.
“We will continue to talk about securing the periphery,” he said. “Safety system and the process control need to be separate. Data needs to get out of the system. It needs to get out in a secure manner. You need to get into the systems as well. If you told me years ago and said we would need remote access into a safety systems, I would have said never. Today in 2020, I would have to revise that way of thinking.”
HIMA understands it needs security capabilities, but it also realizes it is a safety provider and not a security provider. That is why the German-based company teamed with a cyber security company called genua to secure safety automation networks and offer a comprehensive program to their users.
But make no mistake about it, Horch said, when it comes to a manufacturing facility, safety is a top priority.
“Safety is the dominating factor,” he said. “The ultimate goal is to make sure the plant is safe.
To ensure a safe and secure environment, the main factor always comes down to one word: Trust.
“In the end it all comes down to trust. Who would you entrust your plant to? Horch said. “The music plays where the security is.”