Advancing to IIoT means back to security basics

Manufacturers may see advantages to the Industrial Internet of Things (IIoT) and Industrie 4.0, but the backbone of their plant, the control system, wasn't built with cybersecurity in mind, and many companies aren't addressing this potentially serious issue.

02/14/2018


With the industry headed into digital transformation via smart manufacturing, Industrie 4.0, and the Industrial Internet of Things (IIoT), company leaders look at these initiatives as opportunities they need to jump on, and fast.

They can gain a competitive advantage through new service-enabled business models, disruptive new products, a more agile supply chain, and efficient operations. However, the systems that end up being the backbone of the manufacturing enterprise, the control systems, are not built with security in mind. On top of that, a survey released by Honeywell shows adoption of cybersecurity is low.

The survey, "Putting Industrial Cyber Security at the Top of the CEO Agenda," was conducted for Honeywell by LNS Research. It polled 130 strategic decision makers from industrial companies about their approach to the Industrial Internet of Things (IIoT), and their use of industrial cybersecurity technologies and practices.

Slow or low adoption could mean either manufacturers will move forward with the digital transformation and remain insecure, or they will be delayed in their movement forward and lose valuable time and potential revenues until they adopt a security program.

Either way, it appears companies already at the vanguard of employing security have a leg up on any potential competitors. It can also mean more companies are still at the beginning of creating a security program.

"I think everyone knows they have a problem now, but they are not quite sure where to start," said Seth Carpenter, software engineer and cyber security technologist at Honeywell. "There is a long way to go. Awareness is a good first step. We can't do anything unless there is an agreement that something needs to be done. The next step is putting funding behind these programs. Sometimes it is not throwing money at it, it can really be building up the culture in the organization where you are thinking of security and putting responsible officers in there making sure they are reporting out on cybersecurity and it is going all the way up to the C-level and the board."

The survey's findings included: 

  • More than half of respondents reported working in an industrial facility that already has had a cybersecurity breach
  • 45% of the responding companies still do not have an accountable enterprise leader for cybersecurity
  • 37% are monitoring for suspicious behavior
  • Although companies are conducting regular risk assessments, 20% are not doing them at all

"One of the things I found interesting was when they were asked if they had a breach at their plant, most people normally don't want to talk about it, but here quite a few people admitted they had a breach," Carpenter said.

The survey found low adoption of cybersecurity measures; awareness, however, is through the roof. The question remains when manufacturers will establish a timetable for adopting a security program.

"It is a combination of things," Carpenter said. "We know we should brush our teeth and take our vitamins, but sometimes you just say, I will go to sleep right now. It is hard without that driving factor or a really good business case behind it. We are at a point where there is a lot of awareness of what is happening. We see attacks in every industry like healthcare, banking, financial institutions, the awareness is there. I think that is the first part where people recognize something needs to be done. They might not know where to start. So, they say we need to do something about it, but that can be daunting. It is like eating the elephant, you have got to figure out the little bite I can take on this."

First step

Image courtesy: Ilya Pavlov/Unsplash

A good first step for a manufacturer is conducting an assessment.

"There are really good cybersecurity maturity models users can map their processes to so they can get started," Carpenter said. "Sometimes the hardest part is taking the first step and think here is what we are going to get and here is where we want to be and putting together that plan."

Traditionally, security has been seen as a cost center, but in reality, it can end up viewed as a business enabler that keeps systems up and running by eliminating unplanned downtime.

"That is one of the trickiest parts of security," Carpenter said. "When I invest in a manufacturing line, I see I am producing 20% more product. That is tangible and I can put a dollar value on that. If I spend the same amount of money on a cybersecurity program how do I measure success? How do I show my boss and my boss's boss, 'Hey, we did a really good job here.' I think there needs to be a mindset shift to see this isn't a problem where we are dumping our money into because we have to, instead this is helping us maintain our machines and giving us the uptime numbers we need."

The report issued three recommendations:

1. Use an operational excellence model of people, process, and technology capabilities to enable digital transformation and build industrial cyber security capabilities into the model.

2. Focus on best practices adoption. Start with the basics like firewalls and access controls; over time move to more advanced topics like network architecture, risk management, and activity monitoring. Build a roadmap based on increasing people and process maturity that considers risk and equates safety with security. If people capabilities are limited to start, consider augmenting with external professional services that have information technology (IT) and operations technology (OT) experience.

3. Focus on empowering leaders and building an organizational structure that breaks down the silos between IT and OT. A common approach across these disciplines is critical for success in industrial cyber security and it can only be done by investing time and energy in the soft skills of change management.

"We know this is complicated, we are talking systems that have been up and running for years and years, let's face it if it is not broken, don't fix it," Carpenter said. "So, getting visibility into the assets can be difficult. You have to know what normal looks like."

Gregory Hale is the editor and founder of Industrial Safety and Security Source (ISSSource.com), a news and information Website covering safety and security issues in the manufacturing automation sector. This content originally appeared on ISSSource.com. ISSSource is a CFE Media content partner. Edited by Chris Vavra, production editor, CFE Media, cvavra@cfemedia.com.
