"the UK's first dedicated journal focusing
on the fourth industrial revolution and
transforming to a smart manufacturing era"

Protecting against cyber attacks

24 October, 2016

As businesses seek to embrace Industry 4.0, cybersecurity protection must be a top priority for Industrial Control Systems (ICS). These attacks are financially crippling, reduce production and business innovation, and cost lives. Dave Sutton reports.

In years gone by, legacy Industrial Control Systems (ICS) were developed with proprietary technology and were isolated from the outside world, so physical perimeter security was deemed adequate and cyber security was not relevant. However, today the rise of digital manufacturing means many control systems use open or standardised technologies to both reduce costs and improve performance, employing direct communications between control and business systems. Companies must now be proactive to secure their systems online as well as offline.

This exposes vulnerabilities previously thought to affect only office and business computers, so cyber attacks now come from both inside and outside of the industrial control system network. The problem here is that a successful cyber attack on the ICS domain can have a fundamentally more severe impact than a similar incident in the IT domain. Indeed, cyber attacks cost British industry £34bn a year according to CEBR, so it’s clear that cyber protection needs to be a boardroom-level discussion that is given as much consideration as safety or high availability.

The proliferation of cyber threats has prompted asset owners in industrial environments to search for security solutions that can protect their assets and prevent potentially significant monetary loss and brand erosion. While some industries, such as financial services, have made progress in minimising the risk of cyber attacks, the barriers to improving cybersecurity remain high. More open and collaborative networks have made systems more vulnerable to attack. Furthermore, end user awareness and appreciation of the level of risk is inadequate across most industries outside critical infrastructure environments.

Uncertainty in the regulatory landscape also remains a significant restraint. With the increased use of commercial off-the-shelf IT solutions in industrial environments, control system availability is vulnerable to malware targeted at commercial systems. Inadequate expertise in industrial IT networks is a sector-wide challenge. Against this backdrop, organisations need to partner with a solutions provider who understands the unique characteristics and challenges of the industrial environment and is committed to security.

Evaluate the threats

A Defence-in-Depth approach is recommended. This starts with risk assessment – the process of analysing and documenting the environment and related systems to identify, and prioritise potential threats. The assessment examines the possible threats from internal sources, such as disgruntled employees and contractors and external sources such as hackers and vandals. It also examines the potential threats to continuity of operation and assesses the value and vulnerability of assets such as proprietary recipes and other intellectual properties, processes, and financial data. Organisations can use the outcome of this assessment to prioritise cybersecurity resource investments.

Prepare for the evolving landscape

Existing security products and technologies can only go part way to securing an automation solution. They must be deployed in conjunction with a security plan. A well designed security plan coupled with diligent maintenance and oversight is essential to securing modern automation systems and networks. As the cybersecurity landscape evolves, users should continuously reassess their security policies and revisit the defence-in-depth approach to mitigate against any future attacks. Cyber attacks on critical manufacturers in the US alone have increased by 20%, so it’s imperative that security plans are up to date.

Educate your defence team

There are increasingly fewer skilled operators in today’s plants, as the older, expert workforce moves into retirement. So the Fourth Industrial Revolution presents a golden opportunity for manufacturing to bridge the gap and bolster the workforce, putting real-time status and diagnostic information at their disposal. At the same time, however, this workforce needs to be raised with the cybersecurity know-how to cope with modern threats.

In this regard, training is crucial to any defence-in-depth campaign and the development of a security conscious culture. There are two phases to such a programme: raising general awareness of policy and procedure, and job-specific classes. Both should be ongoing with update sessions given regularly, only then will employees and organisations see the benefit.

Global industry is well on the road to a game-changing Fourth Industrial Revolution. It is not some hyped up notion years away from reality. It’s already here and has its origins in technologies and functionalities developed by visionary automation suppliers more than 15 years ago. Improvements in efficiency and profitability, increased innovation, and better management of safety, performance and environmental impact are just some of the benefits of an Internet of Things-enabled industrial environment. However, without an effective cybersecurity programme at its heart, ICS professionals will not be able to take advantage of the new technologies at their disposal for fear of the next breach.

Dave Sutton is product marketing manager at Schneider Electric.

For more information please visit: www.schneider-electric.co.uk

Free subscription

Register today

To receive a FREE subscription to Smart Machines & Factories journal please click here.

View the latest issue here.

View the past issue archive here.

View the SMF Media Pack here.

Free subscription and archives

Latest Issue

View the latest issue here

View the past issue archive here

Poll

Will Industry 4.0 revolutionise industrial production?
Current Results