Industrial organizations are operating in ways they scarcely could have imagined a few decades ago. They are converging historically separate information technology (IT) and operations technology (OT) systems, and using mobile, analytics and cloud connectivity to increase collaboration and information sharing. This significantly improves operations, but it also creates substantially more entry points for security threats. The challenge of security is compounded by the growing sophistication of the hacking community.
Rockwell Automation began its own security assessment last year, and they turned the result of their analysis into a plan for securing facilities from individual equipment up to the cloud connectivity. “In 2016, we began discussions about protecting our assets. We wanted to create a security office similar to what Boeing and Airbus have. The goal was to protect our customers and our assets,” Lee Lane, chief product security officer at Rockwell Automation, told Design News. “We looked at security from a network point of view, and then we realized that the network isn’t the only way to attack an industrial system. As a result, we looked at the entire system, from individual aspects up to the cloud.”
In creating a security plan, Rockwell developed a three-step approach for building an industrial security program that extends from the enterprise to the plant level, and helps mitigate risk across people, processes and technology. The three steps include:
Step One: Conduct a security assessment -- Conduct a facility-wide assessment to understand risk areas and potential threats.
On this point, Lane explained that facility managers need to assess the potential risks from a security breach and develop plans accordingly. “This should make sense to anyone in security. What are you’re trying to protect? It’s the most important step: what do you have and what do you need to secure?,” said Lane. “You have to classify your assets by how important each one is. If you have molten steel coming in and you have a security breach, you’d need to know where the breach is it and what kind of damage it could do.”
|Check out the session on Turning Data into Information Every Part of the Supply Chain Can Use at the Advanced Design & Manufacturing , March 29-30, 2017, in Cleveland. The coference offers a wide range of sessions on the latest developments in automation and control. Register today!|
Once the assets are identified and classified by risk, then the security solutions can be developed to specifically address each asset and its risk. “What type of security do you want around it? You want to secure everything, but you have to classify what it is and what type of action you would take if it were breached,” said Lane. “Plants practice what would happen if there were a safety problem, but they do little on the security side.”
Step Two: Defense-in-depth security -- Deploy a multilayered security approach that establishes multiple tiers of defense.
Lanes notes that security is more than just networks. Even air-gapped equipment can be breached when it’s connected to an employee’s laptop. “The multi-layered approach to security doesn’t comes