To remain competitive in today's fast-paced, global environment, manufacturers are adopting newly designed, high-speed wireless networks to help take better control of plant operations. Engineers and operators are being armed with iPads, laptops and high-speed scanners running on these networks to bring their facilities up-to-date with instantaneous, real-time communication. For many, this is a critical investment to increase productivity, cut downtime and streamline operations for an unprecedented level of efficiency. Though these potential benefits sound tempting, they do come with a serious complication attached: cybersecurity.
Creating the kind of wireless networks needed to link up personnel across the manufacturing platform creates new vulnerabilities to cyber-attacks, says Jacob Kitchel, senior manager of security and compliance for Industrial Defender. Far more than the data-interception attacks expected in an administrative setting, unprotected wireless networks in the factory can lead to loss of control of plant operations, which can result in serious staff injury and equipment damage.
With these concerns, many manufacturers today are facing a tough choice: Do we focus on efficiency and communication or security and safety?
The Engine Behind Productivity
On the one hand, there are some serious gains to be seen by integrating wireless devices into plant operations. These can be anything from the added safety measures offered by remote cutoffs, to improved efficiency and monitoring along the assembly cycle, to the huge cost savings compared with non-wireless systems.
"We really see software and controls as the engine behind a very significant need for enhanced productivity," says Bernie Angers, general manager of control and communication systems at GE Intelligent Platforms. "We look at our industrial control technology as a way of driving productivity and developing better control of technology."
"The skill set of attackers has increased exponentially in the last five to six years."
Peter Van Hoof, electrical controls engineer at Nestle Nutrition, has seen such efficiency benefits from the wireless network he uses. "The flexibility you have now to walk up to a piece of equipment and tune it on your laptop is just priceless. You see all of the data right there in front of you without even having to think about it," he says. "This saves a lot of time and a lot of money. I don't know how we would do it differently."
But the increased visibility and control comes with new risks. "It can be very easy for attackers to get onto these wireless networks," Kitchel observes. "Networks remove the physical proximity requirement for attacks and allow attackers to work remotely."
These risks can be far more devastating than those to normal corporate networks, says James Phillippe, executive director of Advanced Security Center at Ernst & Young. "Attacks used to be for quick financial gain," he says, but adds they now can be anything from competitors stealing proprietary secrets on plant operation to terrorists attempting to take over operations to cause physical damage.
Kitchel says these denial-of-control attacks are the most threatening to operations. With these, "the attacker would find a way to directly communicate with a device or operations through existing wireless access and basically manipulate it outside of operational safety conditions," he says. This can hurt operations in two ways: financially by interfering with the manufacturing process, which would result in costly delays and product defects; and physically by, for example, accelerating turbines past their safety thresholds, which could hold potentially deadly consequences. "With these attacks, there is a real potential of physical harm of the people in the area," says Kitchel.
For some manufacturers, the potential security issues involved in adopting a wireless network are resulting in a very cautious implementation process. Michael Bastion, global controls manager at Ford Motor Co.'s Powertrain Division, recently spent 18 months working with his IT department to implement just one network. "We have really struggled getting through IT approval for wireless in the control space," he says. "To be honest, we probably are behind the industry a bit when it comes to wireless because of the security and interference issues."
Though common, this hyper-vigilance over cybersecurity may be a bit too much, says Kitchel. The potential for attacks that has been slowing this progress may not actually be quite as great as it seems. In fact, many of these risks can be mitigated simply by adopting existing security measures in a safe, sensible manner. There are only a few issues standing in the way.
The first is the use of inadequate safety tools. While there is a temptation to simply convert existing security systems into the operations network, Ernst & Young's Phillippe says, "You can't just replicate corporate IT into your OT [operational technology] environment and expect to be safe." He recommends using an industrial network system "designed specifically with security in mind -- built from the ground up to address these kinds of security concerns."
There is a host of wireless security specifically designed for the industrial environment, says Kitchel. "They generally rely on enterprise-grade wireless technology, which has been around for a while. This means it has had a lot of time to work out a lot of kinks and bugs, so it is pretty mature in that perspective." The biggest cybersecurity issue with it, he notes, is just that it "often gets deployed in a less than secure manner."
This leads to the second issue standing in the way of cybersecurity: a culture conflict between the OT and IT environments.
"OT networks traditionally are managed by operators and engineers rather than someone with an IT or information security background," Ernst & Young notes in a recent cybersecurity technical report. "As these individuals are trained to focus on safety and operating efficiency, cybersecurity awareness is often secondary -- it is not linked to its role in maintaining safety and process-operation effectiveness."
"OT has a real focus on safety and availability. In IT it is confidentiality, integrity and availability," Phillippe says about this conflict of expertise. "IT hasn't necessarily had to deal with the safety focus before. When systems go down, they haven't had to deal with people potentially getting hurt." On the other side, as OT and IT converge, he says, OT engineers will have to incorporate the confidentiality and integrity principles into their work.
"I want to see more IT working with controls," says David Wang, chief technology officer at Beet Analytics Technology. "With internet penetrating factory floors for the first time ever, there is a new playground for IT to apply IT technology." The systems they develop can lead to new standards for industrial security and create a network that will keep wireless operations running smoothly, efficiently and safely. With industry-wide standards, he says, many of these issues could be resolved.
Should manufacturers focus on efficiency and communication or security and safety? With thoughtful, informed and above-all careful integration of wireless networks and devices into operations, experts say, the answer really can be, "Both."