Reprinted with permission from "The Journal from Rockwell Automation and Our Partners," copyright 2013 by Rockwell Automation, Inc. and Putman Media, Inc.
Think about where your company manufactures or processes its product. In multiple countries? In remote locations? Regardless of where your information, recipes and manufacturing techniques reside, odds are those locations aren’t as secure as you hope.
According to Doug Wylie, CISSP and director of product security risk management at Rockwell Automation, with every new network connection, cyber risks expand and the attack surface available to threat actors seeking to damage, disrupt or steal something grows just a little bigger.
"It’s essential to recognize cyber security is not a one-time investment," says Wylie. "Millions of new devices and new users are becoming connected and interconnected around the world every day. Security is a commitment that commands vigilance and an ongoing investment in people, process, product and technology."
Whether it’s connected consumer products or industrial control devices, given the means, motive and opportunity, attackers can affect not only specific devices, but the systems to which these devices connect. This includes potentially affecting the availability, integrity and confidentiality of the information held within these devices and circulating within these systems.
So we all know we need to think more about information security. Fortunately, this exercise doesn’t have to be painful — and it’s even accompanied by numerous benefits. Most importantly, a good security strategy reduces the risk of a compromised process and helps protect assets along with information.
In addition, a great productivity opportunity exists with a secure infrastructure that allows the use of new technologies such as cloud, mobility, virtualization and smart devices.
With layered security and a defense-in-depth approach, leaders at industrial companies can better embrace, rather than fear, contemporary technologies and the open platforms they typically employ in building and operating their control systems. As the name suggests, a defense-in-depth strategy uses multiple, independent layers of defense (physical, electronic and procedural), each applying controls matched to a different type of risk, so that no single control is the only barrier between an attacker and the process.
Industrial security was a topic at the Rockwell Automation RSTechEd customer training event in June 2013 in San Diego. At one session, Kevin Zaba, vice president and general manager for the Rockwell Automation Control and Visualization Business, and Maciej Kranz, vice president and general manager of Cisco's Connected Industries Group, talked about the two companies' cooperative ventures in security.
Convergence of networks, devices and technologies is happening throughout enterprise networks, and now the concept will encompass factory and enterprise applications including security, Kranz pointed out.
"We're seeing a data flow between manufacturing, the enterprise and the cloud. Ten years from now, 27% of all devices connected to the Internet are forecast to be manufacturing devices. Security for devices is absolutely crucial to increase assurances for safety and operational integrity. The premise of separating the industrial network from the Internet is no longer sufficient," Kranz explains.
Both Kranz and Zaba agree that security controls and practices, when applied enterprise-wide, can help control access to business and industrial control systems, machines and industrial equipment, specific industrial control devices and key company information flowing within these systems. Furthermore, consistently applied security best practices can help protect specific operations that rely on the digital information used to control, configure and monitor both the enterprise and additional manufacturing and process systems.
Rockwell Automation and Cisco have identified three intersections of common interest around which they’re developing solutions: identity management of users, intellectual property, and trusted devices. The solutions include both products and strategies.
Identity management means knowing who a user is and where they are connecting from, and managing the roles and privileges of everyone who is granted access to the network. Kranz explains, "The access policy configured in the network infrastructure that governs identity is fundamental to protecting information and assets. It can ensure that a contractor, say, is granted access only from 8:00 a.m. to 5:00 p.m. and only from a certain floor of a certain building. Or that a regular employee can access the network only from the office or home — not from a WiFi network at a coffee shop."
Zaba emphasized the particular importance of such policies, saying, "Automation systems have a long life cycle — they’re installed and operational for years to decades. And there are many physical interactions with these systems: operators, maintenance engineers, contract workers — with some working in remote locations. You have to carefully control access for all of these people. In addition, you have to be able to change access dynamically, in real time."
A solution being offered by the two companies is based on Cisco's Identity Services Engine (ISE), which delivers enhanced security through consistent policy enforcement across wired and wireless networks. This technology, Kranz says, dynamically links to a user's profile to identify who the person is, what his or her job is, where the person is, what the time of day it is, and then grants or withholds access. "If an employee leaves, you can take that person's profile down immediately. And you can add a new employee or contractor just as quickly."
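The policy model Kranz describes above (who the person is, what their job is, where they are, what time it is, with immediate revocation when someone leaves) is attribute-based access control. The following is an added illustration written for this article, not code from Rockwell Automation, Cisco or the ISE product: a small, deny-by-default policy decision point over an in-memory identity store. The role names, network labels ("corp-wired", "home-vpn", "public-wifi"), location strings and resource names are all constructed for the example.

```python
"""Attribute-based access decisions: identity, role, location, network and time of day."""
from dataclasses import dataclass
from datetime import time
from typing import Dict, FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class Profile:
    """Identity record as an identity store would hold it (constructed, not an ISE schema)."""
    user: str
    role: str


@dataclass(frozen=True)
class Rule:
    """Access rule for one role. Any attribute left as None is unconstrained."""
    role: str
    resources: FrozenSet[str]                    # what the role may reach
    networks: FrozenSet[str]                     # connection types allowed (constructed labels)
    locations: Optional[FrozenSet[str]] = None   # physical location prefixes, e.g. "bldg-7/floor-3"
    start: Optional[time] = None                 # daily window start (inclusive)
    end: Optional[time] = None                   # daily window end (inclusive)


@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    network: str     # e.g. "corp-wired", "corp-wifi", "home-vpn", "public-wifi"
    location: str    # e.g. "bldg-7/floor-3", or "remote" for off-site
    now: str         # wall-clock time of the request as "HH:MM"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def _in_location(where: str, allowed: FrozenSet[str]) -> bool:
    # A rule for "bldg-7" covers "bldg-7/floor-3"; a rule for "bldg-7/floor-3" does not cover floor 2.
    return any(where == loc or where.startswith(loc + "/") for loc in allowed)


class PolicyEngine:
    """Deny-by-default policy decision point: every check must pass before access is granted."""

    def __init__(self, profiles: Iterable[Profile], rules: Iterable[Rule]) -> None:
        self._profiles: Dict[str, Profile] = {p.user: p for p in profiles}
        self._rules: Dict[str, Rule] = {r.role: r for r in rules}

    def enroll(self, profile: Profile) -> None:
        self._profiles[profile.user] = profile

    def revoke(self, user: str) -> None:
        # Taking the profile down removes every entitlement at once; the next decide() denies.
        self._profiles.pop(user, None)

    def decide(self, req: Request) -> Decision:
        profile = self._profiles.get(req.user)
        if profile is None:
            return Decision(False, "unknown or revoked identity")
        rule = self._rules.get(profile.role)
        if rule is None:
            return Decision(False, f"no rule for role {profile.role}")
        if req.resource not in rule.resources:
            return Decision(False, f"{profile.role} may not reach {req.resource}")
        if req.network not in rule.networks:
            return Decision(False, f"{req.network} not permitted for {profile.role}")
        if rule.locations is not None and not _in_location(req.location, rule.locations):
            return Decision(False, f"{req.location} not permitted for {profile.role}")
        now = time.fromisoformat(req.now)
        if (rule.start is not None and now < rule.start) or (rule.end is not None and now > rule.end):
            return Decision(False, "outside permitted hours")
        return Decision(True, f"{profile.role} {req.user} permitted on {req.resource}")


# Constructed sample policy, not taken from the article: a contractor confined to one floor,
# the wired network and business hours; a staff engineer allowed from office or home VPN only.
RULES = [
    Rule("contractor", resources=frozenset({"plc-line-4"}), networks=frozenset({"corp-wired"}),
         locations=frozenset({"bldg-7/floor-3"}), start=time(8, 0), end=time(17, 0)),
    Rule("engineer", resources=frozenset({"plc-line-4", "historian"}),
         networks=frozenset({"corp-wired", "corp-wifi", "home-vpn"})),
]
PROFILES = [Profile("c.vendor", "contractor"), Profile("a.engineer", "engineer")]


def build_engine() -> PolicyEngine:
    return PolicyEngine(PROFILES, RULES)


if __name__ == "__main__":
    engine = build_engine()
    for req in (Request("c.vendor", "plc-line-4", "corp-wired", "bldg-7/floor-3", "09:00"),
                Request("c.vendor", "plc-line-4", "corp-wired", "bldg-7/floor-3", "18:30"),
                Request("a.engineer", "historian", "public-wifi", "remote", "10:00")):
        d = engine.decide(req)
        print(f"{req.user:12} {req.resource:10} {'ALLOW' if d.allowed else 'DENY '} {d.reason}")
    engine.revoke("a.engineer")
    print(engine.decide(Request("a.engineer", "historian", "home-vpn", "remote", "10:00")).reason)
```

Each denial carries the first failed attribute as its reason, which is what an operator needs in the log when a legitimate user is blocked; the order of checks is resource, network, location, then time, so a request that is wrong on several counts is reported on the most fundamental one. Real enforcement points get the location and network attributes from the infrastructure (switch port, wireless SSID, VPN concentrator) rather than from the client, since anything the client asserts about itself cannot be trusted.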
Rockwell Automation is including ISE capabilities in its Stratix 5900 security appliance, Zaba said. "The appliance is our first to deliver VPN and firewalling simultaneously, making it ideal for securing cell/area zones and connecting remote operations."
"It's estimated that 60% of digital crime is related to some form of organized crime," Kranz notes. Customers may be operating in any country, and supported to some extent locally, he adds. "It's crucial to protect intellectual property such as the recipes and manufacturing techniques for your products."
"Yet," Zaba explains, "we must carefully balance security management with usability." Flexibility helps ensure that the right people have authorized access to the right levels of the industrial control system, and that the access to these systems is planned for accordingly.
Cisco offers a network management suite called Cisco Prime that allows users to "manage assets, both network and other infrastructure devices including mobile devices, to troubleshoot, to handle security applications and data protection," Kranz says. "We're now working on integrating Cisco Prime capabilities with Rockwell Automation's Studio 5000 software environment. That's the roadmap."
"Industrial control devices are getting smarter and smarter," Zaba adds. "We don't want to restrict their capabilities in any way. We want to embrace them."
The security and integrity of automation systems are what make it possible to use smart devices safely within them. Key control products such as programmable automation controllers, and network infrastructure components such as managed switches and security appliances, are enablers that can work together closely to help enhance the overall control system's security.
Building on the capabilities of Cisco ISE, Cisco Prime, the Stratix 5900 security appliance and the Studio 5000 Automation Engineering and Design Environment, Kranz says, such an environment can authorize new devices to join the company network and load applications onto them.
Though all connected industrial control systems are exposed to security risks, use of contemporary technologies and industrial control products designed with security in mind can markedly reduce the success rate of many threats that affect these systems. And, since increased system uptime ultimately equates to greater company profits, the costs associated with control system security can prove an investment repaid in dividends measured by reliable production and better-protected company assets and information.
- Are You Managing Your Security Risks?
Engineers and IT professionals can protect intellectual property and operational integrity by following these best practices.
- What the Cloud and Security Means to You
Learn what security measures and best practices you can use to optimize mobile devices and cloud computing in industrial settings.
- Data at Your Fingertips [PDF]
OEMs can design and set up a secure remote access system to aid manufacturers by providing real-time s