Because smart manufacturing can't even leave the garage if it isn't secure, Jim LaBonty, director of global automation, Pfizer Global Engineering, led off the Life Sciences Forum at the 2016 Automation Fair event by detailing how Pfizer approaches cybersecurity.
"When we talk about security risks, it's not a matter of when, but rather how one contains and limits the impact of a cybersecurity risk to industrial manufacturing," said LaBonty. "Every challenge to devices, applications, computers, networks and physical facilities is serious, and needs to be considered when protecting plants and manufacturing sites.
“The key takeaway is that no single product, methodology or technology can secure today's manufacturing control system applications. We need to collectively work together on all aspects, such as patching software and running antivirus programs, to make sure we've established integrated layers of defense."
LaBonty reported that a war on automation infrastructures is underway, and that external intrusions and attacks have been ramping up for the past 10 years. However, he added that control systems can no longer rely on their historically physical isolation because so many now have links to higher-level enterprise systems and the Internet to get useful data out. Unfortunately, this creates security vulnerabilities that must be managed.
"Pfizer isn't perfect when it comes to cybersecurity, but we're working with our plant sites to establish these secure layers," explained LaBonty. "We're finding that they have different levels of security capabilities, but we also know this is continuous process for everyone. This is because intrusions and cyber attacks are growing increasingly sophisticated. In fact, the number of attempted cyber attacks on most manufacturing sites—including Pfizer's—are now in the millions per day, and so we've got to get cybersecurity infrastructures in place from our global networks down to the plant floor. Our initial cybersecurity designs were usually two network interface cards (NICs), Ethernet and servers, but we've been updating them to better designs."
More threats to controls
As if the existing security situation wasn't dire enough, LaBonty reported that traditional hackers are increasingly joined by nation-states bankrolling teams of attackers breaking into corporate networks down to their lowest levels, mostly to discredit and disrupt their brands.
"Control systems must establish defense in depth, but they can also look at sending network logs and data back up to users for inspection," said LaBonty. "This can be very helpful because it lets users see if anything has changed or gone wrong at the control level, which is a huge advantage. Defense-in-depth strategies can also define authorized traffic, so at Pfizer, we use a series of firewalls as our network goes down to the controls level, where there are more secure zones. Firewalls aren't too costly, and they can pay for themselves quickly. We're also using software to analyze network traffic patterns, which gives good indications when something or someone is trying to transgress, and a proactive indicator of what to investigate."
Share and aware
Beyond these technical fixes, LaBonty reported that manufacturers, system integrators, suppliers and contractors must share their cybersecurity knowledge, so they can develop and present a unified response to probes, intrusions, threats and attacks.
"Awareness by everyone is the key because we're only as secure as our weakest link," said LaBonty. "Our older networks just had one firewall between IT and the production levels below, but behind this castle-and-drawbridge, there was a free-for-all of data going everywhere. So, we've rigorously added another layer with secure zones protecting each business asset from the others. These secure areas are divided by purpose-built firewall gateways, such as the Allen-Bradley Stratix 5950 security appliance from Rockwell Automation. We also segmented a lot of older equipment away from our newer systems and devices."
Similar to physical networks, LaBonty noted that cybersecurity also requires users to decide on and establish clear demarcation lines between their site automation teams and their IT counterparts.
"It’s good for security to establish clear roles and responsibilities, and it also helps when different players need to talk to each other," added LaBonty. "This demarcation is also important because Pfizer outsources a lot of IT, and they're not familiar with our individual sites. So, we definitely don't want them trying to manage any production because they don't know the ramification of their actions."
Finally, personnel and organizational issues like these are the most important cybersecurity issues for process control and automation users and suppliers to solve, according to LaBonty. "The easiest and most popular ingress for cyberattack is spearphishing, which tricks people into opening emails and clicking on links that download malware," he said. "So educating workforces on policies and procedures to protect against these threats is also crucial."
This article was originally published on ControlGlobal.com.