For obvious reasons, security is one of the key topics in any digital transformation program. It is even more so for industrial production– and operation– systems.
In this case, the cybersecurity challenge is two-fold:
- First, you are usually planning to send a massive amount of your production data to the cloud provided by your IoT platform supplier. Since most of this data used to never leave your shop floor, making the leap may have new security ramifications, which need to be pondered.
- Secondly, for this data to be extracted, you will have to make your industrial devices – machines, industrial robots, automation, measurement and instrumentation systems – much more interconnected than they used to be. Therefore, the exposure of these systems to cyberattacks of any kind will increase dramatically if you do not take the appropriate steps.
1- Security of your industrial data in the cloud
The security issues linked to using an external cloud for your industrial data are very similar to those encountered when using the cloud for corporate IT applications. The initial homework you have to perform is to inventory the data you plan to send to the cloud, and assess its criticality, and its confidentiality (business-confidentiality, or for personal data, sensitivity from a privacy-regulation standpoint). Then, the issue boils down to answering a few questions:
- Can you trust your supplier to keep your data secure (from thefts), safe (from accidental losses and disasters), and available? If your supplier is one of the big players, the odds are that their capabilities in these areas are actually greater than those of your own internal IT.
- Can you trust your supplier to recognize your intellectual property and not reuse your data for himself? Answers here are contractual.
- If your cloud supplier is not located in your home country, do you comply with the cross-border regulations that apply to you: export regulations if your business handles sensitive technologies, and privacy regulations if your cloud handles any personal information (employee information, individual customer information …)? Answers here are legal and regulatory, and they are amongst the most difficult (for instance, the complexity of transnational privacy regulations cannot be overstated).
- And finally, for industries exposed to industrial espionage, did you check that no industrial secret hides in the data you plan to send to the cloud? Alternatively, if you need to send your industrial secrets to the cloud, can you obtain guaranties that your supplier will keep your data in your home country or in another trusted country?
2- Security of your industrial devices (machines, robots, automation systems)
When it comes to securing industrial computers, machines and automation systems, the issues, as opposed to the previous section, are substantially different from those of corporate IT security. As a matter of fact, machines, instruments and automation systems, present some unique and specific challenges with regard to cybersecurity:
- The nature of the risk is different: incidents may have consequences in the physical world (interruption of the fabrication process, damages to a machine, or even industrial accident)
- A number of technical security vulnerabilities are specific: unsecured standard communication protocols, mix of recent and older systems (typical lifecycle of industrial systems is twenty to thirty years), lack of consideration for security in the design of most off-the-shelf software and hardware components (despite recent improvements from main automation manufacturers, the majority of products used today have been designed more than five years ago)
- The operation constraints are specific: numerous standard IT-security best practices are often impractical in industrial environments, such as regular security patching, or interdiction of generic/anonymous logins
The first steps to address those challenges are organizational: identify the business risks on the shop floor, the business-critical industrial control systems, and define the risk management processes from the operations in the plant up to the executive board.
Protection comes next: define the overall security architecture of computer and industrial networks, by identifying security zones of various criticalities, and by defining the protection technologies to be used inside each zone as well as at the zone boundaries. Methods and technologies will somewhat differ from those used for the protection of corporate IT systems, for instance – as mentioned above – automatic security patching is often impractical on mission-critical industrial systems.
Detection of – and reaction to – incidents and abnormal events is the indispensable last step of an all-around cybersecurity approach. Once again, methods and technologies dedicated to industrial systems have to be used, for instance intrusion detection probes with a capability to dissect and analyze standard industrial control protocols.