Cybersecurity at the heart of the Fourth Industrial Revolution.

08/02/2017
Ray Dooley, Product Manager Industrial Control at Schneider Electric Ireland examines the importance of maintaining security as we progress through Industry 4.o.
Ray Dooley, Schneider Electric Ireland

Ray Dooley, Schneider Electric Ireland

A technical evolution has taken place, which has made cyber threats more potent than at any other time in our history. As businesses seek to embrace Industry 4.0, cybersecurity protection must be a top priority for Industrial Control Systems (ICS). These attacks are financially crippling, reduce production and business innovation, and cost lives.

In years gone by, legacy ICS were developed with proprietary technology and were isolated from the outside world, so physical perimeter security was deemed adequate and cyber security was not relevant. However, today the rise of digital manufacturing means many control systems use open or standardised technologies to both reduce costs and improve performance, employing direct communications between control and business systems. Companies must now be proactive to secure their systems online as well as offline.

This exposes vulnerabilities previously thought to affect only office and business computers, so cyber attacks now come from both inside and outside of the industrial control system network. The problem here is that a successful cyber attack on the ICS domain can have a fundamentally more severe impact than a similar incident in the IT domain.

The proliferation of cyber threats has prompted asset owners in industrial environments to search for security solutions that can protect their assets and prevent potentially significant monetary loss and brand erosion. While some industries, such as financial services, have made progress in minimising the risk of cyber attacks, the barriers to improving cybersecurity remain high. More open and collaborative networks have made systems more vulnerable to attack. Furthermore, end user awareness and appreciation of the level of risk is inadequate across most industries outside critical infrastructure environments.

Uncertainty in the regulatory landscape also remains a significant restraint. With the increased use of commercial off-the-shelf IT solutions in industrial environments, control system availability is vulnerable to malware targeted at commercial systems. Inadequate expertise in industrial IT networks is a sector-wide challenge. Against this backdrop, organisations need to partner with a solutions provider who understands the unique characteristics and challenges of the industrial environment and is committed to security.

Assess the risks
A Defence-in-Depth approach is recommended. This starts with risk assessment – the process of analysing and documenting the environment and related systems to identify, and prioritise potential threats. The assessment examines the possible threats from internal sources, such as disgruntled employees and contractors and external sources such as hackers and vandals. It also examines the potential threats to continuity of operation and assesses the value and vulnerability of assets such as proprietary recipes and other intellectual properties, processes, and financial data. Organisations can use the outcome of this assessment to prioritise cybersecurity resource investments.

Develop a security plan
Existing security products and technologies can only go part way to securing an automation solution. They must be deployed in conjunction with a security plan. A well designed security plan coupled with diligent maintenance and oversight is essential to securing modern automation systems and networks. As the cybersecurity landscape evolves, users should continuously reassess their security policies and revisit the defence-in-depth approach to mitigate against any future attacks. Cyber attacks on critical manufacturers in the US alone have increased by 20 per cent, so it’s imperative that security plans are up to date.

Upskilling the workforce
There are increasingly fewer skilled operators in today’s plants, as the older, expert workforce moves into retirement. So the Fourth Industrial Revolution presents a golden opportunity for manufacturing to bridge the gap and bolster the workforce, putting real-time status and diagnostic information at their disposal. At the same time, however, this workforce needs to be raised with the cybersecurity know-how to cope with modern threats.

In this regard, training is crucial to any defence-in-depth campaign and the development of a security conscious culture. There are two phases to such a programme: raising general awareness of policy and procedure, and job-specific classes. Both should be ongoing with update sessions given regularly, only then will employees and organisations see the benefit.

Global industry is well on the road to a game-changing Fourth Industrial Revolution. It is not some hyped up notion years away from reality. It’s already here and has its origins in technologies and functionalities developed by visionary automation suppliers more than 15 years ago. Improvements in efficiency and profitability, increased innovation, and better management of safety, performance and environmental impact are just some of the benefits of an Internet of Things-enabled industrial environment. However, without an effective cybersecurity programme at its heart, ICS professionals will not be able to take advantage of the new technologies at their disposal for fear of the next breach.

@SchneiderElec #Pauto #Industrie40


The internet of zombies.

27/06/2016
Last year, a Radware report stated more than 90 per cent of companies surveyed had experienced some sort of cyber attack. However, the term internet of zombies describes a more advanced kind of attack. Here, Jonathan Wilkins of EU Automation discusses the internet of zombies and how companies can prepare for the outbreak. 

Since Dawn of the Dead was first released in 1978, the possibility of a viral outbreak that will turn us all into night crawling, flesh-eating zombies has become a worry for many and a very prolific Hollywood theme. While it’s unlikely this will ever happen, industry has recently started facing an epidemic across IT systems that companies should be aware of. The internet of zombies won’t result in the end of civilisation, but it does put your company’s confidential information at risk. 

Internet_ZombiesThe term internet of zombies, was coined by cyber security solutions provider, Radware in its Global Application and Network Security Report 2015-16. The concept refers to the rise of an advanced type of Distributed Denial of Service (DDoS) attack, named Advanced Persistent Denial of Service (APDoS). This type of attack uses short bursts of high volume attacks in random intervals, spanning a time frame of several weeks.

In 2015, more than 90 per cent of companies surveyed by Radware experienced a cyber attack. Half of these were victims of an APDoS – up from 27 per cent in 2014.  The report by Radware suggested 60 per cent of its customers were prepared for a traditional attack, but not an APDoS.

Typically, APDoS attacks display five key properties: advanced reconnaissance, tactical execution, explicit motivation, large computing capacity and simultaneous multi-layer attacks over extended periods. The attacks are more likely to be perpetrated by well-resourced and exceptionally skilled hackers that have access to substantial commercial grade computing equipment.

Hackers use virtual smoke screens to divert attention, leaving systems vulnerable to further attacks that are more damaging, such as extortion and theft of customer data.  While the financial services sector is most likely to be targeted, almost anyone can fall victim to the highly effective attacks.

This type of attack is becoming increasingly common in retail and healthcare, where data is considered to be up to 50 per cent more valuable. As IT systems across different sectors become more automated, cyber security specialists are predicting these persistent attacks will happen even more frequently.

Businesses need to find new ways to fight the internet of zombies and can prepare for the outbreak by ensuring they’re equipped to make decisions quickly at the first sign of a hack. Combining several layers of virtual protection with skilled professionals should be the first line of defence for information security.

Paying for additional capacity when developing a website can make the process costly; so many companies scale their system to match a predictable peak. However, in an APDoS attack, sites can experience ten or 20 times more traffic than their usual maximum so it makes sense to allow a healthy margin of error when developing a system.

Having a response plan in place will also improve the chances of restoring a system before any major damage is done. The plan should include preparing contact lists and procedures in advance, analysing the incident as it happens, performing the mitigation steps and undergoinga thorough investigation to record the lessons learned.

It’s likely that zombie films will be as popular as ever in 2016, with another instalment of Resident Evil on the cards. Let’s make sure that the internet of zombies doesn’t rear its head as well by preparing ourselves for the outbreak of APDoS that’s heading our way.

@euautomation #PAuto #Cybersecurity @StoneJunctionPR

Food & Pharmaceutical Futures.

21/03/2016

ISA’s first international symposium outside of North America is adjudged a success.

centreview

From the time it was firsted mooted for Ireland in 2015 the planning for the 3rd ISA Food & Pharmaceutical Symposium was embraced with enthusiasm by the local Ireland Section. This was in Philadelphia early in 2015  and since then the ISA’s Food & Pharma Division under the able directorship of Canadian Andre Michel has ploughed forward overcoming setbacks and the not inconsiderable distances between North America and the capital of Munster. Chair of the symposium and former Ireland Section President, Dave O’Brien directed a strong committee charged with ensuring the this, the first such international symposium organised by the ISA outside of North America would be a resounding success.

And it was.

Venues were assessed, speakers recruited and the various minutiae associated with organising an international event were discussed, duties asigned and problems solved over many late night transatlantic telephone conferences. Using the experience of the ISA staff in North Carolina and the many years experience of organising table-top events and conferences in Ireland by the Ireland Section a very creditable event was staged at the Rochestown Park Hotel. With some justification the Symposium Chair could state before the event started “We have assembled a truly outstanding program this year, featuring some of the world’s most accomplished experts in serialization, process optimization, cyber security and alarm management to name a few. These experts will speak on the vital issues affecting food and drug manufacturers and distributors. We are delighted to have the opportunity to bring this event to Ireland for its first time outside of the United States!” Indeed upwards of 200 registrands attended the two day event and it was notable that the bulk of these stayed until the final sessions were completed.

• All through the event highlights were tweeted (and retweeted on the Ireland Section’s own twitter account) with the hashtag #FPID16. See also the ISA official release after the event: Food & Pharma symposium almost doubles in size!

day1e

ISA President Jim Keaveney (3rd from right) with some of the speakers ath the FPID Symposium

Technology and Innovation for 2020 Global Demands
Two fluent keynote speakers, Paul McKenzie, Senior Vice President, Global Biologics Manufacturing & Technical Operations at Biogen (who addressed “Driving Change Thru Innovation & Standards”) and Dr Peter Martin, VP and Edison Master, Schneider Electric Company (Innovation and a Future Perspective on Automation and Control) may be said to have set the tone. The event was also graced with the presence of ISA Internationa President for 2016 Mr Jim Keaveney.

We will highlight a few of the sessions here!

Serialization:
The important subject of serialization which affects all level of the pharmaceutical business especially in view of deadlines in the USA and the EU. From an overview of the need and the technology to a deep dive into the user requirements, this session provided the latest information on the world requirements and helping provide the solution needed in each facility. Speakers, as in most sessions, were drawn from standard, vendor and user organisations as well as state enforcement agencies.

Track & Trace:
In the parallel Food thread of the symposium the role of track and trace technologies were examined. Product safety, output quality, variability and uniqueness of customer requirements manufacturers are facing increasing demands on the traceability of raw materials, real-time status of manufactured goods and tracking genealogy of products throughout the value chain from single line to the multiple sites of global manufacturers. The evolution of data systems and technologies being offered means greater benefits for Industry and presenters Vision ID and Crest will show these solutions and the advantage of modernization.

 

day1a2Both threads came together for much of the event mirroring the similarity of many of the technologies and requirements of each sector.

Digitalization:
Digitalization in industry shows what bringing the worlds of automation and digitalization together provides true and advanced paperless manufacturing with more complex devices and interconnected data systems. This is an enabler to integrated operations within industry. Using MES as a core concept to create a Digital Plant and optimized solutions with data driven services was explained. And a practicale example of a plant was discussed showing the journey to paperless manufacturing and a real pharmaceutical strategy of integrating automated and manual operations.

 

eric_cosman

Eric Cosman makes a point!

Cybersecurity:
Of course this is one of the key topics in automation in this day and age. Without implementing the proper preventative measures, an industrial cyber-attack can contribute to equipment failure, production loss or regulatory violations, with possible negative impacts on the environment or public welfare. Incidents of attacks on these critical network infrastructure and control systems highlight vulnerabilities in the essential infrastructure of society, such as the smart grid, which may become more of a focus for cybercriminals in the future. As well as threats from external sources steps ought to be taken to protect control and automation systems from internal threats which can cripple a company for days or months. This session highlighted the nature of these threats, how systems and infrastructure can be protected, and methods to minimize attacks on businesses.

 

Automation Challenges for a Greenfield Biotech Facility:
These were outlined in this session in the pharmaceutical thread. Recent advances in biotechnology are helping prepare for society’s most pressing challenges. As a result, the biotech industry has seen extensive growth and considerable investment over the last number of years. Automation of Biotech plants has become increasingly important and is seen as a key differentiator for modern biotech facilities. Repeatable, data rich and reliable operations are an expectation in bringing products to market faster, monitor and predict performance and ensure right first time delivery. This session provided the most topical trends in automation of biotech facilities and demonstrated how current best practices make the difference and deliver greater value to businesses.

Process Optimization and Rationalization:
Meanwhile in the Food & Beverage thread incremental automation improvement keeps competitiveness strong. Corporate control system standardization leads to constant demand for increases in production and quality.

Industry 4.0 (Digital Factory: Automate to Survive):

Networking

Networking between sessions

The fourth industrial revolution is happening! This session asked how Global Industry and Ireland are positioned. What did this mean to Manufacturer’s and Industry as a whole? The use of data-driven technologies, the Internet of things (IoT) and Cyber-Physical Systems all integrate intelligently in a modern manufacturing facility. Enterprise Ireland and the IDA headlined this topic along with the ICMR (Irish Centre for Manufacturing Research) and vendors Rockwell and Siemens.

OEE and Automation Lifecycle: Plant lifecycle and Operational Equipment Effectiveness

Networking2

More networking

Worldwide today many of the over 60 Billion Euro spend in installed control systems are reaching the end of their useful life. However, some of these controls, operational since the 80’s and 90’s, invested significantly in developing their intellectual property and much of what was good then is still good now. Of course some aspects still need to evolve with the times. This requires funding, time and talent. For quite some time now there has been a skilled automation shortage at many companies leading organizations to outsourcing, partnerships and collaboration with SME’s to help manage the institutional knowledge of their installed control systems. With corporate leadership sensitive to return to shareholders, plant renovation approval hurdle rates are usually high when it comes to refreshing these control systems. In many manufacturing facilities, engineers and production managers have been asked to cut costs and yet still advance productivity. To solve this dilemma, many world class facilities continue to focus on driving improvements through the use of automation and information technology. Some are finding that using existing assets in conjunction with focused enhancement efforts can take advantage of both worlds. Here we were shown great examples of where innovation and such experiences are helping to create real value for automatio modernization.

 

day1b2

Alarm management:
And of course no matter how sophisticated systems are Alarms are always require and neccessary. DCSs, SCADA systems, PLCs, or Safety Systems use alarms. Ineffective alarm management systems are contributing factors to many major process accidents and so this was an importan session to end the symposium.

The social aspect of this event was not forgotton and following a wine reception there was a evening of networking with music at the end of the first day.

Training Courses:
On the Wednesday, although the symposium itself was finished there were two formal all day training courses. These covered, Introduction to Industrial Automation Security and the ANSI/ISA-62443 Standards (IC32C – Leader Eric Cosman, OIT Concepts ), and Introduction to the Management of Alarm Systems (IC39C – Leader Nick Sands, DuP0nt). These, and other, ISA courses are regularly held in North America and the Ireland Section occasionally arranges for them in Ireland.

All in all the Ireland Section and its members may feel very proud in looking back on a very well organised and informative event which in an email from one of the attendees, “Thank you all, It was the best symposium I attended in the last 10 years!”

Well done!

day1c

#FPID16 #PAuto #PHarma #Food

The 2017 FPID Conference is scheduled for Boston (MA USA) for 16-17 May 2017.


Complacency significantly raises risk of damaging cyberattack worldwide!

19/12/2014
Inadequate training and a culture of complacency among many owners and operators of critical infrastructure are significantly raising the risks of highly damaging cyberattack throughout the world.

That’s the viewpoint expressed by Steve Mustard, an industrial cybersecurity subject-matter expert of the International Society of Automation (ISA),  an European registered Eur Ing and a British registered Chartered Engineer and consultant with extensive development and management experience in real-time embedded equipment and automation systems.

Mustard, fresh off a trip to the Caribbean where he delivered a presentation on industrial cybersecurity to industry officials in petroleum and petrochemical operations, says that despite greater overall awareness of the need for improved industrial cybersecurity, not nearly enough is being done to implement basic cybersecurity measures and reinforce them through adequate staff training and changes in corporate culture.

cybersecurity“Everywhere I go I see the same issues, so this is not so much a company-by-company issue as it is an ‘industry culture’ issue,” maintains Mustard, an ISA99 Security Standards Committee member and an important contributor to the development of the ISA99/IEC 62443 industrial cybersecurity standards. “So much work has been done in the IT world on security that many believe they have mitigated the risks.

“For example, most security experts at the NIST (National Institute of Standards and Technology) meetings on the US Cybersecurity Framework could not understand why we were still discussing the most basic security controls, but yet a visit to almost any critical infrastructure facility will reveal that while there may be established policies and procedures in place, they are not properly embedded into training and the operational culture. Too many owner/operators I meet believe that because they have not seen a cybersecurity-based incident themselves that it will never happen. This sort of complacency is why there will be a major incident.”

He points to the steady flow of cyberattacks on industrial automation control systems (IACS) and supervisory control and data acquisition (SCADA) networks being tracked by the Repository of Industrial Security Incidents (RISI).

“There have been many incidents in the past 10-15 years that can be traced back to insufficient cybersecurity measures,” he says. “There are many every year, most of which escape public notice. In fact, it’s widely believed that there are many more that are never reported,” he discloses. “The RISI analysis shows time and again that these incidents are generally the result of the same basic cybersecurity control failures. It is often only the presence of external failsafe and protection mechanisms that these incidents do not lead to more catastrophic consequences. Many use these protection mechanisms to argue that the concern over the consequences of cyberattack is exaggerated, and yet incidents such as Deepwater Horizon should teach us that these protection mechanisms can and do fail.”

Emphasis on security seldom matches emphasis on safety; security influenced by significant reliance on third-party workers
While the need for safety is well understood in facilities such as offshore drilling rigs, attention to security is often minimal.

“This is partly because these facilities are usually so remote (i.e. 50 miles offshore) and/or appear to be secure (It’s not possible to just walk into an offshore or onshore facility without having the appropriate clearance.) and also because there is little or no experience of cybersecurity-related incidents, whereas there is usually some direct or anecdotal experience of safety-related incidents.

“Another issue is the very significant reliance on third parties to install and support IACS equipment,” Mustard continues. “This creates two issues—in-house staff often lack complete understanding of the equipment needed to provide reliable on-site support and there is a continuous flow of third-party staff in facilities. Although security is generally tight in these facilities, there is a lot of reliance on third parties to ensure their own contract staff are correctly vetted, and yet third parties may not be as thorough as owners and operators.

“Furthermore, third-party employees will have their own computers and removable media. The owner/operator may rely on the third party to scan their devices for malware before they are connected to the IACS equipment, but there is no guarantee that this is the case.”

USB flash drives and other USB devices continue to pose serious cybersecurity threats
“Use of USB devices still remains one of the most common ways an industrial control network can be infected. There are a number of factors at play. Many, or even most, IACS equipment runs without anti-virus software. Rarely, is the equipment ‘security hardened’ and very often default accounts and passwords are either hardcoded or not removed/changed before go-live.

“In addition, the operating systems and applications are often not patched at all or if they are, they are not patched regularly. This creates a whole host of vulnerabilities that can be exploited by malware. While most standards recommend the elimination of USB removable media devices and that all ports be locked down, this is rarely the case. Since machines are usually not connected to the Internet, removable media is often the only way to transfer files. And while IT policies might enforce virus scanning of such devices before and after use, this often does not get enforced in IACS environments.

thumbI heard recently anecdotally that a major oil and gas company detected the Stuxnet virus on its networks, and was found to have originated from an infected USB drive. This company has relatively good cybersecurity controls in place so you can imagine how easily this can happen in other organizations that have not yet grasped the importance of cybersecurity.”


Three in four across 10 countries fearful Cyber Attacks could damage their country’s economy.

16/11/2014

Three quarters of surveyed adults (75 percent) across 10 countries say they are fearful that cyber hackers are carrying out attacks on major industries and sectors of the economy in their countries, according to the results of a study announced recently by Honeywell Process Solutions.

cyberbugMany survey respondents (36 percent) indicate they do not believe that it is possible to stop all the cyber attacks. A similar proportion (36 percent globally) report they don’t have faith in their country’s ability to keep up with cyber attacks because they feel that governments and organizations are not taking these threats seriously enough, particularly those respondents in India (61 percent), China (48 percent), and Mexico (47 percent).

“Cyber attacks are a clear and present threat to every industry, in every country throughout the world,” said Michael Chertoff, co-founder and executive chairman of the Chertoff Group, and former head of the U.S. Department of Homeland Security. “This threat is real and industries need a proactive and coordinated approach to protect their assets as well as their intellectual property. We have seen a number of attacks to critical industries in areas like the Middle East and the U.S. and these have had major impacts on their operations.”

The British government estimates that cyber security breaches at British energy companies alone cost those companies about 400 million pounds ($664 million) every year. In the United States, the Department of Homeland Security said that more than 40 percent of industrial cyber attacks targeted the energy industry in 2012, the last full year reported.

Methodology
These are findings of a poll conducted by Ipsos Public Affairs Research, September 2- 16, 2014. For the survey, a sample of 5,065 adults across 10 countries was interviewed online. This included approximately 500 interviews in each of Australia, Mexico, Russia, Brazil, China, India, Japan, the United Arab Emirates, Great Britain and the United States. Results are weighted to the general adult population ages 16–64 in each country (or in the U.S. 18–64). A survey with an unweighted probability sample of 5,065 adults and a 100% response rate would have an estimated margin of error of +/- 1.4 percentage point, 19 times out of 20 of what the results would have been had the entire population of adults in the participating countries been polled. Each individual country would have an estimated margin of error of 4.4 percentage points. All sample surveys and polls may be subject to other sources of error, including, but not limited to coverage error, and measurement error.

“These survey results are not surprising in light of the recent cyber attacks that have made headlines in several areas around the world,” said Jeff Zindel, leader of HPS’ Industrial Cyber Security business. “The impacts of these attacks, as well as others that have not been publicly reported, have cost companies and governments billions of dollars through operational issues and loss of intellectual property.”

For more than a decade, HPS has developed and delivered cyber security technology and solutions to industrial customers around the world through its Honeywell Industrial Cyber Security organization. This team has delivered more than 500 industrial cyber security projects integrated with its process automation solutions which are used at sites such as refineries, chemical plants, gas processing units, power plants, mines and mills.

In December 2014, HPS will establish the Honeywell Industrial Cyber Security Lab near Atlanta (GA USA). The lab will expand the company’s research capabilities and will feature a model of a complete process control network which Honeywell cyber security experts will leverage to develop, test and certify industrial cyber security solutions. This lab will help accelerate proprietary research and development of new cyber technologies and solutions to help defend industrial facilities, operations and people.

Among other findings of the survey:

• Four in ten (40 percent) survey respondents are not sure about how well their government or private industrial sectors are able to defend against cyber hackers, including 10 percent who are not at all confident.
• When asked about the vulnerability of nine critical industry sectors (which have varying degrees of computer and internet security systems in place to guard against cyber hackers), majorities of respondents globally see all sectors as being vulnerable to cyber attacks. Industrial sectors likely to be perceived as vulnerable to such attacks include oil and gas production (64 percent), medical/health care/pharmaceuticals (64 percent), power grid (63 percent), chemicals (61 percent) and aerospace/defense (59 percent).
• Those in India (92%) and Japan (89%) are most worried about cyber attacks, whereas Russian adults (53%) express the lowest level of overall concern.
• Among those who are relatively unconcerned about cyber hackers (“not very fearful” or “not at all fearful”), no single factor stands out as a primary justification. Many (31 percent) say that this is because they believe the risk of something major actually happening is really quite low, particularly in Australia (52 percent).

Other reasons for lower levels of concern include:

• Cyber hackers would have already done something big if they actually had these capabilities (25%),
• Computer and Internet security has been able to counter or block almost all of the threats (24%); or,
• Governments and its intelligence and armed forces will not let this happen (24%).


Securing automation systems – a step by step approach

25/10/2014

Prof. Dr. Frithjof Klasen, the writer of this presentation, is a member of the Managing Board of the PROFIBUS Nutzerorganisation e.V. (PNO), Director of the Institute for Automation & Industrial IT (AIT) at FH Köln, and Director of AIT Solutions GmbH in Gummersbach.

Prof. Dr. Frithjof Klasen

Prof. Dr. Frithjof Klasen

The big problem when it comes to security for automation systems: there are no simple solutions.

A system is only safe if the threats are known. Typical security threats in production include infection by malware, unauthorized use (both intentional and unintentional), manipulation of data, espionage and related know-how loss, and denial of service. The consequences can be loss of production, reduced product quality, and endangerment of humans and machines.

In order to evaluate threats, the properties and possible weak points of devices and systems must be known. After all, a property that is useful from the automation perspective – for example, the ability for a programming device to access a controller without authentication – is seen as a possible weak point from the security perspective. It is necessary to distinguish these weak points in order to assess risks, develop security solutions, and take appropriate measures:

  • Weak points that arise due to incorrect implementation (for example, faulty device behavior).
  • Conceptually planned and accepted properties. These include all features that can also be exploited for attack purposes. An example here would be an integrated web server in an automation device.
  • Weak points that are caused by organizational measures or lack thereof.

Field devices not only contain communication technologies for transmission of process signals (real-time communication) but also standard IT technologies, such as FTP services. In addition, field devices also operate as network infrastructure components (switches) and therefore have services and protocols that are needed for network management and diagnostic purposes. The fact of the matter is that most communication protocols at the field level have no integrated security mechanisms. Devices and data are not authenticated and, consequently, within the scope of a possible attack, systems at the field level can be expanded at will and communications can be imported. Even the transferring of PLC programs often takes place without use of security measures such as user authentication and integrity protection.

There is no panacea

Ideally, users would like to have a tool, certification, or system that promises them long-term security. The difficulty, however, is that such solutions don’t provide lasting security. In order to develop secure systems, users must not only implement technical measures but also conceptual and organizational measures. And everyone will know from their own experience that processes can be implemented in technologies much faster than in the minds of people.

However, conceptual and organizational weak points can be more easily overcome when they are described in guideline documents. For example, PI developed a Security Guideline for PROFINET in 2006 and published a completely revised version of this guideline at the end of 2013. This guideline specifies ideas and concepts on how security solutions can be implemented and which security solutions should be implemented. The subject of risk analysis is covered, for example. This analysis estimates the probability of a damage event and its possible consequences, based on protection goals, weak points, and possible threats. Only on the basis of an analysis of this type can appropriate security measures be derived that are also economically feasible. A series of proven best practices are also given, such as the cell protection concept.

Making devices more secure
Another measure concerns the device security. After all, robust devices are the basis for stable processes and systems. They are a basic prerequisite for security in automation. Weak points due to incorrect implementation can be eliminated only through appropriate quality assurance measures and certifications. In large networks, system availability matters the most. To achieve this, devices must respond reliably to various network load scenarios. In systems with many devices, an unintended elevated broadcast load can occur on the network during commissioning, for example, when the master attempts repeatedly to access all devices even though only a few devices are connected. The available devices must be able to handle this abnormal load. It is difficult for operators to predict such scenarios since the probability of a high data volume is dependent on the system. The reason is that the data traffic is determined by cyclic and acyclic data exchange as well as the event-driven data volume.

With the help of the Security Level 1 Tester developed by PI for certification of PROFINET devices and free-of-charge to member companies, such network load scenarios up to and including denial of service can be simulated already in advance. The field devices are tested under stress conditions to simulate an unpredictable load and, thus, to reduce device failures. Uniform test specifications have been defined for this, which can be systematically applied by the test tool. In addition, various network load-related scenarios have been developed that take into account various frame types and sizes as well as the repetition period and number of frames per unit of time, among other things. The network load-related test is already being required by various end users such as the automotive industry. This test is already integrated in the device certification testing according to the latest PROFINET 2.3 specification and must therefore be passed in order for a device to be certified. Users that purchase such a certified device can rely on having a correspondingly robust device.

By no means are all problems solved
Only those who know their devices can protect them. Still, not all manufacturers provide comprehensive information about the utilized protocols and services and communication properties of their devices. Another problem: in spite of security, users must still be able to handle and operate systems. No maintenance technician wants to be looking for a certification key for a failed device at 2 AM in order to bring a system back online. Future-oriented concepts therefore master the tightrope walk between usability and security.

Securing_Automation_Systems• PI has been dealing with the issue of security for years. For example, one PI Working Group is concentrating continuously on security concepts. A product of this is the PROFINET Security Guideline, which can also be downloaded free of charge by non-members. Moreover, further development of the Security Level 1 Tester is being advanced here. In so doing, it is important to all participants that the described and recommended procedures are sustainable and practicable and ultimately also accepted by users. Only in this way can protection concepts be truly successful.


The US cybersecurity framework for implementation!

14/02/2014
A unique, public-private partnership effort now turns to the plan’s implementation

The official rollout of the US Cybersecurity Framework, recognized this past Wednesday in an announcement delivered by President Barack Obama, represents the completion of a successful partnership effort among The White House, the Automation Federation and its founding organization, the International Society of Automation (ISA). Now, the second phase of the partnership—working together to implement the framework—begins.

US President Obama

US President Obama

The US Cybersecurity Framework, the result of a year-long initiative to develop a voluntary how-to guide for American industry and operators of critical infrastructure to strengthen their cyber defenses. is a key deliverable from the Executive Order on “Improving Critical Infrastructure Cybersecurity” that President Obama announced in his 2013 State of the Union address.

During the past year, representatives of the Automation Federation and the International Society of Automation (ISA) have been assisting the US government—at the White House’s request—to help develop and refine a draft of the US Cybersecurity Framework. Both organisations were sought out as essential government advisors given their expertise in developing and advocating for industrial automation and control system (IACS) security standards. The ANSI/ISA99, Industrial Automation and Control Systems Security standards (known internationally as ISA99/IEC 62443), are recognized globally for their comprehensive, all-inclusive approach to IACS security.

ISA’s IACS security standards are among the framework’s recommendations because they’re designed to prevent and mitigate potentially devastating cyber damage to industrial plant systems and networks—commonly used in transportation grids, power plants, water treatment facilities, and other vital industrial settings. Without these defenses in place, industrial cyberattack can result in plant shutdown, operational and equipment impairment, severe economic and environmental damage, and public endangerment.

A significant step forward in protection
President Obama, in his statement released on last Wednesday in Washington, DC, said that “cyber threats pose one the gravest national security dangers that the United States faces. I am pleased to receive the Cybersecurity Framework, which reflects the good work of hundreds of companies, multiple federal agencies and contributors from around the world.”

The 41-page framework takes a risk-management approach that allows organizations to adapt to “a changing cybersecurity landscape and responds to evolving and sophisticated threats in a timely manner,” according to the document.

Though the adoption of the framework is voluntary, the Department of Homeland Security (DHS) has established the Critical Infrastructure Cyber Community (C3) Voluntary Program to increase awareness and use of the Cybersecurity Framework. The C3 Voluntary Program will connect companies, as well as federal, state and local partners, to DHS and other federal government programs and resources that will assist their efforts in managing their cyber risks. Participants will be able to share lessons learned, receive guidance and learn about free tools and resources.

Automation Federation Chairman Terry Ives

Terry Ives, Automation Federation Chair

Attending the Wednesday launch event in the nation’s capital was a contingent of Automation Federation officials, including Michael Marlowe, Automation Federation Managing Director and Director of Government Relations; Terry Ives, 2014 Chair of the Automation Federation; and Leo Staples, a past Chair of the Automation Federation who serves as leader of the Automation Federation’s Cybersecurity Framework team.

“Given that the risk of cyberattacks targeted to industrial automation and control systems across all industry sectors continues to grow, it’s important that the Automation Federation and ISA have been actively involved in the development of this national cybersecurity initiative,” said Ives. “The Cybersecurity Framework provides an effective, comprehensive approach for industry sectors to determine their vulnerability to these kinds of attacks and the means to mitigate them.”

Moving forward to implementation 
“Now that the Cybersecurity Framework has been officially launched by the Obama administration, we have been asked by The White House and the National Institute of Standards and Technology (NIST) to assist in the framework’s implementation,” reports Marlowe. “We are actively underway in planning a series of implementation seminars throughout the US and as far away as London.”

In fact, the first implementation seminar is to be conducted  on Friday, 21 February 2014 in Birmingham (AL USA). The seminar will be sponsored by the Automation Federation and the Alabama Technology Network, a Working Group of the Automation Federation.

At the seminar, representatives from the White House, NIST and leading cybersecurity subject matter experts will outline the provisions and details of the Cybersecurity Framework, and will illustrate why IACS security standards are such fundamental components of the plan and its implementation.