How to secure your automation network

The industrial landscape is rapidly evolving to address the challenging economic environment facing Australia today. Organisations need to become more efficient and flexible to maintain competitiveness and improve productivity. 

This evolution has seen a significant increase in Industrial Ethernet technologies being applied to control systems. A single Ethernet network can be used for standard control, as well as safety, motion, process, visualisation, and asset management.

This allows for significant reductions in the costs and time associated with installation and maintenance of networks when compared to the traditional approach of using multiple fieldbuses. By providing a scalable platform that can accommodate multiple applications, Ethernet-based automation systems can help increase flexibility and accelerate deployment of new applications, providing companies with a future-proof network that can help them achieve their productivity goals.

Additionally, Industrial Ethernet adoption across a plant or factory provides for far easier information sharing by creating a link between the plant and business systems, helping industry achieve operational improvements.  

Ethernet networks allow for easy access to critically important, real-time data. A well-designed, robust, secure Ethernet network can now allow real-time data to be accessed securely from anywhere in the world. Operational dashboards and reports provide increased visibility into current plant operations.

However, this increased level of connectivity also brings inherent security risks that need to be addressed. As the convergence of manufacturing and IT relies on standard Ethernet networks, these infrastructures are increasingly exposed to new security risks and active cyber threats. Addressing these risks poses many challenges for business, though mitigating the risks will help companies benefit from the many advantages that networked operations bring.

Exposing process networks to a wider audience raises valid security concerns. Due to their isolation, traditional fieldbuses inherently brought some level of security, although accessing data on these networks could be difficult. As industry moves toward a converged Ethernet network, security becomes a prime concern.

However, commercial Ethernet technologies have, for the past two decades, been working on alleviating risks associated with viruses, unauthorised access, remote access and external attacks. Leading control system vendors are increasingly collaborating with traditional IT companies to design reference industrial Ethernet architectures utilising current best practices.

Industrial network security is multifaceted; it is essential that all variables that introduce risk be proactively identified, tracked and addressed in order to help facilitate a safe and reliable industrial process. No single product, technology or methodology can fully secure Industrial Automation and Control System (IACS) applications. 

Protecting IACS assets requires a defence-in-depth security approach which addresses both internal and external security threats. This approach utilises multiple layers of defence (physical, procedural and electronic) at separate IACS levels by applying policies and procedures that address different types of threats.

A balanced industrial network security framework must address both technical (electronic technology) and non-technical (physical, policy, procedural) elements. This industrial network security framework should be based on a well-defined set of security policies and procedures, leveraging established IT processes, while balancing the functional requirements of the IACS application itself. 

This has led to a cultural change where IT and engineering are becoming closely aligned. In the past, industrial applications were maintained solely by engineers, but now the line between traditionally separate IT and engineering departments is becoming less defined. Engineers are becoming more familiar with IT technologies, and conversely, IT is fast learning the intricacies of industrial Ethernet.  

Researchers are predicting an explosion of end devices connected to Ethernet, and as power over Ethernet becomes accepted within industry, more and more devices are expected to be shipped 'Ethernet ready', highlighting the importance of having secure industrial networks. 

Risk and security assessments are the starting point for any security policy implementation. Security assessments should look at your specific situation from technologies to policies, procedures to behaviour, and give you a realistic picture of your current security posture (current risk state) and what it will take (mitigation techniques) to get to where you need to be (acceptable risk state). 

Rockwell Automation recommends the formation of a multi-discipline team of operations, engineering, IT and safety representatives to collaborate in the development and deployment of your industrial security policy based on your risk assessment. 

Rockwell Automation and Cisco have also collaborated to develop Converged Plantwide Ethernet (CPwE) reference architectures to help address the industrial network security framework. This comes in the form of design considerations, guidance, recommendations, best practices, solutions and services to help companies successfully design and deploy a scalable, robust, secure and future-ready plant-wide/site-wide network infrastructure.

The CPwE Industrial Network Security Framework is aligned to industrial security standards such as ISA/IEC-62443 (formerly ISA-99) Industrial Automation and Control Systems (IACS) Security and NIST 800-82 Industrial Control System (ICS) Security with regard to a defence-in-depth security approach.

Manufacturers and automation vendors will continue to take advantage of investment and innovation in compatible commercial Ethernet technologies, and adapt these innovations to the industrial environment while integrating a holistic approach to industrial security.  

[Robert Hicks is Product Manager, Rockwell Automation. Hicks will be presenting at the IICA Cyber Security Seminar on October 30, 2013 in Sydney; email nsw@iica.org.au or call 0410 334 333 for more information.] 
