
Security Game Plan for Smart Factories

By Special Guest
Megan Ray Nichols, Science Correspondent
January 16, 2018

Smarter, more efficient factories are coming, and that means AI, automation, machine learning and IoT hardware will become commonplace, where it isn’t already. There’s just one concerning element of all this: cybersecurity. Yes, IoT and smart factories mean elements are better-connected, but if the security of integrated systems and hardware is not a priority, they can also mean more vulnerabilities.

The adoption of IoT and “connected” systems means modern factories can be uniformly monitored, automated and made absolutely efficient. In turn, this boosts profits to a maximum, thanks to the creation of a well-oiled machine, so to speak.

But smart factories and IoT devices are considered “connected” and “smart” because they are tethered to a network, other systems and hardware — and it’s an open network, no matter how secure. Since this is a relatively new concept to the industry, security is still pretty undeveloped.

So, how can we beef it up?

1. Physical Security
Believe it or not, physical security is a major concern even with modern systems. Hackers and cybercriminals who are able to gain access to factory and plant buildings can wreak havoc. Furthermore, theft can also be a problem, especially in automated plants where there are few to no human workers onsite for extended periods.

One way to combat this is to bolster physical security and surveillance on top of installing smart sensors and monitoring tools. Collectively, these systems don’t just allow remote monitoring of live video feed. They can also interface with the property and related hardware. Doors, for example, can be opened remotely after verifying the identity of the personnel requesting access, simply by pressing a button. Sensors and alarms can send alerts to security teams if they detect movement on property when no one should be there, or in unauthorized areas. Crash barriers are also a great way to keep out physical intruders or unauthorized parties.

2. Establish a Risk Management Process
One of the initial steps in Information Technology and cybersecurity plans is to come up with a risk management process, including proactive and reactive strategies. Preventing access to open networks with secure firewalls, advanced authentication and activity monitoring are all recommended. But in the event of a breach or attack, you want to take action as soon as possible. This means locking down the network from outside access, preventing further damage and even blocking the offending users.

However, it’s also a process that needs to be deployed and followed across an entire organization. Employees and personnel must understand IT and security policies, and they must be educated on how to protect themselves and their systems. They must also adhere to limitations. Even something as simple as properly securing a property access card or authentication key can be crucial to strong security. Should that key fall into the wrong hands, an inordinate amount of damage can be done.

3. Lock Down Industrial Control Systems
ICS, or industrial control systems, are designed to interact with the physical world, relaying information to plant hardware and machines. Due to the nature of their inner workings and what hardware they have access to, an ICS must always be secure. In fact, this is one security element that should become a priority for all organizations, especially over the coming years.

Ransomware has become rampant in the digital world, and it’s certainly capable of not only locking down critical plant systems, but also damaging or severing data connections that can keep entire processes operational.

Follow standards set forth in NIST SP800-82, ISA-00, or IEC 62443 to improve security and maintain its reliability.

4. Manage IoT Devices, Embedded Systems and Data Access
The industrial internet will soon take hold, which means smarter, more connected devices for you. Unfortunately, there are few regulations in place — or security reports — to help ensure this new form of technology is protected, further increasing the risk for cyber attacks and threats.

To make matters worse, many of these devices and systems are considered non-standard, which means they cannot be integrated with standard computer security software. Sensors and pumps for embedded systems are a great example of devices that cannot be conventionally secured.

To combat this, organizations will need to adopt a PKI, or public key infrastructure, which relies on device certificates for communication and data transfer. The system itself is designed, at its core, to authenticate, configure, communicate with and control connected devices. Anything that lacks integrity can be dealt with accordingly, if not automatically through the monitoring system.

5. Involve Business Partners
Most of the security measures are handled locally and internally, which makes sense. But there’s another source of potential damage that is completely out of your hands: your business partner(s). Manufacturing data will need to be transferred and accessed across the supply chain, which means third parties and various teams will need to be trusted with it. Since data sharing is most often facilitated through cloud-based applications and storage these days, security is a monumental concern.

The solution is to adopt and utilize encryption, advanced identity and authentication, and context-based controls with a reliable form of monitoring and reporting on the backend. This provides all the resources a security team needs to identify, communicate and take action against infringing parties.

6. Plan Damage Control Now
No business, open system or network is invulnerable. In fact, it’s likely that you will be attacked or see a network breach at some point. The question then is not “if” but “when.” That’s why you should have a damage control plan in place, now, before anything happens. Once an attack or breach has been detected, you need to lock down your systems, data and machines. You also need to be able to identify corrupted channels, and you must have some way to prevent the spread or increase of damage.

In a majority of cases, this will involve taking entire systems — maybe even an entire location — offline to conduct maintenance and damage control. Is there a way you can segment this process so that parts of your plant still remain operational? Are there things you can do to mitigate the spread of an infection or attack? Do you have controls to purge user access and regain control of your network(s)? These are all things you need to consider, and then some.

7. Reduce Capex and Opex With Remote Security
Chances are your plants or factories are sparsely located across a wide area. You could go about deploying a security team for each individual property, but that would balloon your capex (capital expenditures) and opex (operating expenses) considerably. This also makes it difficult to facilitate collaboration and communication between said security teams.

The solution is to rely on a single, remote security team with the proper tools and equipment to monitor your plants from one central location. One leading oil and gas company — spread across more than 70 global sites — was able to reduce costs by as much as $700,000 per site, over five years, by deploying remote security teams.

8. Enable Device Profiling
BYOD, or bring your own device, is prevalent today because, while it does introduce security risks, it helps alleviate costs for a company or organization, eliminating the need to supply work-centric devices. This allows personnel and employees to bring their own tablets, phones and mobile devices to work and tap into a secure network. This also has the side effect of making it extremely difficult for IT and security teams to control, review and identify users — at least without the proper systems in place.

Device profiling needs to be implemented and enabled to control and secure a network. Related systems can identify devices and users to monitor their activity, authenticate certain actions and even remove them from the network entirely. Think of laying off or firing an employee without taking away their network and systems access — it could be incredibly damaging later.

This is also true of third parties or outside contractors that come to work or visit a plant. They may need temporary access to the network, but this does not necessarily mean their access should be unfettered. You’ll want to make sure they are confined to the appropriate systems and software, and they’re not doing damage. Remember, it’s possible for negligent users to inadvertently cause damage through an infected system they were completely unaware of.

9. Zone Defense
As per the ISA/IEC 62443 standard, an industry best practice is to configure zones or segments and isolate sub-systems. This is done using a DMZ, or demilitarized zone, which can be used to link information and communicate between zones, while keeping the zones blocked off from one another and separate from major components and systems.
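
As an added illustration (not part of the original article), the short Python audit below checks a firewall rule list against a zone plan and flags any rule that lets traffic cross between zones without going through the DMZ. The zone names, address ranges, rule names and ports are all constructed for the example.

```python
import ipaddress

# Constructed zone plan (assumption): three zones, each with its own address range.
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "dmz":        ipaddress.ip_network("10.20.0.0/24"),
    "control":    ipaddress.ip_network("10.30.0.0/16"),
}

# Permitted conduits: the only zone pairs allowed to exchange traffic.
# Enterprise and control never talk directly; everything is relayed via the DMZ.
CONDUITS = {
    ("enterprise", "dmz"), ("dmz", "enterprise"),
    ("dmz", "control"), ("control", "dmz"),
}

# Constructed firewall rules: (rule name, source CIDR, destination CIDR, port).
RULES = [
    ("erp-to-historian-mirror", "10.10.5.0/24", "10.20.0.10/32", 443),
    ("historian-mirror-pull", "10.20.0.10/32", "10.30.1.20/32", 5450),
    ("vendor-laptop-to-plc", "10.10.9.14/32", "10.30.2.0/24", 502),
    ("any-to-hmi", "0.0.0.0/0", "10.30.3.5/32", 3389),
]

def zones_for(cidr):
    """Return the sorted names of every zone a CIDR reaches.

    A range that does not fit entirely inside one zone is conservatively
    treated as also reaching 'external' (addresses outside the zone plan).
    """
    net = ipaddress.ip_network(cidr)
    hit = {name for name, zone in ZONES.items() if net.overlaps(zone)}
    if not any(net.subnet_of(zone) for zone in ZONES.values()):
        hit.add("external")
    return sorted(hit)

def audit(rules):
    """List (rule, source zone, destination zone, port) for every zone
    crossing that is not an approved conduit."""
    findings = []
    for name, src, dst, port in rules:
        for s in zones_for(src):
            for d in zones_for(dst):
                if s != d and (s, d) not in CONDUITS:
                    findings.append((name, s, d, port))
    return findings

if __name__ == "__main__":
    for name, s, d, port in audit(RULES):
        print(f"VIOLATION {name}: {s} -> {d} on port {port} bypasses the DMZ")
```

Overly broad rules are the common failure: the constructed `any-to-hmi` rule is flagged twice because its source range reaches both the enterprise zone and addresses outside the plan.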

10. Educate and Maintain Compliance
Finally, it’s important to remember that many security issues arise due to user or personnel negligence. This can be solved by educating and training your workforce on proper security, and by walking them through what’s required on their end of the process.

A bigger concern, however, is making sure you stay on top of your workforce and personnel as time stretches on. This means continuing to train and maintain their knowledge and security familiarity, especially when newer systems are deployed, or older tools are updated.

Reliable Systems Security Is a Never-Ending Process
By following and deploying the security tips discussed here, you can better prepare your plants and factories for the coming technology boom — if you haven’t already adopted many of the systems discussed. It’s crucial to recognize reliable and successful security is not something that is ever fully complete or achieved. That is, security as a whole is a never-ending process that continually needs to be updated, maintained, monitored and measured. That’s true of your hardware and software, but also of your personnel, partners and third-party contacts.

It’s only when you truly understand that security must be followed day-in and day-out that you will see your plants and systems better protected.

Edited by Ken Briodagh