For years, a misconception was promulgated that safety systems were immune from cyber attacks, but that mindset came screeching to a halt when a safety system was hit a few years back. At that point all bets were off.
If that safety system hadn’t shut down that facility as it was supposed to, who knows what unimaginable destruction could have occurred.
“Safety and security is about risk mitigation,” said Luis Duran, global product line manager at ABB in a talk entitled, “The rocky relationship between safety and security” during the ABB Customer World in Houston. “In safety, we want to prevent something bad from happening to people, facility and environment. In cybersecurity, the goal is to prevent illegal or unwanted penetration into a system. There are similar ideas behind risk management, but the ways to go about it are different.”
Along those lines, Duran mentioned there are three myths that need to be broken:
- Security is an IT item
- Air gaps
- Product certification.
“Air gaps do not resolve cybersecurity issues or address industry best practices,” he said. “A safety system is not connected to anything? How do you program it? It is connected to a system. Is it Windows-based? These were not designed with cybersecurity in mind. Safety systems are exposed to cyber threats. They are isolated from process control systems, but it is connected to other systems. Air gaps are not the answer.”
“Certification is important first start, but not the end of the journey,” he said.
Companies need to “define security policies that work over the plant lifecycle by collaborating with suppliers across IT and OT. A collaboration of minds is about what is best for the installation,” he said.
Safety and security are similar but there are differences. Safety will keep man protected from machines, while security will protect machines from man. Either way, if one element goes bad, it can lead to a safety issue.
“Cybersecurity awareness is ongoing,” Duran said. “It is important; attacks are happening and they are real. Cybersecurity can lead to system failure and when a system goes down, it affects the safety system because it is the system of last resort to protect against a catastrophic event.”
Duran mentioned some well-known cases of cyber attacks in the industry:
- 2010 Stuxnet attack against an Iranian nuclear facility
- 2014 blast furnace attack in Germany
- 2015 and 2016 blackout in Ukraine
- 2017 Triton attack against refinery in Saudi Arabia.
In a SANS survey, respondents pointed to their primary business concerns and 67% perceived severe or high levels of threat to control systems, which was up from 43% in 2015.
To reach some level of security for safety and control systems, users need to apply basic best practices, such as following international standards like IEC 62443. The standard has multiple parts, each focusing on a specific area of concern.
In addition, users need to apply a defense-in-depth approach. “Segregate layers to prevent a delay of attacks on systems. A flaw in one layer can be mitigated by other layers,” Duran said.
In addition, users need to follow cybersecurity for the product lifecycle:
- Secure by design
- Secure by default
- Secure in deployment
“Security doesn’t start in the design,” Duran said. “It starts before you write the first line of code. At the end of the day, the security of the whole installation has to come into play.”
Security as the enterprise backbone
Here we are living in the present and planning for the future and the digital world is staring the manufacturing automation sector square in the eye. Benefits abound, productivity gains can be rampant, and connectivity is abundant and plentiful.
Make no mistake about it: security is the backbone that enables and protects the entire enterprise.
“The world is changing, and ABB is riding the future, and we are shaping the next phase in the world in a positive way,” said Ulrich Spiesshofer, chief executive at ABB during his keynote address. “When we look at a fast changing world we must change again to stay in the forefront of the industry.”
Spiesshofer talked about three actions ABB is looking at moving forward:
- Focus on digital industries through divestment of power grids
- Simplify our business model and structure
- Shape four leading businesses
The goal, Spiesshofer said, is to simplify the company and put resources in the right place and put the company under four business leaders. “There will be better customer focus, higher speed and less interfaces.”
The four business lines Spiesshofer mentioned are:
- Industrial automation
- Robotics and discrete automation.
In terms of the robotics area, Spiesshofer showed a video of an ABB robot conducting an orchestra.
“It is impossible people would have said 10 years ago having a robot conduct an orchestra, but we did it,” he said. “Technology is amazing and artificial intelligence (AI) is an amazing thing. I never thought a robot could learn to conduct an orchestra in 17 hours.”
Bringing collaborative robots and humans together will allow companies to help drive a more competitive environment in the U.S.
“The U.S. still only has 40,000 installed robots, so there’s a big opportunity to have them help with reshoring and bringing manufacturing back to the Americas,” Spiesshofer said.
One of the issues companies are facing is that 75% of data is at the edge, he said, but only 6% of the data is being utilized.
“People who can act with speed and agility around the data will be the winners,” said Antonio Neri, president and chief executive at Hewlett-Packard Enterprises (HPE). “Customers want to advance their business. We need to drive an architecture that is edge to cloud. That connectivity needs to be secure. The enterprise of the future is evolving: Edge centric, cloud enabled, data driven.”
Original content can be found at www.isssource.com.