Over the past decade or more, the need for cyber security in industrial automation and control systems has been accelerating at an ever-increasing rate. Adoption of the benefits of commercial off-the-shelf and open technologies, awareness of the systems, exposure of the systems and precedents set by previous attacks have all contributed to the increase. The advent of the Industrial Internet of Things (IIoT) pushes this even further with the increased uptake and reduced cost of powerful computing technologies like cloud, virtualization, shared networks and so on.
While cyber security can be seen as either a barrier or an enabler to the adoption of IIoT, depending on your point of view, what is clear is that no discussion of IIoT is complete without mention of this topic. And it has to be a comprehensive mention. You know the phrase “You’re only as strong as your weakest link.” Well, this is just as applicable to football teams as it is to industrial automation and control systems. And with industrial automation and control systems it’s not just the weakest link that needs to be secured; the highest potential risks also need to be planned for and mitigated.
Just as openness and standards in automation technology are essential in realising the promise of IIoT, so too is the adoption of certified industrial security standards. These standards must be robust and take into account the security not only of individual assets but also of the larger systems and systems of systems. Adherence to the certifications will mean that the elements of a system hold the key security building blocks, that the elements are combined in a secure way by security-certified teams, and finally that they are operated as a secure system by security-trained operators.
Cyber security standards
Worldwide, the IEC 62443 series of security standards covers all elements of security from product development through to product features, system features, delivery and operation. Complementary to the IEC 62443 security standards, existing industrial standards are also evolving to be more secure: DNP3 has evolved to DNPV5 to add security, OPC UA offers significant security enhancements, Modbus is evolving to Modbus Secure, and EtherNet/IP is becoming EtherNet/IP Secure. In addition, many IIoT systems are adopting security features coming from existing IT standards such as HTTPS, certificates and encrypted/authenticated protocols.
Elements of a secure system in the IIoT age
Network security has been carried over from the IT and early OT adoptions of security where the network is segmented and access is restricted and monitored between zones. This is sometimes called a Defense in Depth approach. A truly secure system in the IIoT age is made up of many elements and needs to go beyond Defense in Depth.
- Increased network security – to include options for encryption, greater emphasis on application security and access control to define what devices can be connected to the network and what permissions those devices have
- Protocol security – more and more OT protocols will need to incorporate security features and IIoT-enabled devices will need to support secure IT protocols
- Application security – not only do devices and software need to implement certified security features but these features need to be consistent for users to ensure easy, but still secure, operation of the system
- Supply chain security – coding of products, manufacturing, delivery, installation, maintenance and disposal will all become key parts of maintaining system security
- Security services – to assist customers in adopting the new security system and continuing to maintain it securely
The ultimate goal of a cyber secured system is to ensure that the system operating at the end user site is delivered and operates securely while meeting business requirements. Opening the door for collaboration between suppliers, vendors and end users to share knowledge and educate each other will become increasingly important if we are to successfully tackle cyber security in the IIoT age.
How do you view IIoT and cyber security – as a barrier or an enabler?