Plant Automation Security
Industrial Computer Systems (ICS) are increasingly coming under attack as hackers are realizing the economic and reputational benefit of a successful operations technology system compromise. Organizations seeking to exploit their plant automation systems to drive business processes are deploying communications paths to their ICSs and raising the risk profile of their organizations.
1 Management Summary
Plant automation systems are undergoing significant change in the current digital transformation environment. Two of the main drivers for this change are:
Increasing hacker activity seeking out industrial computer systems as the ‘holy grail’ of hacker targets. Hacker categories are:
- Recreational hackers seeking kudos associated with successfully infiltrating a protected facility;
- Institutional hackers seeking to steal valuable assets or information for economic benefit or industrial advantage;
- Nation-state hackers seeking control of sensitive infrastructure in a potential enemy’s environment.
Increasing realization that access to plant automation systems can be a major competitive advantage for companies:
- Access to real-time data, such as production volumes, can enable better customer service and new business opportunities;
- Access to control devices can potentially enable new business processes and, for instance, allow custom orders to be entered directly into the production schedule.
It’s important that plant automation systems are no longer considered discrete systems but part of a supply chain. That chain starts with a sales forecast providing input into production schedules, which advise production management on the supply side, and extends to logistics management, production reporting, inventory management and accounting on the output side. Seen in this light, the plant automation system should no longer be an isolated system without connection to the company’s information technology systems; it is an integral component of a manufacturing company’s business process.
In the past, plant automation systems have been considered ‘special’ and outside the normal governance processes for acquisition and management of technology systems. The focus has been on safety and high availability, with little attention placed on security and confidentiality.
Now the time is right for a more holistic framework to be adopted: one that leverages a plant automation system for competitive advantage while at the same time addressing both the safety and security aspects of operational technology. A useful model is the CIA model:
- Confidentiality is important because the production data is very valuable to an organization and decisions are made based on it. This means that the plant automation system must be protected from compromise and the data being provided to the business process owners must match the user’s requirement. For instance, if production data must be shared with a business partner, it must be adequately secured.
- Integrity means there must be a high level of confidence in the data being provided by the system. Data from a sensor, for instance, must be identifiable as coming from the sensor it purports to come from. Ideally, some form of digital signing or encryption is required to ensure its integrity.
- Availability is essential for a plant automation system. Infrastructure must be in place to ensure that availability levels and speed of access to control facilities meet operational requirements. This extends to the provision of data from the plant automation system to the business process owner; if the required data is not readily available, the business process will suffer and the company will lose competitive advantage. This in turn means that the production process extends to adequately collecting, analyzing and storing production data.
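An added example, not part of the original article: one way to make a sensor reading attributable to its source, as the Integrity point above asks. It uses a per-sensor HMAC-SHA256 key (a shared-secret tag, used here in place of a true digital signature) plus a sequence number to reject replays; the sensor names, keys and message fields are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo keys, one per sensor (assumption: provisioned out of band).
SENSOR_KEYS = {"flow-01": b"demo-key-flow-01", "temp-07": b"demo-key-temp-07"}


def _canonical(sensor_id, seq, value):
    # Fixed field order and separators so both sides authenticate identical bytes.
    body = {"sensor": sensor_id, "seq": seq, "value": value}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_reading(sensor_id, seq, value, keys=SENSOR_KEYS):
    """Sensor side: tag the reading with HMAC-SHA256 under that sensor's key."""
    tag = hmac.new(keys[sensor_id], _canonical(sensor_id, seq, value), hashlib.sha256)
    return {"sensor": sensor_id, "seq": seq, "value": value, "tag": tag.hexdigest()}


class ReadingVerifier:
    """Receiver side: check origin and content (tag) and freshness (sequence)."""

    def __init__(self, keys=SENSOR_KEYS):
        self.keys = keys
        self.last_seq = {}  # highest sequence number accepted per sensor

    def verify(self, msg):
        sensor = msg.get("sensor")
        key = self.keys.get(sensor)
        if key is None:
            return "reject: unknown sensor"
        data = _canonical(sensor, msg.get("seq"), msg.get("value"))
        expected = hmac.new(key, data, hashlib.sha256).hexdigest()
        # Constant-time comparison avoids leaking how much of the tag matched.
        if not hmac.compare_digest(expected, str(msg.get("tag", ""))):
            return "reject: bad tag"
        seq = msg["seq"]
        if not isinstance(seq, int) or seq <= self.last_seq.get(sensor, -1):
            return "reject: replayed or stale sequence"
        self.last_seq[sensor] = seq
        return "accept"
```

Because each sensor has its own key, a reading tagged by one sensor cannot be relabelled as another's without failing verification.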
Companies that can leverage their plant automation infrastructure to drive business will significantly benefit from current technology trends such as OT/IT network integration and Internet-of-things disruption in the sensor/actuator market. Those that can’t are likely to be victims of digital transformation.