Connectivity with the outside world is still relatively new in many industrial installations, so the need for safeguards has been far less than in information technology fields. But that’s changing rapidly as manufacturers and utilities move to use the cloud and Web-based strategies.
Industry 4.0 and IIoT describe ways that facilities can become more efficient by using the Web to link factories to management, suppliers and customers. That’s straining companies that need to integrate complex security strategies into their business plans.
“There’s a lot of uncertainty among our customers about what to do,” said Sherman Joshua, global portfolio manager for Rockwell Automation Connected Services. “Companies are having difficulty finding skilled resources, so a lot of them are asking for help setting up their security architectures and processes.”
Facility managers and others often turn to outsiders so they can get up to speed quickly. Suppliers and consultants who have already hired security specialists are busy helping these companies set up protective architectures before they’re compromised. The demand for people who know security and understand the nuances of industrial applications is high.
“There just aren’t enough people with working knowledge of cybersecurity,” said Katherine Brocklehust, senior director for the cybersecurity division at Belden. “Every technical person I know in this field is being bombarded by recruiters.”
The base of products that must be protected is expanding rapidly. Security has undergone a transformation over the past few years. Industrial sites once used a range of specialized networks that were protected largely by obscurity. A shift to Ethernet changed that, but firewalls largely protected industrial sites from attacks begun elsewhere in corporate networks, so many security plans got little more than lip service.
A growing number of attacks on industrial equipment prompted a number of equipment makers to start adding protective strategies to their development projects. The shift to cloud computing and broadening links to the Web are forcing even more manufacturers to increase the safeguards built into their equipment.
“Most industrial robots have IP addresses that could be hacked, but they’re typically behind firewalls that prevent that from happening,” said Bob Graff, senior sales manager for education at Yaskawa America’s Motoman Robotics Division. “That will change as more cloud-based systems come on board. The cloud is in a different realm, things are really exposed.”
Most equipment makers and users now realize that attackers have gotten more sophisticated and more industrial networks are directly linked to the Web, making security a necessity. Many vendors and users now say that security is rapidly being elevated to a status similar to quality and safety. It plays a role from the earliest stages of product development.
“No longer is security being taken as an afterthought, it is being designed in from the start of product concept,” said Alan Cone, product marketing manager at Siemens Industry Inc. “We are employing people with cybersecurity skill sets to help with this development and to stay on top of current trends in security. We are looking at a large number of people over different divisions so a good mix of age and background is available.”
He added that Siemens and its customers are all figuring out where to deploy security experts. Some of these specialists are being tasked with developing broad, corporate-wide security strategies, while others are working with product development teams to focus on the minutia of equipment design.
“Teams are being formed that have security personal that spread across the organization (to look at total company needs), as well as people dedicated to certain product development teams that work with security and other product aspects,” Cone said.
Incorporating security personnel into the overall development hierarchy requires strategies that vary depending on many factors. Some products can get by with comparatively light security, while those that are more exposed must incorporate more safeguards. A corporation’s experience level is also a determining factor for staffing. The companies that are just starting out will typically adopt different tactics than those who have already built a solid security program.
“Often the way cyber security is integrated into design teams comes down to the maturity of the overall cyber security program,” said Ian Williams, vice president of human resources for Tripwire. “More advanced organizations tend to need dedicated resources and often have small teams of highly skilled security personnel working in their network or security operations center.”
One of the biggest hiring challenges is find personnel who can understand the special requirements of rugged production sites. Industrial systems are quite different from their front office counterparts, making it difficult to hire the right types of personnel. The majority of college graduates are trained in corporate networks. If nodes on IT networks see brief slowdowns while security operations are performed, there’s usually far less impact than if a real-time production line doesn’t execute every operation on time. A one-second delay is minor for email, but major when pharmaceutical ingredients are being mixed.
“Many industrial organizations have a gulf of separation between the IT teams and the industrial control system (ICS) teams because these two groups have differing priorities,” Williams said. “ICS engineers and plant personnel are most concerned with reliability, availability, and not allowing operations to be disrupted; whereas, IT-focused cyber security teams want to enforce good security. Some security hygiene has the potential to be disruptive.”
This puts industrial facilities at a disadvantage when they’re hiring security personnel, which has prompted many companies to focus on training skilled people in industrial controls.
“It’s very difficult to find the combination of cybersecurity skills and industrial system design knowledge,” Williams said. “When possible, we’d rather hire a security engineer and train them on the industrial system design requirements. Our experience has shown that this approach delivers a faster fit.”