Today we welcome guest blog author Greg Conary, senior vice president at Schneider Electric, a Belden partner. Originally posted on Schneider’s blog, the article offers expertise we think you’ll find valuable.
Over the past decade or more, the need for cyber security in industrial automation and control systems has been accelerating at an ever-increasing rate. Adoption of the benefits of commercial off-the-shelf and open technologies, awareness of the systems, exposure of the systems and precedents set by previous attacks have all contributed to the increase. The advent of the Industrial Internet of Things (IIoT) pushes this even further, with the increased uptake and reduced cost of powerful computing technologies like cloud, virtualization, shared networks and so on.
While cyber security can be seen as either a barrier or an enabler to the adoption of IIoT, depending on your point of view, what is clear is that no discussion on IIoT is complete without the mention of this topic. And it has to be a comprehensive mention. You know the phrase “You’re only as strong as your weakest link.” Well, this is just as applicable to industrial automation and control systems as it is to football teams. And with industrial automation and control systems, it’s not just the weakest link that needs to be secured; the highest potential risks also need to be planned for and mitigated.
Just as openness and standards in automation technology are essential in realizing the promise of IIoT, so too is the adoption of certified industrial security standards. These standards must be robust and take into account the security not only of individual assets but also of the larger systems. Adherence to the certifications will mean that the elements of a system hold the key security building blocks, that the elements are combined in a secure way by security-certified teams and, finally, that they are operated as a secure system by security-trained operators.
Worldwide, the IEC 62443 series of security standards covers all elements of security from product development through to product features, system features, delivery and operation. Complementary to the IEC 62443 security standards, existing industrial standards are also evolving to be more secure: DNP3 has evolved to DNPV5 to add security, OPC UA offers significant security enhancements, Modbus is evolving to Modbus Secure, and EtherNet/IP is becoming EtherNet/IP Secure. In addition, many IIoT systems are adopting security features coming from existing IT standards such as HTTPS, certificates, encrypted/authenticated protocols, etc.
Network security has been carried over from the IT and early OT adoptions of security where the network is segmented and access is restricted and monitored between zones. This is sometimes called a Defense in Depth approach. A truly secure system in the IIoT age is made up of many elements and needs to go beyond Defense in Depth.
The ultimate goal of a cyber-secured system is to ensure that the system operating at the end user site is delivered and operates securely while meeting business requirements. Opening the door for collaboration between suppliers, vendors and end users to share knowledge and educate each other will become increasingly important if we are to successfully tackle cyber security in the IIoT age. How do you view IIoT and cyber security – as a barrier or an enabler?
To read more content from Greg, visit Schneider Electric’s blog here: http://blog.schneider-electric.com/author/gconary/.