The proliferation of Internet-enabled devices and the deployment of standard Ethernet across control systems have the potential for delivering tremendous benefits. What Rockwell Automation calls the Connected Enterprise allows substantive collaboration among people, plant-floor systems and enterprise applications. The connections facilitate collaboration to improve overall productivity and sustainability.
But as the historic disconnect between enterprise and production networks is bridged, manufacturers, producers and utilities need to better understand potential security risks and the best practices needed to develop a more secure environment.
In a morning session at today's Automation Perspectives media event leading up to the Rockwell Automation Automation Fair, presenters aimed to help media and analysts better understand the importance of protecting industrial control and information systems and key elements in implementing an effective security strategy.
"When we speak to our customers about moving a Connected Enterprise forward, it's not unusual for them to raise two concerns: cost and security," began John Nesi, Rockwell Automation's vice president of global market development. "So as we discuss this, we have to realize that the vision of the Connected Enterprise includes value creation."
That value opportunity comes directly from the technology opportunity. "We're in the middle of an amazing technology transition that has a big impact on business," said Rob Soderbery, senior vice president and general manager of the Enterprise Networking Group at Cisco. Soderbery oversees the strategy, engineering and marketing direction of the company's networking technology for the enterprise, and his organization is responsible for the core technologies critical to business customers.
That transition is influenced by three big macro trends, Soderbery said. "It's the economics of the growth of emerging vs. developed countries; it's energy consumption and what the demands and sources will be moving forward; and it's social demographics of hyper growth in emerging markets, and declining workforce and aging population in developed countries."
Productivity, he added, will be at the heart of solutions dealing with these issues. "The next wave of productivity will come out of the Internet of Things (IoT)." By 2020, he said, 50 billion things will be connected to the Internet.
"But the big impact, the stunning opportunity here, is in industry. When you can connect things, processes and data in the cloud, you can create new real-world applications in logistics, in segments that are upstream in the supply chain."
Cisco says there's $14.4 trillion in increased value to be realized in the private sector over the next 10 years in this Internet of Everything. "That value will come from benefits in innovation expansion, enhanced customer experiences, asset utilization, employee productivity, and supply chain and logistics improvements," Soderbery said.
These opportunities are there across all the big verticals. "We tend to find a 'killer app' in each segment that is so powerful that it makes other initiatives more feasible and achievable," Soderbery explained. "BC Hydro in British Columbia is an example of this. They're concluding a smart meter project that will provide a $100 million savings by pulling the meter readers off the street. And there are other opportunity areas that will increase that number. That's one application in one utility, in one province in one country. These numbers add up very quickly."
Soderbery believes that once you've built an application like this, you've basically built a new infrastructure: You've connected the systems you're capable of monitoring; now you can do predictive maintenance, traceability, mobile control rooms, wireless machines, supply chain and other applications.
Some $1.95 trillion of that $14.4 trillion, Soderbery said, will come in the manufacturing sector.
Security at the Fore
There clearly are many challenges to all this, from converging and merging disparate networks, to harvesting distributed intelligence by pushing analytics out to the data sources, to ease of use, but the one that trumps them all, Soderbery said, is security.
Unless you address those concerns, you can't get started.
So why is IoT security different? One of the reasons is the 'attack surface.' "Those are places where an attack can be initiated," Soderbery explained. "The attack surface of a factory is large and complex. Remediation also is different. What do you do if you're under attack in the process industry? Shutting down is not a practical or easy response."
Soderbery presented a few simple building block ideas for IoT security. "Access control is more than a firewall," he stated. "You have to be aware of the content on the network through tools like deep-packet-inspection engines. A second thing is the context. What's the device, what data does it produce, is it where it says it is? You can draw some conclusions through the combination of content and context."
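To make the "content plus context" point concrete, here is an added example that is not code from Rockwell Automation, Cisco or any of the presenters. It contrasts what a port-level firewall can decide with what a policy that also inspects the protocol payload (content) and checks the device inventory (context) can decide. The page names no protocol, so the example assumes Modbus/TCP because its framing is simple to parse; the device inventory, IP addresses, segment labels and sample frames are all constructed for illustration.

```python
"""Content + context access control for a control network (illustrative example).

Assumptions: Modbus/TCP on port 502; the inventory below is a constructed stand-in
for whatever asset database a site actually keeps.
"""
import struct
from dataclasses import dataclass

# Modbus function codes that change process state (write coil/register variants).
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}


@dataclass(frozen=True)
class Device:
    ip: str
    role: str        # e.g. "hmi", "engineering"
    segment: str     # network segment the device is expected to live on
    may_write: bool  # is this role allowed to write to controllers?


# Constructed inventory (the "context"): what each device is and where it belongs.
INVENTORY = {
    "10.0.1.10": Device("10.0.1.10", "hmi", "cell1", may_write=False),
    "10.0.1.20": Device("10.0.1.20", "engineering", "cell1", may_write=True),
}


def parse_modbus_tcp(payload: bytes):
    """Return (unit_id, function_code) from a Modbus/TCP frame, or None if malformed.

    MBAP header: transaction id (2), protocol id (2, must be 0),
    length (2, bytes that follow it), unit id (1); then the PDU starting with the
    function code. This is the "deep packet inspection" piece in miniature.
    """
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7]


def firewall_only(src_ip: str, dst_port: int) -> bool:
    """What a plain layer-4 rule sees: known source talking to the Modbus port."""
    return dst_port == 502 and src_ip in INVENTORY


def content_and_context(src_ip: str, src_segment: str, dst_port: int, payload: bytes):
    """Return (allowed, reason) after checking port, location, framing and operation."""
    if not firewall_only(src_ip, dst_port):
        return False, "unknown source or wrong port"
    dev = INVENTORY[src_ip]
    # Context: is the device where it says it is?
    if dev.segment != src_segment:
        return False, f"{src_ip} ({dev.role}) seen on {src_segment}, expected {dev.segment}"
    # Content: what is it actually asking the controller to do?
    parsed = parse_modbus_tcp(payload)
    if parsed is None:
        return False, "malformed Modbus/TCP frame"
    _unit, fc = parsed
    if fc in WRITE_FUNCTIONS and not dev.may_write:
        return False, f"{dev.role} at {src_ip} attempted a write (function {fc})"
    return True, f"function {fc} from {dev.role} at {src_ip}"


def build_frame(tid: int, unit: int, function: int, body: bytes) -> bytes:
    """Assemble a Modbus/TCP frame with a correct MBAP length field."""
    pdu = bytes([function]) + body
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic.
READ_HOLDING = build_frame(1, 1, 3, struct.pack("!HH", 0, 10))   # read 10 registers at 0
WRITE_SINGLE = build_frame(2, 1, 6, struct.pack("!HH", 40, 1))   # set register 40 := 1


def demo():
    """Each case: (source, firewall verdict, content+context verdict)."""
    cases = [
        ("10.0.1.10", "cell1", 502, READ_HOLDING),          # HMI reads: allowed
        ("10.0.1.10", "cell1", 502, WRITE_SINGLE),          # HMI writes: denied by content
        ("10.0.1.20", "cell1", 502, WRITE_SINGLE),          # engineering writes: allowed
        ("10.0.1.20", "corp-wifi", 502, WRITE_SINGLE),      # right IP, wrong place: denied by context
        ("10.0.1.10", "cell1", 502, b"\x00\x01\x00\x00"),   # truncated frame: denied
    ]
    return [(src, firewall_only(src, port), content_and_context(src, seg, port, p)[0])
            for src, seg, port, p in cases]


if __name__ == "__main__":
    for src, fw, full in demo():
        print(f"{src}: firewall={'allow' if fw else 'deny'} content+context={'allow' if full else 'deny'}")
```

The firewall column allows all five flows, because every one is a known address on the expected port; only the combination of payload inspection and inventory lookup separates an operator reading values from the same operator (or a device impersonating its address from the wrong segment) writing to the controller.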
All this contributes to improved threat awareness and an understanding of the threat landscape, Soderbery said. Who are the bad guys, what are they trying to do, what actions have they taken or are they taking now?
Mike Assante is an advisor and director for the National Board of Information Security Examiners. He is currently the SANS Institute project lead for industrial control system (ICS) and supervisory control and data acquisition (SCADA) security.
He mentioned that the desire for analytics isn't just restricted to the manufacturer and its supply chain. "Companies such as the equipment and machine builders themselves want access to the equipment they sold you and want to better understand the operating envelopes of those machines to help optimize those machines and perform more safely," he said.
Expanding on Soderbery's security remarks, Assante pointed out that the threats in industry are becoming more targeted and structured. "We aren't the only ones investing," Assante reminded the audience. "The cyber underground has been doing it for years, some say to the tune of several billion dollars."
Assante reported that up to 94% of those targeted attacks aren't discovered by the victim until they learn about it through a third party or learn that some of their information was found on someone else's server. And the mean time before that discovery was a whopping 416 days of what Assante calls 'free time' for intruders to travel around through that business system.
"In all these reported cases, the companies were up-to-date with their anti-virus solutions in place and used industry security practices, but still were compromised," Assante reported. "It tells us that our conventional security approach isn't working for that type of threat."
So it's time to adapt, Assante proposed. "We're at an inflection point in the effectiveness of traditional defenses."
He said we have to secure our people first. "Automation engineers have to work with cybersecurity personnel and vice-versa to cross-educate their strengths and needs. We don't want to turn automation engineers into security professionals. But this can lead to new approaches to better security. We're setting up guidelines to help do that."
Designing for Security
Frank Kulaszewicz, senior vice president for Architecture & Software, Rockwell Automation, followed by reporting that less than 14% of U.S. manufacturers have tied their machines' intelligence to the enterprise network. As a result, there will be plenty of opportunities for increasing value. But as we connect, the potential for threats will rise as well.
Kulaszewicz explained the strategic partnership that Rockwell Automation shares with Cisco, which leverages the expertise of both companies to help enhance security going forward, particularly at the device level.
"We're changing the way we do development and we've created a Design for Security process," he said. "Before any Rockwell Automation product leaves our doors it has to be compliant with these Design for Security standards." These include clearly defined specifications and an audit process to identify gaps in performance. "They allow us to enhance and improve our products in ways that will help customers evolve their systems to a safer, more secure environment."