Connectivity requires cybersecurity to exist and succeed. All the promised benefits of The Connected Enterprise—faster time to market, lower total cost of ownership, improved asset utilization and enterprise risk management—can't and won't happen without effective security.
"One of the key sticking points in moving forward in The Connected Enterprise is cybersecurity, but a lot of collaboration and skills will be needed to make it happen, and none of us can do it alone," said John Nesi, vice president of market development, Rockwell Automation.
The good news is that many useful software and other tools are emerging to aid cybersecurity efforts. The bad news is, it's difficult in real-world applications, facilities and organizations to find the time, money, labor, cooperation, expertise, training and commitment to implement them.
"It's difficult to talk about cybersecurity without trivializing its breadth and scope, but the truth is that cybersecurity is an extraordinarily non-trivial challenge," said Tyler Williams, global technology leader for industrial cybersecurity, Shell Global Solutions. "We've been working on cybersecurity since 1993, and we've had a lot more 'uh-oh' moments than 'aha' moments. We understand the value of connectivity, applying analytics, cloud computing and augmented reality, and the challenge with cybersecurity is people want it done today, but it's really a long-term journey.
"Our problem is that everyone is talking about the cloud, but we're still trying to patch Windows 3.1 software in some locations. We appreciate that it's important to invest in new technologies, but many of them don't yet work with how we're operating at our 137 plants. We're trying to do traditional, labor-intensive patching from 30 suppliers, so let's get automation blacklisting protection done before we try to protect against advanced persistent threats."
To bridge this gap and find the security that connectivity must have to survive, Rockwell Automation and several of its expert partners came together for a panel discussion, "Securing Industrial Control Systems in a Connected Enterprise," on Nov. 17 at its Automation Perspectives media event, just before the opening of Rockwell Automation Fair 2015 at McCormick Place in Chicago.
The participants included Williams and Nesi, who moderated the panel, as well as Jeff Jones, principal cybersecurity strategist at Microsoft; Maciej Kranz, vice president of the corporate strategic innovation group at Cisco; and Frank Kulaszewicz, senior vice president of architecture and software at Rockwell Automation.
Basic outlook and rules
"It's important to remember that cybersecurity is not an overlay or add-on. It must be embedded in all systems at the architectural level," explained Kranz. "The good news is we're not starting from scratch. Cisco has been solving cybersecurity challenges for the past 30 years, and now we're working on securing infrastructures before intrusions, responding during attacks and minimizing impacts afterwards. The beauty now is all these efforts are collaborating. We've been working with Rockwell Automation to bring IT-based security tools into the automation world, and combine the best practices of both."
Kulaszewicz added that it's still useful to think about and approach cybersecurity with a layers-of-protection perspective, but then cooperate with a widening circle of customers, contractors, suppliers and associated parties.
"Users have progressed to expecting their machines and production systems to be more reliable, safer and now secure as well," he said. "As a result, Rockwell Automation has changed how we develop products to embed security from the beginning, test them for robustness and resilience, and meet safety and security certifications."
More links need better shields
Beyond offering basic protections for connected applications, several panelists added that improved cybersecurity will be even more crucial as the Internet of Things (IoT) links more devices ever closer in the future.
Kranz reported that the feeble security measures of a few years ago, such as putting one firewall in front of a PC on a plant floor, have been replaced by architectural approaches with jointly coordinated firewalls, intrusion detection and prevention solutions, and security procedures that handle whole applications and entire facilities.
"Today's cybersecurity is more policy-based, such as defining specific actions that users can and can't take, and includes different rules for what they can do when they're on the plant floor or when they're working from outside," he said. "This is the foundation users can then employ to require better security from the services they receive, and then they can help their own customers migrate, too."
Kranz added that Cisco recently acquired Sourcefire Inc., which is enabling it to centralize more cybersecurity capabilities in cloud-based computing services, and gives it advanced model prediction capabilities. "This means that users can focus on any strange traffic or devices that are uploading any unusual data, which can indicate an intrusion or attacks, and deal with them more effectively," he said.
Jones reported that cloud-based computing and services are allowing developers and users to design in cybersecurity capabilities from the beginning, and maintain and expand them going forward. "What's required to do this is trust," added Jones. "When a supplier becomes a trusted steward of a user's data, then that's a different model. Fortunately, there's a lot more focus on serviceable software now, and this can be leveraged on the security side, too."
Williams agreed that the cloud can aid cybersecurity, and reported that Shell will get to it, but he cautioned that it can't be done overnight. "You can't throw all this onto 55-year-old engineers at once," added Williams. "We must be allowed to do basic cybersecurity first, and not be bombarded by sales calls about the latest shiny tools. Right now, there's a chasm between our business model and all the cool tools, but we're going to have cybersecurity solutions in place in five years that will be improved by an order of magnitude. It's just important to appreciate the time it takes to operationalize security before the next bolt-in product arrives, and then show what business benefit it actually has."
Collaboration and community response
Williams explained that making true progress on cybersecurity begins with another philosophical shift. "Cybersecurity needs to be seen as a business case," he said. "Then, it needs to be addressed and maintained by a unified community and ecosystem of collaborators, who have established a common language and framework. We have a thousand suppliers, but they all need to collaborate on security."
Shell has cooperated with Rockwell Automation on a joint Global Industrial Cyber Security Professional (GICSP) program that had already trained and certified about 1,000 participants, Williams said. "I think Shell has been helped the most by allying cybersecurity with process safety. Most of our success is judged by financial results, but being a leader also means getting our staff home safe at the end of the day. So, we've learned not to treat security and safety as different, and that's winning hearts and minds, too. There's still a lot of fear, uncertainty and doubt about cybersecurity, but that's an ineffective way to motivate people, and doesn't give them the common business model it needs. Cybersecurity is an opportunity, and implementing it can help users reduce costs."