Marathon of Security
Securing Device-by-Device Will Elevate Cyber Profile
By Gregory Hale, editor/founder ISSSource
Running a marathon can be an intimidating task: the eager participant starts off ready to go, but quickly realizes 26.2 miles is a very long way to run. What can get the intrepid marathoner through the entire process is focusing not on the overall target, but on breaking it down into mile-by-mile increments.
Cybersecurity in the manufacturing realm is very similar: users need to commit to starting a program, but understand that this is a step-by-step process and not a one-time installation.
The catch is, manufacturers need to jump in on the race because watching from the sideline could be a costly experience.
Just last year, the average consolidated total cost of a data breach was US$3.8 million, up from US$3.5 million the previous year, which is a 23 percent increase in total cost of a data breach since 2013, according to a study by the Ponemon Institute.
"When people think about cybersecurity they think about people wearing masks hacking into and stealing credit card information and stealing intellectual property," said John Boville, Marketing Manager for Process Automation at Schneider Electric. "They are not thinking of cybersecurity issues on the plant floor. What about a memory stick found in the parking lot and someone coming in and plugging it in and affecting the programming software and altering the program on your automation hardware? What about somebody inadvertently changing a program by accidentally downloading the wrong program to a device and wreaking havoc with how a machine works?"
That is why approaching security step by step, securing devices first and then elevating to the next level, is a smart idea.
Along those lines, if a user has a secure PLC and the network ends up breached, the device can still remain secure.
How can a user take these modern elements and make them work with legacy devices?
"You have to tighten up that trust boundary and you have to pull some of that allocated functionality down to the device," Kling said. “In the case of the for example, we are bringing Level Two functionality to our Modicon M580 ePAC. We are essentially putting authentication functions into our Ethernet-enabled programmable automation controller securing the protocols to the device."
If the user is in a situation where one PLC has to talk to another PLC and one has encryption technology and the other doesn’t, the only choice is to go to the lowest common denominator. “To move forward we say you have to upgrade your workstation software and upgrade your PLCs and upgrade your network technology to all participate in this greater cyber security story,” Kling said.
In an era with budgetary restraint, how can a user justify this movement toward security and away from antiquated legacy devices?
"We have to continue to educate people about how cybersecurity incidents cause downtime and safety issues," Boville said. "One example is the Turkish pipeline explosion where hackers caused a pipeline to blow up and they were able to prevent (operators) from seeing it was burning."
The Turkish pipeline explosion occurred Aug. 5, 2008, when attackers shut down alarms, cut off communications and super-pressurized the crude oil in the line. The high pressure caused an explosion felt for miles.
Be it terrorism, an error in judgement or an inside attack, that one particular event cost the 11 owners of the pipeline, including oil giant BP, US$1 billion.
From a financial perspective, every company has to look at the loss of intellectual property and damage to machinery, but the cost of downtime is huge, too.
"Large enterprises are facing a US$1.8 million risk each year for the cost of recovering from a cyberattack," Boville said. "That is real money and that is a real financial risk."
The only risk today is standing on the side and watching the race go by. Instead, users can take a device-by-device approach that will eventually build up into a solid security program over the course of the marathon of security.