Cyber security is probably the single greatest shared concern among manufacturing companies around the world. While most manufacturers were already well aware of security threats, the Stuxnet virus in 2010 served as a general wakeup call for industrial companies to become more proactive in their approach to cyber security. But security is a broad topic made up of not just products, but also processes, policies and services. Leading automation suppliers, such as Rockwell Automation, have made significant efforts to be able to assist their industrial clients in all three areas, including:
- Helping clients assess the vulnerabilities of their legacy industrial control systems
- Helping clients take a holistic view when developing security concepts and solutions
- Offering comprehensive cyber security services
Brownfield Plants Still Vulnerable
Existing manufacturing plants face a host of challenges around cyber security. A large portion of the installed base of industrial control systems was never designed to withstand contemporary security threats. Many are vulnerable due to the industrial networks they use, including legacy networks that predate modern security requirements. Most have been "patched" with simple fixes like firewalls, but this is not a viable long-term solution.
When a new plant is built today, security is designed into the architecture from the start. Existing brownfield plants, on the other hand, typically have a variety of security fixes in place, but many lack a comprehensive security concept with clear strategies and goals. Developing one can be difficult because of the technical challenges of "hardening" a wide variety of disparate legacy systems.
Specific security needs vary greatly by world region. In Europe and North America, many plants run legacy industrial control systems dating back 20 years or more. These systems are the most vulnerable as they were never designed with security in mind. The sheer variety of aging technologies makes adapting modern security concepts to legacy systems difficult. In Asia and other emerging markets, plants tend to be newer, but that fact alone does not guarantee a higher level of security.
Enterprise versus Manufacturing
Industrial companies are often divided along organizational lines into two separate domains: manufacturing and enterprise. The enterprise side uses modern, commercially available IT hardware and software to run the business. In the past, the manufacturing side was disconnected from the enterprise side due to the use of specialized, proprietary technologies. But the introduction of modern IT concepts in manufacturing in the past decade has led to a more unified IT landscape across both domains. The problem is that despite the use of similar technologies, enterprise and manufacturing domains have fundamentally different requirements and priorities. In terms of IT, in the enterprise domain, the top priority is data confidentiality, while for manufacturing, availability is the most important aspect. However, many companies have not yet realigned their organizations to acknowledge and address this conflict.
Security Solutions: What Manufacturers Need
A cyber security solution is the sum of all processes, procedures, and products designed around a defense-in-depth strategy. This strategy assumes that any single point of protection can be defeated. The architecture is set up with multiple defensive layers addressing different types of risks. Instead of preventing an attack, this strategy delays progress of an attacker to give an organization time to detect and ward off the attack before critical systems can be reached and compromised.
Manufacturing companies need a rock-solid, secure by design concept; taking into account both enterprise and manufacturing domains and addressing the needs and priorities of each without compromising either. For the manufacturing domain, architectures should be scalable and the concept should protect production assets and ensure their availability without interfering with productivity. Finally, security solutions should allow for secure remote access – a requirement of many manufacturers seeking to reduce operational costs.
Taking a Holistic View
Cyber security covers a broad set of topics ranging from products to best practices to services. No single aspect can fully address security issues. For this reason, sound security solutions take a holistic view of the needs of a whole plant or enterprise rather than trying to solve individual security problems.
Many industrial companies don't have in-house staff trained to assess the current security situation in their manufacturing facilities and develop a new security concept. This is an area where outside consultants or service providers with the right skills and experience can add a lot of value by employing a standardized, holistic approach to assessing security needs. An outside expert offers the sum of all his previous clients' experience and will be more familiar with the latest technologies, solutions, and best practices. There is a big difference between designing and implementing a security concept, and maintaining one on a daily basis.
Rockwell Automation Network and Security Services
As ARC learned in a recent briefing with company executives, Rockwell Automation offers a broad portfolio of products and solutions for cyber security, including some co-developed with its alliance partner Cisco Systems. In addition to hardware and software products to protect and manage networks, the company offers a host of services known as Network & Security Services (NSS) to help customers develop security concepts, define best practices, and deploy comprehensive security solutions. These services are designed to deliver value by helping customers assess and reduce risks for the entire lifetime of manufacturing assets – skills that are needed only for a short time and that manufacturers often don't have in-house.
On-site assessment, defense-in-depth security evaluation
Plant wide converged Ethernet from the industrial demilitarized zone through hardening of end node assets
Procurement, configuration, installation, testing, start up, transition to support
Audit current architecture compared to governing body (ODVA, IEEE, ANSI, TIA, ISA-95)
Diagnostics and troubleshooting, remote monitoring, knowledge management systems, administration
Network & Security Services (NSS) Offerings from Rockwell Automation
Starting with Assessment Services, Rockwell Automation provides experts to assess a customer's current security needs. The assessment takes into account networks and endpoint devices as well as recognized industry standards and company policies, and reports overall findings with a prioritized list of critical issues and specific recommendations.
The Design Services dig deep into the necessary details by defining functional requirements and listing specific topologies and products. This includes all network relevant information including a bill of materials for all parts, access and distribution layer topology, physical layer drawings, cabling, an addressing schema, redundancy concepts, configuration information, and provisions for remote access.
Implementation Services include procurement, configuration, installation, testing and start-up, as well as assistance to help the user transition to offering its own internal support.
Validation Services consist of an audit of the current architecture vis-à-vis recognized standards such as IEEE, ASNI, ODVA and ISA95, as well as a security audit in accordance with NERC CIP, IEC 62443, NIST 800-53 and NIST 800-82.
Finally, Managed Services rely on sophisticated network technologies from Rockwell Automation and its partners, such as Cisco Systems, to provide remote, online support for infrastructure administration as well as asset security monitoring.
ARC believes that Rockwell Automation's Network & Security Services offer a compelling value proposition. These services complement the company's security products well and go beyond what some other automation suppliers offer. Having outside expert advice to set up a comprehensive security solution for new or legacy industrial control systems is of particular value.
Cyber security solutions for manufacturers contain many facets and should be designed with a holistic view. While most manufacturers have already addressed security, many existing plants with legacy control systems are still vulnerable. In addition to its portfolio of security products, Rockwell Automation offers a variety of complementary security services. These services provide expert advice on the assessment, design, implementation and validation of security concepts, and round out the offering with ongoing remote managed services that augment the manufacturers own operational staff.
All signed-in ARC Advisory Group clients can view this report in pdf format at this Link
If you would like to buy this report or obtain information about how to become a client, please Request ARC Info
Keywords: Cyber Security, Security Services.