Ensuring security for industrial devices

19 April 2022

Key questions about factory-floor and industrial cybersecurity, as IT and OT communication networks rapidly converge, are addressed in a whitepaper from HMS Industrial Networks.

Cybersecurity is a critical issue as industrial technology (IT) and operational technology (OT) converge, general factory floor automation and many industrial applications need to be prepared for cybersecurity threats. Where things are going and what security measures will be needed are the big questions. And often the magnitude of the potential threats is hard, if not impossible, to estimate due to the simple fact that the threat landscape is constantly evolving. 

Manufacturing industries today are undergoing a significant digital transformation as Information Technology (IT) and Operational Technology (OT) communication systems rapidly converge, thanks to smart industrial automation devices that are designed to provide more useful information than ever before – in many cases through the use of networks like OPC UA and MQTT transferring data to IT domains, combined with existing industrial Ethernet networks, that in their turn also evolves, adding features and TSN capabilities. The result is that a larger range of data is being made available and collected from the factory floor, across local enterprise IT functions, on-site storage, and into the external cloud – to give companies new competitive advantages.

The IT/OT convergence, encompassing aspects of Industry 4.0 and the Industrial Internet of Things (IIoT), allows new interconnected communication which helps factory OT equipment create greater value out of data shared with local IT applications or via a manufacturer’s IoT Platforms. This cross-shared data can offer many benefits in terms of enhanced levels of production, quality and profits. It will also provide industrial processes with much better possibilities to enable predictive maintenance and analysis.

Cybersecurity needs attention
At the same time, however, these advances make industrial communication networks and manufacturing processes vulnerable to intrusion and attacks. Attacks and intrusions are happening at industrial plants at an increasing rate. 

To improve security, IT security requirements for industrial communication standards and development processes need to be carefully considered – to make sure that they are protected, today and in the future.

Five key questions about factory-floor and industrial cybersecurity include:

• How widely might the factory floor of the future be connected to higher level systems?
Extracting information from devices, machines and production lines, and passing it on to other IT systems, is a process that has been going on for some time. A common way of achieving this is to only use selected points of entry at certain places in a plant/factory. However, the trend and evolution is clearly going in a direction where these will open up more.

While some factories or installations will continue to be tightly closed but the advantages interconnectivity can bring, and driven by Industry 4.0, the market is striving to connect industrial machines to the IT level to enhance maintenance, analysis and production effectiveness.

The result is that a fast-growing number of industrial machines will no longer be isolated from the outside world. Going forward, a factory needs to consider opening selected entry points on different levels. There will most certainly be a transition period as this opening up occurs; what remains to be seen is how fast and how costly it will be.

• Aren’t factories closed systems, meaning that outside access is denied?
Not necessarily, but it depends on how we define ‘closed’. If there is absolutely no connection to the internet, then yes it has a higher protection from external threats. However, a factory owner needs to consider security on different levels. For example, even if it is closed to the internet, people allowed inside the factory can make security ‘mistakes’ that need to be considered. Examples might be:

1. An external maintenance person connects their laptop to a machine for diagnostic purposes. This connection may expose the factory to unnecessary risks and threats – such as viruses or access to internal confidential documents and data
2. A PC being connected to an unused network port on an industrial Ethernet network, where only the machine communication is allowed. 
3. Incorrect firmware being downloaded to a machine. 
4. An employee making unintentional configuration changes, through tools, web or other environments that do not require authentication. 
5. Someone, either an inside employee or outside contractor, bringing a non-secure USB memory stick containing a virus into a factory. Upon connecting to an internal computer or port, the virus itself enables its installation. 

The increasing complexity of production machines is pushing local engineering teams to interact with their suppliers through remote access solutions that, if not fully secured and managed, will create additional entry points to the factory. This trend will clearly continue and accelerate.

• Who will have responsibility to ensure that an installation is secure?
Everyone will eventually have to consider security aspects in both new and old installations, and then build systems in different levels by segmenting various parts of a factory to create a higher security level. There will also be a need to accommodate co-existence with older products/installations using older networks. In addition to the question stated in the headline, another interesting question is: Can device manufacturers rely on someone else’s technology to solve the actual security part?

It is HMS’s belief that in many cases this will be possible, and even preferred. And when industrial manufacturers are required by their customers and end users to do this, the use of communication solutions that include built-in security features will help them do it more easily and efficiently. Thus, a manufacturer of automation equipment can meet their customers’ installation requirements related to security, but without the headaches and investments needed to do it by themselves.

It is worth pointing out that security is not only meant to prevent someone from outside the factory getting access to the network. It can also be intended to protect the network, and the products on this network, inside the factory.

• Do I need to secure all my products, or can I only secure the ones considered to be at risk? And how do I know which products those are?
This will be the key question when people specifying a new factory or installation containing industrial network communication. The level of security will probably be decided based on numerous factors. This could be the value of the product being made, the value of the information and processes inside the factory, the consequences of a security breach the level of restricted access inside the factory, IT/internet network connections, and type of data on the network, to give some examples.

It is not totally clear yet how and at what speed IT security in industrial communication networks will develop in the future, and what routes will be taken to achieve it. However, HMS is actively using its deep network communication experience to undertake numerous progressive steps that will assure that its communication solutions, and the users’ automation devices and systems, will be secure as IT and OT converge further in the future.

In this context, it is important to note the difference between the meaning of a ‘secure’ product and a ‘security’ product. A Secure product is any type of product, e.g. an I/O block, a proximity sensor, or a PLC – that has been developed with security in mind, and therefore certain security methods and counter measures have been implemented to add a certain level of protection for the product’s intended usage.  

A Security product, on the other hand, is product developed with the sole purpose of addressing specific cybersecurity functionality, e.g. a firewall, a DPI gateway, or data diode. Naturally, those products are also secure products. Those kinds of products have been developed in order to differentiate themselves on the market and to make their customers’ jobs easier when they need to implement specific security measures.

• Is it the device manufacturer’s responsibility to solve the security requirements in a factory?
The quick answer is no, it is not the device maker’s sole responsibility to solve security. But, vendors wishing to sell devices in an international marketplace with a wide variation of use cases, will have to meet the protection requirements of an installation, using security protocols and functions built into the product.

A secure infrastructure is based on in-depth security, which itself is built on several lines of defence – going down to the component level. But the device vendor will have no control over the specific security policies within a factory. Therefore, strengthening the device to handle any situation will help provide more reliable security performance regardless of the installation conditions.

Security also depends on acceptance by users that have already a strong focus on security management. For example, if a factory demands that its webpages shall be accessible on the network, only products with HTTPS (secure web protocol) can be accepted. This, in turn, means the manufacturer/device maker needs to support this secure functionality in their product.

The original HMS Industrial Networks Whitepaper can be downloaded from www.hms-networks.com/technologies/iot-security

Contact Details and Archive...

Print this page | E-mail this page