3 pillars of industrial cyber security

Engineering and IT Insight: A stable physical structure requires at least three main supports. Three “pillars” form the basis for an effective industrial cyber security system: technology, policy and procedures, and people.


Engineering and IT Insight: A stable physical structure requires at least three main supports. Three “pillars” form the basis for an effective industrial cyber security system: technology, policy and procedures, and people. Courtesy: Dennis BrandlA stable physical structure requires at least three main supports. Industrial cyber-security is no different; it requires supporting structures for a stable system. Three “pillars” form the basis for an effective cyber security system: technology, policy and procedures, and people.

Technology: knock, knock

The first pillar of security is technology. Security technology is the easiest to identify and quantify so it is often the focus of most of an organization’s cyber-security efforts. However, while technology is important, it is no more important than the other two pillars. Security technology deals with the identification of users, authentication of users and systems, and access control for users and systems. It also includes firewalls, virus protection software, data encryption, time-controlled resource availability, gateways, intrusion detection systems, network access control systems, and wireless network security.

Technology based cyber-security systems are like locks on doors and windows and motion detectors inside buildings. They provide a measure of protection against nonprofessional attacks, but any technology can be overcome when attacked by professionals. Professional locksmiths can open almost any lock and disable most internal security systems, and well-trained security professionals can bypass almost any technology-only security system.

Demonstrations at recent conferences by experts from the U.S. Department of Homeland Security’s National Cyber Security Division have shown how easy it is to break into control systems. Break-ins were accomplished even though the systems were behind correctly configured firewalls, with multiple levels of password protection, and running under an intrusion detection system with network access control. These simulated attacks demonstrate that it takes more than just technology to implement an effective cyber-secure industrial system.

Policies, procedures

Engineering and IT Insight: A stable physical structure requires at least three main supports. Three “pillars” form the basis for an effective industrial cyber security system: technology, policy and procedures, and people. Courtesy: Dennis BrandlThe second pillar of a cyber-security system is a set of well-defined and readily available policies and procedures. Policies and procedures define how to apply technology security solutions in an effective manner. They encapsulate the knowledge required to configure, operate, and evaluate your cyber-security systems. Policies and procedures should start with a security policy. A security policy defines the overall rational for the policy, identifying the risk-versus-cost rules that can be applied to other policies and procedures. A security policy should not define the technologies to be used. Technology solutions will change over time, but the policy should define specific requirements that must be met by any technology implementation. Don’t be afraid to have multiple security policies, one for each part of your facility with different fundamental requirements. Policies and procedures should specify the security organization, defining the specific roles and reporting structure that should be in place to effectively use the security technology. Other policies and procedures should cover areas such as asset management, access control, incident management, business continuity plans, compliance management, vendor selection, security system maintenance, and communication management.

It is important to remember to make the procedures available in an attack. If the procedures are just stored on-line, they may not be available if the on-line system is the one that was compromised. Therefore, multiple independent copies of the procedures and paper copies should be maintained to ensure their availability even if the networks and servers are unavailable.

Trained workforce

The third pillar of cyber-security is a trained and motivated workforce. The best technology, policies, and procedures still do not provide an effective security system if you don’t have the right people support. The weakest links in most security systems are people. “Social engineering” is the term that security professionals use to describe simple methods used to trick people to reveal passwords, open Microsoft Word or PowerPoint files, download files, and insert USB drives. Any of these actions can be, and have been, used to attack a system.

Your workforce must be educated in security technologies and security procedures. Education in security procedures can usually be done at a low cost and can be integrated into other corporate training on safety and regulatory compliance. Education in security technology usually requires outside training and can be expensive, but it is vital if the technology is to be effectively installed and used. Without a trained workforce installing and maintaining the technology solutions, it is easy to have a false sense of security.

Additionally, even the best trained workforce must be motivated to correctly follow policies and procedures. Motivation comes from understanding the consequences of a compromised system and the reasons for the policies and procedures. It is important for employees to understand that inattentiveness or sloppy execution of security procedures can seriously impact their company, jobs, and community. Motivation also comes from buy-in of the policies and procedures, usually accomplished by encouraging users to suggest improvements to security policies and procedures. Many times IT departments will develop security policies without consideration of the impact on production, while the people who have to implement the policies may have simple suggestions that would significantly increase compliance without reducing security. Effective training and motivation provide the third pillar for an effective security system.

For example, all three security pillars could be used to protect a simple control system. The technology pillar includes the firewall protecting the system and the login accounts to the control system. In a secure environment the login accounts for the control system would be separate from the general corporate accounts. Policies and procedures provide a second pillar by specifying who can be granted login accounts and what training is required before access is granted. The third pillar is the actual training required by employees before they are granted system access. The training would include the reasons for the secure environment, any known risks, and the consequences for failing to protect that environment.

Industrial cyber security systems must be built on a stable platform of technology, policy and procedures, and people. If any element is missing, then the system may appear secure but will be vulnerable to attack and compromise with serious consequences to safety, company, jobs, and communities.

- Dennis Brandl is president of BR&L Consulting in Cary, N.C., www.brlconsulting.com. His firm focuses on manufacturing IT. Contact him at dbrandl@brlconsulting.com; Edited by Mark T. Hoske, content manager CFE Media, Control Engineering.

- Read more Engineering and IT Insight columns: atop www.controleng.com search:


- See link to July cover story, Dark Side of Mobility, below.

No comments
The Top Plant program honors outstanding manufacturing facilities in North America. View the 2015 Top Plant.
The Product of the Year program recognizes products newly released in the manufacturing industries.
The Engineering Leaders Under 40 program identifies and gives recognition to young engineers who...
Safety for 18 years, warehouse maintenance tips, Ethernet and the IIoT, GAMS 2016 recap
2016 Engineering Leaders Under 40; Future vision: Where is manufacturing headed?; Electrical distribution, redefined
Strategic outsourcing delivers efficiency; Sleeve bearing clearance; Causes of water hammer; Improve air quality; Maintenance safety; GAMS preview
SCADA at the junction, Managing risk through maintenance, Moving at the speed of data
Safety at every angle, Big Data's impact on operations, bridging the skills gap
The digital oilfield: Utilizing Big Data can yield big savings; Virtualization a real solution; Tracking SIS performance
Applying network redundancy; Overcoming loop tuning challenges; PID control and networks
Driving motor efficiency; Preventing arc flash in mission critical facilities; Integrating alternative power and existing electrical systems
Package boilers; Natural gas infrared heating; Thermal treasure; Standby generation; Natural gas supports green efforts

Annual Salary Survey

Before the calendar turned, 2016 already had the makings of a pivotal year for manufacturing, and for the world.

There were the big events for the year, including the United States as Partner Country at Hannover Messe in April and the 2016 International Manufacturing Technology Show in Chicago in September. There's also the matter of the U.S. presidential elections in November, which promise to shape policy in manufacturing for years to come.

But the year started with global economic turmoil, as a slowdown in Chinese manufacturing triggered a worldwide stock hiccup that sent values plummeting. The continued plunge in world oil prices has resulted in a slowdown in exploration and, by extension, the manufacture of exploration equipment.

Read more: 2015 Salary Survey

Maintenance and reliability tips and best practices from the maintenance and reliability coaches at Allied Reliability Group.
The One Voice for Manufacturing blog reports on federal public policy issues impacting the manufacturing sector. One Voice is a joint effort by the National Tooling and Machining...
The Society for Maintenance and Reliability Professionals an organization devoted...
Join this ongoing discussion of machine guarding topics, including solutions assessments, regulatory compliance, gap analysis...
IMS Research, recently acquired by IHS Inc., is a leading independent supplier of market research and consultancy to the global electronics industry.
Maintenance is not optional in manufacturing. It’s a profit center, driving productivity and uptime while reducing overall repair costs.
The Lachance on CMMS blog is about current maintenance topics. Blogger Paul Lachance is president and chief technology officer for Smartware Group.
This article collection contains several articles on the vital role of plant safety and offers advice on best practices.
This article collection contains several articles on the Industrial Internet of Things (IIoT) and how it is transforming manufacturing.
This article collection contains several articles on strategic maintenance and understanding all the parts of your plant.
click me