How cybersecurity is affecting control and automation
Engineers working with industrial cybersecurity need to understand the increased risks as automation becomes interconnected. Build industrial systems that will operate securely throughout the lifecycle.
- Cybersecurity global standards from IEC, ISA Global Cybersecurity Alliance and UL help lower risk.
- Cybersecurity education and training.
The Industrial Internet of Things (IIoT), connected devices and the vast amounts of generated data create industrial opportunities, but it also increases cybersecurity risks. This shift challenges engineers to follow robust cybersecurity practices to design and build systems that will operate securely throughout the lifecycle. A discussion with Max Wandera, the director of Eaton’s Product Cybersecurity Center of Excellence, provided best practices for control engineers working on industrial cybersecurity.
What are the biggest cybersecurity challenges facing the control and automation industries?
Key trends impacting cybersecurity are increasing digitalization and the current lack of global, universally accepted standards for cybersecurity. Creating trusted environments is a must, and I believe cybersecurity is a must-have for product development, much like safety and quality. Cybersecurity threats must be taken seriously and met proactively with a system-wide defensive approach.
Analysts at Grand View Research Inc. estimate nearly $950 billion will be spent on the deployment of IIoT solutions globally by 2025. As organizations expand their digital footprint, it is imperative to protect the availability, integrity and confidentiality of connected systems.
Creating cybersecure environments is complicated without a global conformance assessment. Today, countries throughout the world develop their own requirements. This conformity gap makes it difficult for manufacturers to determine the standards to which they should build and comply, particularly as products are manufactured and sold around the world.
Further, control systems and electrical infrastructure typically consist of technologies from different suppliers. Where should the element of trust begin and end if there is no global conformity assessment scheme to ensure integrated components lack vulnerabilities?
Having a common set of verified product requirements at a global level, is an important starting point. On cybersecurity, Eaton has worked with UL, the International Technical Commission (IEC), the International Society of Automation (ISA) Global Cybersecurity Alliance and other partners inside and outside of the electrical industry to drive development of a global conformance assessment for power management technologies.
How can engineers ensure critical systems and processes are built on a secure foundation?
Security of a network or system is only as strong as its weakest link. Engineers need to make sure they are applying secure-by-design principles throughout their development lifecycle. They need to make sure they have the right training, technology and process in place to drive cybersecurity requirements throughout the product lifecycle.
Which cybersecurity codes and standards are important for engineers?
There are process, product and lab certifications, and achieving accreditations is essential to building trusted environments.
The IEC adopted the 62443 series of standards, which is a framework to address the cybersecurity of industrial control systems (ICSs). These standards provide requirements for all of the principal roles across the system lifecycle – from product design and development through integration, installation, operation and support. IEC also added 62443-4-2 to improve the security of products.
UL also created its 2900 Standard for Software Cybersecurity for Network-Connectable Products (UL 2900). These guidelines include processes to test devices for security vulnerabilities, software weaknesses and malware. This standard confirms the device manufacturer meets the guidelines for:
- Risk management processes
- Evaluation and testing for the presence of vulnerabilities, software weaknesses and malware
- Requirements for security risk controls in the architecture and product design.
IEC and UL certification of product development processes mean that customers can be confident that products and solutions they buy from us meet the same level of standards recommended by two key standards organizations across the globe.
UL provides a data acceptance program for manufacturers, which certifies testing laboratories with the global capability to test products with intelligence or embedded logic to key aspects of its 2900 standard. Products tested in these specialized labs are compliant with the industry’s highest cybersecurity requirements before they’re installed in critical systems. We introduced the first research and testing facility approved to participate in UL’s Cybersecurity Client Lab Validation program in Pittsburgh and later added a second Eaton lab to join the program in Pune, India.
Beyond product certifications, I recommend engineers consult with manufacturers that embed security throughout the product development process, the secure development lifecycle (SDL). SDL was created in response to an increase in virus and malware outbreaks after year 2000. This approach to product development places cybersecurity front and center from inception to deployment and lifecycle maintenance. SDL can help manufacturers stay ahead of cybercriminals by managing cybersecurity risks throughout the lifecycle of a product or solution.
What is the importance unifying cybersecurity requirements for connected devices and systems?
A connected world needs trusted environments. Advancing digitalization while building trust ensures the highest level of defense against emerging cybersecurity threats.
As more industries deploy IIoT devices, the security and safety of systems providing essential operations become more important and more difficult to manage. These complexities are due, in part, to a lack of a global, universally accepted cybersecurity standard and conformance assessment scheme designed to validate connected products.
A multitude of different standards and regulations created by various organizations, countries and regional alliances across the globe. All of these standards and regulations address the urgent need to secure our connected world, however they also create the potential for confusion and possibility of weak links in critical infrastructure ecosystems.
The time to drive a singular conformance assessment is now, and we’re working with leaders across the industry to do just that.
The International Society of Automation (ISA) Global Cybersecurity Alliance and its members advance advocacy for a global cybersecurity standard and industry collaboration.
How can engineers learn more about designing and maintaining securely connected systems?
Cybersecurity perspectives is a virtual global forum to help advance trusted digital environments. This online learning platform assembles experts, partners and customers from around the world to discuss hard-won lessons, best practices and industry standards to support a more secure tomorrow.
On-demand educational sessions include keynote insights from industry leaders and expert-led panel discussions on security trends.
Max Wandera is director, Product Cybersecurity Center of Excellence at Eaton; Edited by Mark T. Hoske, content manager, Control Engineering, CFE Media and Technology, firstname.lastname@example.org.
KEYWORDS: Industrial cybersecurity, industrial automation
What have you done lately to lower cybersecurity risk?