Advancing to IIoT means back to security basics

Manufacturers may see advantages to the Industrial Internet of Things (IIoT) and Industrie 4.0, but the backbone of their plant, the control system, wasn't built with cybersecurity in mind, and many companies aren't addressing this potentially serious issue.

02/14/2018


With the industry headed into digital transformation via smart manufacturing and Industrie 4.0 and the Industrial Internet of Things (IIoT), company leaders look at these initiatives as opportunities they need to jump on—and fast.

They can gain a competitive advantage through new service-enabled business models, disruptive new products, a more agile supply chain, and efficient operations. However, the systems that end up being the backbone of the manufacturing enterprise, the control systems, are not built with security in mind. On top of that, a survey released by Honeywell shows adoption of cybersecurity is low.

The survey, "Putting Industrial Cyber Security at the Top of the CEO Agenda," was conducted for Honeywell by LNS Research. It polled 130 strategic decision makers from industrial companies about their approach to the Industrial Internet of Things (IIoT), and their use of industrial cybersecurity technologies and practices.

Slow or low adoption could mean either manufacturers will move forward with the digital transformation and remain insecure, or they will be delayed in their movement forward and lose valuable time and potential revenues until they adopt a security program.

Either way, it appears companies at the vanguard of employing security already, have a leg up on any potential competitors. It can also mean more companies are still at the beginning of creating a security program.

"I think everyone knows they have a problem now, but they are not quite sure where to start," said Seth Carpenter, software engineer and cyber security technologist at Honeywell. "There is a long way to go. Awareness is a good first step. We can't do anything unless there is an agreement that something needs to be done. The next step is putting funding behind these programs. Sometimes it is not throwing money at it, it can really be building up the culture in the organization where you are thinking of security and putting responsible officers in there making sure they are reporting out on cybersecurity and it is going all the way up to the C-level and the board."

The survey's findings included: 

  • More than half of respondents reported working in an industrial facility that already has had a cybersecurity breach
  • 45% of the responding companies still do not have an accountable enterprise leader for cybersecurity
  • 37% are monitoring for suspicious behavior
  • Although companies are conducting regular risk assessments, 20% are not doing them at all

"One of the things I found interesting was when they were asked if they had a breach at their plant, most people normally don't want to talk about it, but here quite a few people admitted they had a breach," Carpenter said.

The survey found there has been low adoption of cybersecurity measures, however, awareness is through the roof, the question remains on when will manufacturers establish a timetable for adopting a security program.

"It is a combination of things," Carpenter said. "We know we should brush out teeth and take our vitamins, but sometimes you just say, I will go to sleep right now. It is hard without that driving factor or a really good business case behind it. We are at a point where there is a lot of awareness of what is happening. We see attacks in every industry like healthcare, banking, financial institutions, the awareness is there. I think that is the first part where people recognize something needs to be done. They might not know where to start. So, they say we need to do something about it, but that can be daunting. It is like eating the elephant, you have got to figure out the little bite I can take on this."

First step

Image courtesy: Ilya Pavlov/UnsplashA good first step for a manufacturer is conducting an assessment.

"There are really good cybersecurity maturity models users can map their processes to so they can get started," Carpenter said. "Sometimes the hardest part is taking the first step and think here is what we are going to get and here is where we want to be and putting together that plan."

Traditionally, security has been seen as a cost center, but in reality, it can end up viewed as a business enabler that keeps systems up and running by eliminating unplanned downtime.

"That is one of the trickiest parts of security," Carpenter said. "When I invest in a manufacturing line, I see I am producing 20% more product. That is tangible and I can put a dollar value on that. If I spend the same amount of money on a cybersecurity program how do I measure success? How do I show my boss and my bosses boss, 'Hey, we did a really good job here.' I think there needs to be a mindset shift to see this isn't a problem where we are dumping our money into because we have to, instead this is helping us maintain our machines and giving us the uptime numbers we need."

The report issued three recommendations:

1. Use an operational excellence model of people, process, and technology capabilities to enable digital transformation and build industrial cyber security capabilities into the model.

2. Focus on best practices adoption. Start with the basics like firewalls and access controls; over time move to more advanced topics like network architecture, risk management, and activity monitoring. Build a roadmap based on increasing people and process maturity that considers risk and equates safety with security. If people capabilities are limited to start, consider augmenting with external professional services that have information technology (IT) and operations technology (OT) experience.

3. Focus on empowering leaders and building an organizational structure that breaks down the silos between IT and OT. A common approach across these disciplines is critical for success in industrial cyber security and it can only be done by investing time and energy in the soft skills of change management.

"We know this is complicated, we are talking systems that have been up and running for years and years, let's face it if it is not broken, don't fix it," Carpenter said. "So, getting visibility into the assets can be difficult. You have to know what normal looks like."

Gregory Hale is the editor and founder of Industrial Safety and Security Source (ISSSource.com), a news and information Website covering safety and security issues in the manufacturing automation sector. This content originally appeared on ISSSource.com. ISSSource is a CFE Media content partner. Edited by Chris Vavra, production editor, CFE Media, cvavra@cfemedia.com.

ONLINE extra

See related stories from ISSSource linked below.

Click here to register to download the report.



Top Plant
The Top Plant program honors outstanding manufacturing facilities in North America.
Product of the Year
The Product of the Year program recognizes products newly released in the manufacturing industries.
System Integrator of the Year
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
June 2018
2018 Lubrication Guide, Motor and maintenance management, Control system migration
May 2018
Electrical standards, robots and Lean manufacturing, and how an aluminum packaging plant is helping community growth.
April 2018
2017 Product of the Year winners, retrofitting a press, IMTS and Hannover Messe preview, natural refrigerants, testing steam traps
June 2018
Machine learning, produced water benefits, programming cavity pumps
April 2018
ROVs, rigs, and the real time; wellsite valve manifolds; AI on a chip; analytics use for pipelines
February 2018
Focus on power systems, process safety, electrical and power systems, edge computing in the oil & gas industry
Spring 2018
Burners for heat-treating furnaces, CHP, dryers, gas humidification, and more
April 2018
Implementing a DCS, stepper motors, intelligent motion control, remote monitoring of irrigation systems
February 2018
Setting internal automation standards

Annual Salary Survey

After two years of economic concerns, manufacturing leaders once again have homed in on the single biggest issue facing their operations:

It's the workers—or more specifically, the lack of workers.

The 2017 Plant Engineering Salary Survey looks at not just what plant managers make, but what they think. As they look across their plants today, plant managers say they don’t have the operational depth to take on the new technologies and new challenges of global manufacturing.

Read more: 2017 Salary Survey

The Maintenance and Reliability Coach's blog
Maintenance and reliability tips and best practices from the maintenance and reliability coaches at Allied Reliability Group.
One Voice for Manufacturing
The One Voice for Manufacturing blog reports on federal public policy issues impacting the manufacturing sector. One Voice is a joint effort by the National Tooling and Machining...
The Maintenance and Reliability Professionals Blog
The Society for Maintenance and Reliability Professionals an organization devoted...
Machine Safety
Join this ongoing discussion of machine guarding topics, including solutions assessments, regulatory compliance, gap analysis...
Research Analyst Blog
IMS Research, recently acquired by IHS Inc., is a leading independent supplier of market research and consultancy to the global electronics industry.
Marshall on Maintenance
Maintenance is not optional in manufacturing. It’s a profit center, driving productivity and uptime while reducing overall repair costs.
Lachance on CMMS
The Lachance on CMMS blog is about current maintenance topics. Blogger Paul Lachance is president and chief technology officer for Smartware Group.
Electrical Safety Update
This digital report explains how plant engineers need to take greater care when it comes to electrical safety incidents on the plant floor.
Maintenance & Safety
The maintenance journey has been a long, slow trek for most manufacturers and has gone from preventive maintenance to predictive maintenance.
IIoT: Machines, Equipment, & Asset Management
Articles in this digital report highlight technologies that enable Industrial Internet of Things, IIoT-related products and strategies.
Randy Steele
Maintenance Manager; California Oils Corp.
Matthew J. Woo, PE, RCDD, LEED AP BD+C
Associate, Electrical Engineering; Wood Harbinger
Randy Oliver
Control Systems Engineer; Robert Bosch Corp.
Data Centers: Impacts of Climate and Cooling Technology
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
Safety First: Arc Flash 101
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
Critical Power: Hospital Electrical Systems
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
click me