Will IT security be the next OT standard expectation?
There is one thing I like very much in the industry : this special care for the production process. It is the very beating heart of every factory, so it is no surprise really, but the accumulated experience of 300 years of industrialization, in Europe and across the globe, produced an amazing list of tools : procedures, certifications, monitoring, official bodies, standards & references,… A series of tools aiming at one thing : securing the production process.
It is about being sure that the process runs as intended and keeps the promises. It is about securing the volume, the quality, the safety… and the profitability of the industrial production process. The problems come when, in order to satisfy profitability, we make choices that may jeopardize the other important things.
The race into Industry 4.0 started over 15 years ago with leading suppliers encouraging their customers to redesign their machines and their production lines and to take the step to move the industrial control systems, PLC’s, drives, HMI’s, from proprietary, or semi-proprietary, serial networks to Ethernet : faster communication, easier integration, new & very convenient services…
There were many advantages and many promises justifying to indeed take the step and, in time, the industry followed and adopted IT for its benefits. Yet, doing so, the industry took a risk, because what the industry was obviously not told, by the leading suppliers’ marketing, is that inside the beautiful dress of the numerous benefits, lies a technology that could jeopardize safety, quality, volume and ultimately the integrity of the production process, compromising profitability itself.
IT puts our industry at risk because it creates unexpected connections between the factory and the outside world.
These connections may be as simple as an email, a USB stick and a laptop on the network, an Ethernet enabled fax machine… Each of those three examples were used, for real cases of cyber-attacks. The threat comes when it has a path. When the factory floor is also “connected” and converted to all Ethernet, it becomes vulnerable.
IT certainly has tools & procedures to make use of the technology in a safe enough way, but where the shoe pinches is that these tools & procedures cannot be applied as is to the industry, because… precisely… of the specifics of the industry : the special care to secure the production process, sometimes summarized in a few words by the experienced production engineer saying “if it works, don’t fix it !”
Compromises have to be made, IT maintenance needs to become part of production maintenance and IT security has to melt into the automation user’s workflow.
So, yes, OT & process automation engineers need to care for IT maintenance of their now IT enabled Industry 4.0 machines & equipment. It may come as a surprise, because it was not among the promises made by the suppliers when they sold the move towards a more connected industry, and it certainly comes with a cost. OT & process automation engineers will also have to learn how to harness IT maintenance, so downtime, price & required competences remain within the planned forecasts. Neither that was mentioned before.
Now equally, seen the threat that IT brings into production, OT & process engineers have the right to demand more IT security in the products and solutions from their suppliers. Is it still acceptable today to buy devices with embedded websites supporting http, the unsecured version of https ? Is it still acceptable to buy an operator panel with an embedded website that crashes completely on an unhandled http/https exception ? Is it still acceptable to buy today devices with standard default passwords, such as admin/admin, simply relying on the user to change it ?
How can OT customers accept, on their network, devices that punch holes in the company firewall, to an undocumented server, and allow remote access beyond any local control ? How many OT suppliers have in their company a security response structure, connected to support, product management and R&D for faster reaction ?
It took 20 years for Modbus RTU (1979) to be ported over TCP/IP (1999), and it took another 20 years to come with a secure version of that open protocol (2018). How long will it take the industry to adopt it ?
ENISA and other security agencies from governments worldwide make recommendations to build a more secure industry and to create more secure products. These are guidelines for every industry supplier, and every buyer, to put a framework and establish standard expectations for security in the industry. Once OT & process engineers will demand security, time will be over for industry suppliers to implement IT features in an OT product, without considering seriously the security aspects.
This being said, if one part is about implementing security and secured technologies into the product, another is about making this security easy for the user, integrating it into the user’s workflow, otherwise it will be bypassed (e.g. see the Post it note with the admin password stuck on the side of the scada monitor).
Designing secured solutions or products does not necessarily cost more, but it calls for a different approach of the product or solution design (#securitybydesign), where the future user and the use case are the central point, and where security is considered from the start. IT suppliers cannot do that for us, in the industry : they do not know our customers use cases. It is, unfortunately, a limit for IT solutions in OT & production environments, but the good news is that this is precisely where industry suppliers can take over, with their accumulated experience and with their knowledge of OT users and industrial processes.
The key to a more secure Industry 4.0 is to take advantage of the field expertise of OT suppliers and complement, in our products & solutions, the IT efforts to secure the factory. By taking care ourselves of the last mile in this Industry 4.0 race, we will make it so that the tool fits the hand and can be operated easily and securely.
Dear OT customer, more secure OT products & solutions exist and you can contribute to secure your factory. You have the power to select those products & solutions for your projects and make OT security the next standard expectation from customers in the industry.
Find your sales partner
Find your personal contact person in your area.
Start your Remote Services
Are you looking for an all-in-one solution? Try our web-based remote access portal today.
We are here to help you
Questions? We can help you. For direct support, you can also call us.
Subscribe here to get updates on IoT and Remote Access solutions, products and features and get the latest Cybersecurity updates.