Pragmatic cyber security in digital automation
Chris Evans, Marketing & Operations Group Manager, Mitsubishi Electric Europe B.V. Automation Systems Division considers the growing importance of cyber security in manufacturing.
A recent report from Trend Micro, says major flaws continue to exist in two of the most popular M2M machine automation protocols. Message Queuing Telemetry Transport (MQTT) and Constrained Application Protocol (CoAP) are data protocols playing a fundamental role in M2M communication among consumer and industrial applications. Insecurities were first discovered in 2017.
It seems a long time ago now since various malware attacks on the operational layer changed the security landscape. It highlighted cyber security vulnerabilities in the de-facto automation architecture and systems. As we move towards Smart Manufacturing machine networking and system interconnectivity, risks increase. Under IoT and IIoT, cyber-security becomes even more important.
Smart Manufacturing relies on a greater convergence of the IT and OT layers of a business. When applying it to an existing plant, the potential for cyber-attack, if not understood and mitigated against would be higher.
For a new plant with new equipment it is easy to be mindful of all the current cyber-security issues and vulnerabilities. The reality is that most manufacturing plants in the UK have been around a long time that is not the case. The focus of the automation was productivity not cyber security. It is becoming understood that control systems may be vulnerable to several factors. These include access to the Internet, out of date or poorly maintained operating systems and CD drives or unprotected USB ports.
Cyber security in digital automation
Cyber-security is an arms race of escalating capabilities. The ‘defenders’ of vulnerable assets must see it as a journey rather than a destination. They need always to test and reassess the situation and install new defences. This is against the background of developing technologies and requirements that mean control systems are always becoming bigger, more complex, more distributed and increasingly open.
A successful the defence strategy against cyber-attack needs a holistic approach across the enterprise. This must start at the plant level. Automation equipment manufacturers must look to build in security as a natural part of the design process. For instance, PLCs need to include multiple embedded features such as hardware security keys and multi-layer password structures.
Hardware security prevents the opening or editing of programs on unapproved PCs not “bound” to the security key. Pairing PLC CPUs to the security key so programs will not run unless this hardware match exists. This also has the benefit of protecting the intellectual property of the control system. Additionally, using IP filtering to register the IP addresses of devices approved to access each PLC or HMI. This makes unauthorised access much more difficult.
Whilst end users will want the highest security; they will also continue to insist on simplicity of operation. Some may argue these automation security measures complicate operations. Taking a holistic view of security considers all aspects of the operation.
It may be that in some areas, relaxing some measures for the sake of continued operations is acceptable. But this is conditional on a risk assessment and suitable contingency measure to reduce any threat. Shop-floor cyber security is a balance between probability, risk, security and operational needs.
Against this human nature says that some people will always seek unauthorised access to control systems. Thus manufacturers and control engineers must build security counter measures into their products and systems.
Recent blog posts