Industrial control systems are the heart of manufacturing worldwide. Over recent decades, industry has seen many advances to productivity: firstly, the advent of automation technology; secondly, the introduction of networking from the management to the field level on the basis of standards (Ethernet, TCP/IP, and ProfiNet/Interbus); and thirdly, the introduction of operator control and monitoring devices using Windows-based operating systems.
The use of standard solutions makes automation systems to be efficiently connected and their data used for comprehensive analysis purposes. However, the improvements gained in terms of accessibility, efficiency, and productivity should be accompanied with a high-level of protection against attack both from the outside and from within.
Industrial plants typically have a life expectancy of several decades. The automotion should be like wise, some are relatively simple, such as a PLC controlling a work cell on a factory floor. Some are more complex, such as a DCS in a refinery. Others are extremely complex, such as a SCADA system at a mine with more than 100,000 I/O points.
Like enterprise computing, industrial control systems have traveled a path from standalone systems to the modern, highly interconnected world of Ethernet, the Internet and cloud-based computing.
But while enterprise computing and even home computing started confronting cyber attacks a decade ago, the industrial control systems lagged far behind. One of the main reasons is that there is a significant difference between the asset lifecycles in the enterprise computing and the industrial control system spaces.
The situation is quite different when it comes to information technology components. They are more prone to obsolescence than the industrial plants themselves. New components offering vastly improved functionality are generally available within just six months. After 5 years or so at the most, this type of component has not only reached its depreciation point in terms of its value as an asset, but it is also technically obsolete.
So, while enterprise IT has managed to keep up with cybersecurity, anti-virus and network defense by continually upgrading its systems, most industrial control systems have relied on what has been called by many cybersecurity researchers, "security by obscurity."
Changing over to different systems is far from simple in the field of production. Here, an enormous store of knowledge relating to the process routines of automation devices and control systems has been gathered over years. This is where a company's expertise actually resides. It is a resource which must be maintained and protected at all costs when the time comes to make the change to a new system.
Standardized processes and components have managed to stand the test of time. They prevent costly stand-alone solutions which become almost impossible to update and maintain after a certain period. Internationally introduced standards also act as a catalyst to knock-on developments which provide benefits to all their users.
If we wish to enjoy the benefits of standards, then we also have to put up with the manufacturer's release and model policy. The greater the degree of accessibility, compatibility, and standardization achieved by these systems, the more they are at risk. The alternative is internal development, and stand-alone solutions which are disjointed and disconnected from technical progress.
The more vital the part played by IT becomes to industry, the more difficult it becomes for companies to isolate themselves from the global exchange of data. There is also a greater risk that dangerous security gaps will be created within their communication networks. This is why intrusion detection tools are at work day and night in modern companies. Their aim is to head off problems before they occur, and to identify and eliminate any probes to the network's integrity.
Durable protection can only be provided by security policies which make use of sound expertise and are anchored in every stage of the electronic business process from the very beginning. Without the use of automated processes and tools, and without a company-wide security policy, this daunting task can only be managed with extreme difficulty. This makes choosing the right IT strategy decisive to business success. The only way to successfully protect the digital factory is to balance the competing requirements for availability, topicality, security, total cost of ownership, investment safeguarding, compatibility, and scalability.