Articles

Top Reasons Why Industrial Automation Security Needs Renewed Focus

The global automation industry over the past decade has made significant strides through increasing digital transformation of industrial processes. This change has been further accelerated due to the rising convergence of technologies including artificial intelligence, Industrial Internet of Things (IIoT), and advanced analytics. In the face of the COVID-19 pandemic, much of the world remains under lockdown. And in this current situation, industries are heavily adopting automation. That’s the reason why industrial automation security needs a renewed focus. The industrial automation security is important as manufacturers and critical infrastructure organizations weigh a technological reboot. As industrial organizations tackle COVID-19 fallout, automation has become an even hotter topic. However, the acceleration of automation should be supported by adequate security measures to drive unforeseen consequences for organizations.

In industrial facilities, mission-critical systems have traditionally relied on human supervision as the senses were usually the most effective way to ensure optimum uptime and to meet security needs. But, undoubtedly, this is changing. Automated systems often exceed and are beyond human capacity to identify machine problems and security lapses. But, being lax regarding industrial automation security can be dangerous and have very serious implications. For example, hobbyist electronics may make automating industrial machinery simple, but such products can also provide cyber attackers with a familiar target. Another instance is the plug-and-play automation solutions that are never built with security at the forefront. It can also open the door for a vast amount of vulnerabilities. Moreover, there’s also a risk that organizations will hastily deploy artificial intelligence as part of their automation initiative. Doing this will expose enterprises to multiple risks. With data science experts and many experienced industrial operators in short supply as a result of COVID-19 quarantines, there’s a heightened chance of errors creeping into AI algorithms. Developing software or AI algorithms inevitably introduces some errors even in ideal conditions. Even the software for mission-critical systems could have one to five errors per 1,000 lines of code. With software often having billions or many code, the necessity to stop and correct bugs become critical.

Besides the risks of cutting corners with software-driven automation or AI workloads, the expansion of remote access in industrial environments is another significant danger. Such access should be granted very discreetly after a proper background check. The rush to enable remote operations can also prompt organizations to make control systems accessible through the public internet without appropriate security controls. The threat of doing so is a concern for safety instrumented systems. Such systems are the last line of defence process for processes operating beyond their boundary conditions and a known attack target for malicious actors. The remote operations also increase the risk of phishing attacks using social engineering. Such an attack could quickly recognize employees having privileged access so their credentials are exploited to gain access to the industry’s control system environments through the increasingly accessible remote gateways.

The companies are in a rush to deploy automation. But, the risks are high as remote access won’t be uniform across the industrial sector. The most critical of critical infrastructure systems tend to have established protocols in place and are less likely to redefine core processes. Critical infrastructures such as nuclear power plants, oil refineries, and chemical plants are less likely to be impacted by working restriction due to the social-distancing norms. Critical infrastructure organizations also tend to have regulatory requirements for cybersecurity. For example, Energy Utilities must follow cybersecurity standards outlined by the Federal Energy Regulatory Commission and the North American Electric Reliability Corporation. At the other end of the spectrum is industrial infrastructure such as heating, ventilation, and air conditioning (HVAC), lighting, and plant systems. Such systems have been operated and monitored remotely for decades now. The organizations which are in the middle of these two poles are more likely to increase automation and remote working infrastructure.

So, ultimately, before embracing automation or other technologies, every organization has to evaluate the risks and rewards of digitization and automation. The risk of moving too slowly in this current COVID-19 situation can impose threats to an industrial company’s longevity just as much as rushing a deployment. There are diverse opinions on how much to automate, what to automate, and when to automate. But, it entirely depends on every firm’s individual need and the capacity to handle it. The physical assets are increasingly going digital. Not embracing automation woven around these with an adequate digital process will create an imbalance, inefficient digital operating model. Organizations must collaborate to solve these problems. To ensure that reliability and security are aligned to both the criticality of the systems and the security risks, engineers and IT leaders need to team up especially during the pandemic.

From a business point of view, the firms need to consider strategies to deploy automation to match up the required level of security and enhance resilience in the face of uncertainty. Even if the economy migrates to a semi-open posture, there’s a lack of clarity on the duration of shutdown and the risks posed to the workforce. But, more certain is the likelihood shareholders will continue to be demanding as the recovery mounts. The technologies such as automation, AI, remote access can enable industrial organizations to continue business operations with the least required efforts. But, those who aim to do so should only deploy the technologies when they’re sure of handling them securely and cautiously. Despite the adage of security by design, many organizations find them in a sort of continual remediation mode. The security should remain a functional requirement as industries use technologies to their rescue.