Industrial Security is no longer optional!

INDUSTRIAL SECURITY describes the protection of production and industrial plants from attacks, whether intentional or unintentional. Security used to be the task of information technology (IT) in the form of IT security. Today, production and industrial plants are also highly interconnected using information technology. It is easier for attackers to intrude into automation and control systems, manipulate them and even compromise safety (Machinery Safety). This means that staff who are not IT experts have to deal with potential threats. Industrial Security deals with the security of control networks in production and industrial plants in factory automation and process control.

The objective of Industrial Security is to guarantee the availability of plant and machinery, as well as the integrity and confidentiality of machine data and processes. Attackers often use existing vulnerabilities to penetrate control networks or disrupt processes. To prevent attackers accessing the control network, potential vulnerabilities must be detected and remedied promptly. If an attacker succeeds in exploiting a vulnerability, the consequences for the company can be devastating, ranging from production standstill to risk to humans if safety measures are targeted for manipulation.

Tips for greater industrial security

Because security is not a physical parameter but rather a “moving target”, the measures against cyber threats must be updated constantly. Responsibility lies primarily with plant operators, for whom data security equals investment protection.

The following strategies help you implement security in your company:

1. Defence in depth: This principle is based on always placing new and different obstacles in the path of intruders. That makes it more difficult for attackers to achieve their objective. The point is to create as many obstacles as possible on as many levels as possible.

2. Organisational measures: It is important that all of a company’s employees internalise security. To do this, you should set up internal guidelines that apply to all employees and also to partners such as device manufacturers and service providers. Anyone responsible for security should support and check compliance with these guidelines.

3. Training: Not everybody can be an IT expert, so you should offer regular security training for your employees.

4. "Zones and Conduits" segmentation: Zones containing devices with similar security requirements should be separated from each other by firewalls or safe routers. Using the conduits between the zones, only devices that are genuinely authorised to do so can send and receive information.

5. Firewalls: Although routers and switches can support security mechanisms, you should also employ firewalls in your control network (industrial communication network).

6. Patch management: A patch process helps you define role-specific responsibilities. In addition, it should take into account not only patches and updates released by the manufacturer, but also third-party software (e.g. office applications, PDF Reader).

Solutions and training

In response to the need for Industrial Security, Pilz has enhanced its offering. Within the control network, connections between the diagnostic or configuration tools and the controllers can be protected from manipulation with the SecurityBridge Application Firewall, enabling secured connections to the outside world. With the access permission system PITreader you can control access permissions reliably and individually to your specifications and requirements to safeguard your plants from unauthorised access.  

New training courses ‘Fundamentals of Industrial Security’ and ‘Certified Expert for Security in Automation’ enable delegates to confidently implement the necessary measures in their workplace.  

Jason Reed is certified machinery safety expert at Pilz Automation Technology

https://bit.ly/Pilz-Ind-Sec