Posted By Jeff Moad, March 04, 2011 at 7:36 AM, in Category: Factories of the Future
Stuxnet is just the beginning of the security threat for which manufacturing executives must prepare.
Most top executives and IT leaders figured out a long time ago that developing and enforcing a bulletproof set of security policies for back-office systems is not just a tactical technology issue. It’s a strategic imperative.
As businesses have increasingly gone online to market their products, receive orders, collect payment, and provide service, top executives have realized that they must be able to assure customers that their private information is being protected. As a result, most enterprises treat security as a strategic issue, developing enterprise-wide security plans and policies and scrutinizing the security implications raised by every new initiative. Many have even created the role of chief security officer.
Unfortunately, this strategic approach to IT security policies and plans often doesn’t extend to the manufacturing plant, where mission-critical systems appear to be increasingly vulnerable to the same type of sophisticated cyber-attacks that have long targeted back-office systems. A report issued this week by the not-for-profit Repository of Industrial Security Incidents counts 60 known industrial cyber-security breaches between 1999 and 2010, many resulting in lost production time, destruction of property, and even fatalities.
The most dramatic and high-profile of these attacks, of course, is Stuxnet, a virus that may have been unleashed to disrupt automation equipment that was being used in Iran’s nuclear program. Speculation has it that the virus, which attacked Siemens SIMATIC control systems, may have had state sponsorship. This raises the possibility that other states, enterprises, or individuals may try to replicate Stuxnet with a virus that attacks industrial systems.
And there’s plenty of evidence that at many companies, PLCs, DCSs, and other industrial systems are sitting ducks. More and more of these systems are connected to corporate or even public networks. And many haven’t been subject to the type of rigorous security hardening that is necessary to ward off attacks.
Even manufacturers that have followed the security suggestions of their industrial systems providers remain vulnerable. Three SCADA security experts, Eric Byres, Andrew Ginter, and Joel Langill, last month published a report concluding that even industrial networks and systems secured according to the best practices recommended by vendors such as Siemens are vulnerable. Because Stuxnet is so sophisticated, commonly recommended security best practices are ineffective, the report concludes.
"We know what [Stuxnet] does to a poorly secured system -- it eats it for lunch," Byres said recently. "We now know what it does to a well-secured one -- it eats it for lunch, too."
The obvious conclusion is that manufacturers need to implement tougher security technologies to stand up to next-generation worms such as Stuxnet. But they need to go further. Executives need to apply the same strategic approach to industrial security that they’ve applied to the enterprise. That means comprehensive security policies that dictate what employees can and cannot do. (Stuxnet was apparently introduced via a thumb drive.) It also means site assessments, risk analysis, access control lists for trusted and untrusted entities, and the use of advanced security technologies.
Not surprisingly, software vendors are getting involved. Recently, security software provider McAfee Inc. entered into a strategic agreement with Wind River, a maker of embedded, real-time software used in industrial-control and other systems. Through the agreement, McAfee intends to bring advanced security techniques such as white-listing and telemetry to industrial control systems.
The good news is that some industry groups are waking up to the threat. The International Society of Automation recently announced that it has formed a task group to analyze whether the organization’s ISA99 security process best-practice standards are still adequate in the Stuxnet era.
Hopefully, ISA will act quickly to fill the gaps, and manufacturing executives will begin to treat security as the strategic issue that it is.
Written by Jeff Moad
Jeff Moad is Research Director and Executive Editor with the Manufacturing Leadership Community. He also directs the Manufacturing Leadership Awards Program.