The Enormous Mess that is Manufacturing Security

Nation-states probing our manufacturing systems, multiple standards from an assortment of standards bodies, numerous and mostly incompatible security technologies, and vendors with vastly different solutions: that’s the manufacturing security landscape we face as we start the new decade.

Frankly, I haven’t seen a mess like this in all of my years working in manufacturing automation. There is little to no consensus. There are IoT applications that are increasing the attack surface, different security solutions from different vendors, and a vast number of opinions and ideas about how much and what type of security a manufacturer should implement and who should be responsible.

There are four general positions that I’ve heard people in the industry take.

THE “SEE NO EVIL, HEAR NO EVIL” CROWD – These are folks who believe that the threat isn’t real and just don’t believe it will ever happen to them. A lot of them understand it’s a risk, but are either perfectly willing to take it or just don’t know what to do. Manufacturers rolling out a lot of IoT projects are in this group. These folks need to understand something about IoT. The ‘S’ in IoT is for security! Not only are most of these IoT applications not highly secure, you sometimes get security that is incompatible with or unlike the security used in the rest of your automation system. A lot of these companies are willing to assume the risk of IoT applications that increase their threat surfaces because of their belief that the data is more important than the security vulnerabilities they are creating.

THE “WE DON’T NEED ANY SPECIAL SECURITY” CROWD – These are the folks who have decided that they can protect a manufacturing cell by sealing it off. They have an architecture where there is only one communication path in and out of the cell and no other path to any other controller or the Internet. I’ve had a highly influential expert from one of the automotive companies describe this to me. In this scenario, there is no need to secure any of the devices in the manufacturing cell. Instead, you watch the path into and out of the cell like a hawk with automated and manual tools. Since the data stream in and out of the cell is very regular and consistent, anomalies can be immediately detected and suspicious traffic blocked. This architecture saves the expense of deploying security systems to all the low-level devices in the cell, configuring that security and training your staff on those security procedures. Any network technology, EtherNet/IP, PROFINET IO, EtherCAT or any other network, with or without security, can be deployed. This is a simple and cost-effective solution to most, but not all, manufacturers’ security problems.

THE “LET’S FOLLOW THE CROWD” CROWD – Long ago, it used to be said by the forerunners of the IT departments that you can’t get fired for picking IBM. You might say that now about Allen-Bradley or Siemens. Many of these folks haven’t really thought security through. They don’t know, they don’t understand, and they aren’t going to take the time to figure out the right position for themselves. Their security plan is to do whatever Allen-Bradley, Siemens, or some other vendor tells them to do. They are going to trust their suppliers to know how to secure their manufacturing system. I’d expect that these companies will be some of the first to buy into CIP Security for EtherNet/IP.

THE “SKY IS FALLING” CROWD – These people see security as the most important issue on the manufacturing floor. They believe that every manufacturing system is at risk and that CEOs, CIOs, and every manufacturing executive will be clamoring for security solutions in the coming years. According to these people, security is the biggest issue on the planet, nothing is more important, and no one should send a bit over a link that isn’t encrypted. I recently heard this articulated by Hilscher GmbH in Germany at the SPS IPC Drives show in Nuremberg. They are making the case to their customers that every automation device must be redesigned for cybersecurity. The fact that they sell a silicon solution to that problem raises a bit of suspicion, but putting that aside, they do have an amazingly good product if you want to secure a device. Unlike the old days when their solution was awfully expensive, it is now reasonably priced and, like most things German, a paradigm of world-class engineering.

WHERE DO I STAND?
I don’t believe that every automation device is going to be redesigned for security. I also don’t believe that it’s not an issue. There are nation-states with unlimited funds and talented engineers that spend their days looking for vulnerabilities that they might use later. We must protect our manufacturing systems from those bad actors.

I think the most reasonable and cost-effective approach is to secure each manufacturing cell separately. Even though I am selling CIP Security and will help any vendor adopt it, I don’t believe it is necessary for every application to implement it and haven’t believed that for a long time. I think that the idea of walling off a manufacturing cell or system with only a single communication link in and out is the best approach.

This is the most practical solution, and the tools to implement it are already available. There is no chance that the thousands and thousands of automation vendors that supply automation devices are going to adopt a security solution, let alone the identical one. We are always going to have unsecurable devices with us, as well as devices implementing all sorts of different security standards, so securing everything is out of the question. Instead of locking every window and door to the castle, I like the idea of just watching what’s coming in over the drawbridge.
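
Watching the drawbridge, sketched as an added example (it is not from the original article or from any vendor): learn the regular flows crossing the cell's single link during known-good operation, then flag unknown flows, volume deviations and expected flows that go silent. The addresses, ports, thresholds and the per-window flow-record format are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Hypothetical flows (src, dst, proto, dst_port) crossing the cell boundary.
CTRL = ("10.0.0.5", "192.168.1.10", "tcp", 44818)   # supervisory host -> cell PLC
HIST = ("192.168.1.10", "10.0.0.6", "tcp", 4840)    # cell PLC -> historian

# Constructed training data: (flow, bytes per window) over 20 quiet windows.
TRAINING = [(CTRL, 1200 + (w % 3) * 10) for w in range(20)] + \
           [(HIST, 800 + (w % 2) * 5) for w in range(20)]

def learn_baseline(records):
    """Build {flow: (mean_bytes, stdev_bytes)} from known-good windows."""
    volumes = defaultdict(list)
    for flow, nbytes in records:
        volumes[flow].append(nbytes)
    return {flow: (mean(v), pstdev(v)) for flow, v in volumes.items()}

def check_window(profile, records, k=4.0, floor=50.0):
    """Compare one window of boundary traffic with the baseline; return alerts."""
    alerts, seen = [], set()
    for flow, nbytes in records:
        seen.add(flow)
        if flow not in profile:
            alerts.append(("unknown_flow", flow))      # path never seen in training
            continue
        mu, sigma = profile[flow]
        if abs(nbytes - mu) > max(k * sigma, floor):   # floor tolerates tiny variance
            alerts.append(("volume_anomaly", flow))
    for flow in sorted(profile.keys() - seen):         # an expected flow went silent
        alerts.append(("missing_flow", flow))
    return alerts

PROFILE = learn_baseline(TRAINING)
# Constructed observation windows: one routine, one that deviates three ways.
NORMAL = [(CTRL, 1210), (HIST, 800)]
SUSPECT = [(CTRL, 9000), (("10.0.0.99", "192.168.1.10", "tcp", 502), 300)]

if __name__ == "__main__":
    for name, window in (("normal", NORMAL), ("suspect", SUSPECT)):
        print(name, check_window(PROFILE, window))
```

Because cell traffic is so regular, even this crude per-flow profile separates the routine window from the deviating one; the same regularity is what makes blocking on unknown flows practical at a single choke point.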

This is going to be an ongoing battle – possibly for the entire decade. I don’t see any resolution unless, God forbid, there is some sort of catastrophe blamed on an insecure manufacturing system. Then the politicians will jump in and legislate a solution that will probably be inadequate, ineffective and unworkable. Let’s pray that doesn’t happen.

The traditional Chinese curse, “May you have an interesting life,” seems to be relevant for those of us dealing with manufacturing security.

Note: The ideas expressed in this article were inspired by a talk delivered by Jeff Smith of Dynics Inc.