The session opened with an introduction by Aurel Buda (Turck). He emphasised how everything is opening up: “Traditional automation networks used to have a closed system, with sensors and actuators being connected and communicating bidirectionally with a PLC network,” he said. “Nowadays, sensors, actuators and edge controllers connect remotely via industrial Ethernet. Devices connect not just to PLCs but to SCADA, MES systems or cloud services
“This means that there are many more points for intruders to attack a system. Despite early attacks having happened years ago, we are still at an early stage of security awareness. Currently, I see companies that are very aware of cybersecurity and industrial networks, but I also see companies that are not cyber-aware.
“Most customers really don’t like is to change anything on their systems, such as firmware updates.
This is where we are just at an early stage. In a couple of years, we will see systems that need to get firmware patches for security reasons, perhaps nearly every day or every week, just as happens with our IT infrastructure. Adding that to safety systems is a game changer. It is still challenging to have standards that allow for security patches, even in safety systems. Currently, the core protocols are not intrinsically safe.”
Buda’s introduction was backed up by Luke Orehawa (Nidec). He stated that, as a company, Nidec is known for integrating its factory automation systems. “We’ve been doing Fieldbus technology for quite a long time now and introduced our first industrial Ethernet system in 2005,” he stated. “Having one cable rather than many simplifies installation complexity. Functional safety traditionally requires more stringent cabling measures – typically the number of cables doubles. If we can remove those cables, and make those systems simpler, we can increase the robustness of the system, while decreasing its cost. This is where functionally safe protocols such as Ethernet IP have come into play to allow secure and high integrity data exchange.
“We can take those advantages further when we start integrating the IT system to improve the overall system efficiency and effectiveness. So for example, no longer are maintenance visits periodic, but they’re when they’re required – or even better, before they’re required!! We send that data up through the cloud mechanisms to be monitored by service providers.”
” Orehawa emphasised that convergence between IT and OT has proven difficult, citing an example in 2016, when there was an attack on the Ukrainian power grid. This was the first industrial control system attack since Stuxnet in 2010. But it was quickly followed up in 2017 by the world’s first cyber attack on a safety control system. In both cases, the mechanism of infection was through the IT system, typically through email. From there the attacker was able to traverse into the industrial control system and - quite worryingly in the 2017 attack - into the safety control system. To help attendees, Nidec placed in the chat a couple of links to relevant articles.
Third speaker Mark Staples (Euchner) suggested that most IT teams aren’t used to or aware of the factory installations. “They are very familiar with the IT layer, and they’re very familiar with all of the office type equipment, but maybe not so much when it comes to the operational the OSI layer,” he claimed. “One key area to address is education, because we are all seeing more connected devices, more networks of devices that sit on Ethernet, Ethernet IP, PROFINET, etc. Potentially these are open to attacks. If we look at where attacks have got into businesses, they have generally snuck in via the OT level.”
Euchner focuses on safety technology. “Alongside a lot of the standards and regulations training we do, we do some product training, particularly our products which are networkable, Staples continued. “Part of that product training is to make people aware of networks, think about network switches, or putting a demarcation zone in place. We have a real cybersecurity slant on some product technologies, to ensure that they operate in a really safe way, particularly our controllers, because they too can sit on an Ethernet network. As Luke quite rightly said, if people attack these systems and get them to malfunction potentially, we are putting people in harm’s way.”
Ian Holland (Dold) insisted that engineers must be very diligent, firstly in who is allowed access to the system and secondly, how they segregate individual parts of the system. “I think there’s no such thing as a unhackable network,” he worryingly claimed!. “If there is the want, the desire, the money invested in hacking to circumvent any system, then someone will get through whatever penetration diversion techniques you use.“
According to Holland, Ethernet, because of the way in which it is structured, has lots of holes in it. “Anywhere up and down a sevenlayer OSI model, you are able to intervene, capture packets and pretend to be someone else,” he argued. “Hackers can tell a network that they are the fastest way to the internet, and then all of the traffic on the network goes to you. All of these tricks have been around for years and years. So I think the best way to avoid Ethernet degradation is to be properly segregated. Avoid remote access via USB, via Bluetooth, or any kind of unauthorised interaction with the individual nodes. Additionally, the network can be made very secure if you have the right level of network sniffing software involved: because this knows the structure of the network, it will stop or give notice of anyone who shouldn’t be there.”
Who understands the landscape?
Smart Futures and PWE editor Aaron Blutstein was also on the call and interjected with some penetrating questions: “Do you think that when you look at IT and OT that cybersecurity as an issue is actually not understood by either,” he asked. “One cybersecurity expert I interviewed recently said that when he went into companies to sort out their issues, when he spoke to the IT department, they had only a very basic understanding – and this was from a quite a large company. So you do wonder whether the actual knowledge within organisations is sufficient?”
Staples acknowledged that this was a very relevant point. “It depends on the nature of the business that the customer is involved in - I can imagine they’re very aw are in the banking industry. But when you get into more industrial environments, then I don’t believe they are, even down to the simple things like passing USB sticks around the office and the way that bugs and viruses can get into the system.
Orehawa, too, emphasised the importance of having competent team members. “In the functional safety world, when we’re talking about derivatives from ICS 61508, the framework demands competent team members. This standard also highlights that a security risk assessment should be performed if deemed necessary. I think it should be performed, whether or not there are any outcomes to mitigate. At the OT layer, we do have this sort of structure in place. In the IT world, they might be not as competent in dealing with the scenarios that the OT Network offers. So what we really need to do is build that secure team, that cybersecurity team who are going to look at the IT and OT together, and run a competence assessment on those members and make sure we have got competence within that team. If not, we should look to outsource it.”
Buda added that a simple assessment is whether the company has somebody who feels overall responsibility for security. “Companies can have IT staff but they may not feel responsible for security and the 62443 standard. You need to have at least one assigned security officer who would sit in your quality team.”
In Holland’s experience, IT and OT are traditionally governed by two different parts of an organisation. “Only recently have I seen OT manager jobs advertised, for someone who would report into the chief IT officer within a business,” he noted. “If we are thinking big, such as a large canning plant, we are more likely to see a structure within the IT and OT, with someone specifically deployed to look after OT equipment. Whereas in a small business, it is quite possible that there might be one guy who is an expert at IP addressing computers, or running a virus scan or updating Microsoft, but not necessarily an experienced in OT matters.”
Speakers
Aurel Buda, Director, Product Management Factory Automation Systems, Hans Turck GmbH & Co. KG
Luke Orehawa, Safety Engineering Manager, Control Techniques
Mark Staples, UK Sales and Services Manager - Euchner (UK) Ltd
Ian Holland, Managing Director, DOLD UK
The complete edition of Talking Industry is available to listen online or via Podcast – please visit: www.talkingindustry.org
https://www.linkedin.com/company/69516213
