As Internet of Things implementations continue to move into the industrial and manufacturing arena, it’s now more necessary than ever to understand and solve security challenges. In her guest post below, Lorie Wigle, Vice President, General Manager IOT Security Solutions, McAfee, a Division of Intel Security, explores several excellent solutions. ~ Terri Blake
Industrial control systems are part of the rapid evolution to exploit connectivity, big data, and cloud computing. Manufacturers are designing in new capabilities as their customers pursue advances in automation, and gateway devices are proliferating to connect legacy systems. Numerous business benefits are driving this transformation.
Factory floors, utilities, and other industrial installations are becoming more and more intelligent with instrumentation to collect data about the equipment and the environment. This data can be analyzed both locally and in the cloud to trigger maintenance, optimize production, or meet regulatory requirements for data logging. Cloud computing is particularly well-suited for analytics that are not real time. As examples, monitoring the performance of a device over time enables failure prediction and maintenance ahead of a potentially costly downtime event. Similarly, utilization can be measured and tuned to optimize energy efficiency. The surrounding facility can be monitored and analyzed for EHS (environmental, health and safety) issues, and operational insights result from analyzing the production data.
All powerful motivators for connectivity and compute.
But security must be designed in as these systems are connected, for this new access to operational data and systems also creates new business and EHS vulnerabilities.
Historically, many industrial control systems have been perceived as secure because they were separate from IT networks and the Internet. This separation is sometimes referred to as an “air gap.” But in the words of a Siemens executive, “Forget the myth of the air gap – the control system that is completely isolated is history.” [1]
We must assume that industrial systems are vulnerable to attack, and we need to protect them adequately. Fortunately, good solutions are available. Many of these systems ship from their manufacturers with predetermined functionality – i.e., they’re not general-purpose computing platforms like PCs or smartphones. That means we can “white list” the software that runs on them. Many ICS vendors around the world utilize McAfee Embedded Control to lock down fixed function devices. Firewalls should also be installed on industrial networks, and solutions such as McAfee Next Generation Firewall are evolving to support many industrial protocols such as OPC. Operators should also implement good physical security including mechanisms on equipment that disable I/O facilities such as USB ports. At Intel, McAfee, and Wind River, we’re working to make it as easy as possible to design in robust security by building pre-integrated stacks and tools into our processors, software, and security solutions that can be deployed by both manufacturers and industrial system operators.
Clearly there are many benefits to cloud-connected industry – let’s be safe about it!
1. Stefan Woronka, Manager for Industrial Security Systems, Siemens at AusCERT, 2012