At our January meeting, Tim Shaw, consultant and chief security and automation architect for industrial automation and control systems, presented an excellent talk on the topic of cyber security for industrial facilities.
Held at Rumsey Electric Co. in Conshohocken, PA, the meeting drew about 30 members.
Shaw made the point that industrial facilities should mostly be concerned with adequate cyber security. Hacking is more of a problem with IT since it’s generally aimed at computers and popular operating systems. Security in the IT realm is highly specialized and costly. Industrial facilities must be smart about security to minimize costs and follow common sense.
He stressed that industrial facilities have issues that are outside the experience and expertise of conventional IT departments and consultants. “A one-size-fits-all IT-like approach to cyber security leads to unnecessary complexity and frustration in an industrial facility,” says Shaw.
An industrial facility may have some devices similar to those in IT, like a server or PC running Windows or Linux. But many more are simply smart devices with microprocessors that have no peripherals.
The susceptibility of such devices to cyber attack will vary greatly based on their technical design and features.
Shaw provided the following list of instrument attributes that may make a cyber attack unlikely:
- The lack of field-alterable software
- Replacement of total firmware only via USB/Memory stick
- Containing no information of value to an adversary
- Restricted-capability USB support
- Read-Only remote data access
- The lack of a file system
- Proprietary operating system
- Integral multi-level/multi-user password protection
- No Ethernet or restricted Ethernet-TCP/IP support
- No wireless communications
- Not controlling or operating critical equipment
Shaw noted that cyber-accessible instrumentation can be placed in a special protected zone that permits remote access without compromising security.
Summing up, Shaw says that while inaction is risky, industrial plants shouldn’t try to protect everything.
Many smart devices don’t need much, if any, protection. Plants should be realistic about protecting industrial-based communication channels.
Lastly, while IT people can be helpful, their objectives and best practices don’t always align with the realities of operating a plant.