Safety and security work hand in hand in the manufacturing automation arena.
However, despite more and more sophisticated, frequent and costly cyber attacks, security still does not receive the same attention as safety. There is a growing need to elevate security awareness to the same level as safety – ensuring not only a safe, but also a secure manufacturing environment.
Security awareness
Let’s face it – security awareness today suffers from an identity crisis at manufacturing facilities across the globe. Big, small or anything in between, there is a general lack of understanding of security best practices.
With reported cyber attacks growing by 600% since 2010, according to NSS Labs, security awareness amongst manufacturing organisations needs to grow to the point where best practices end up ingrained in workers’ minds. That only makes sense as safety protects man against machines, while security protects machines against man.
Well-known within security circles, cyber security awareness in the manufacturing enterprise remains nascent and needs to bust out and go mainstream within each organisation.
But where does that awareness begin and how can a manufacturer get started on the journey toward security?
A decade ago when most systems and business networks remained isolated from one another security was relatively simple. The enterprise stayed connected to the Internet, but focused on keeping its network up, running and protected, while process control and safety systems remained isolated and really did not have to worry about web connections.
However, in the name of progress and efficiency, over time the two networks became interconnected – a true sensor to boardroom communication. By the early 2000s, and especially after September 11, 2001, security professionals saw that safety systems and the control network, previously unguarded from any kind of security measures, needed protection. But getting industry leaders to understand and grasp that concept was akin to rolling a boulder up hill.
Stronger safety emphasis
The idea of safety, on the other hand, generated a strong following especially after the disaster in Bhopal, India when a methyl isocyanate gas leak at the Union Carbide pesticide plant left 3787 dead and 558 125 injured.
In the years since Bhopal, process safety gained corporate importance and all manufacturers understood and respected all safety initiatives. Yes, manufacturers had to look at cost, but it was imperative that companies targeted safety. ‘Safety First’ initiatives began in full force.
Process safety programs focus on design and engineering of facilities, maintenance of equipment, effective alarms, effective control points, procedures and training. It was, and still remains, a vital area to protect a company, its people and the surrounding area from any kind of potential disaster.
When it comes to safety, in order to contain a complex process, a manufacturer must design and implement management systems to:
* Understand the risk, which involves predicting problems, including predicting the risk of possible accident/loss scenarios, establish the appropriate design and the right layers of protection to control risk to a tolerable level.
* Control risk factors every day, which involves controlling the original design by maintaining the established layers of protection and managing changes to the design using integrated management systems.
* Analyse actual problems and determine weaknesses in the system, which involves identifying weaknesses in design and management systems and weaknesses in risk understanding through root cause analysis of actual problems (losses and near-losses).
Lagging security adoption
At a basic level, security follows those same set of guidelines. Why, then, are more organisations not implementing security into their daily mindset as they are safety? Some of the top internal reasons are: people, training, no real corporate mandate and no business return on investment.
With security being the new kid on the block for process control, getting people to embrace how to integrate security into their everyday work life is an ongoing education process. Teaching workers not to plug a thumb drive into a computer before checking to make sure it is free of any virus is just one example.
To talk security, there must be a solid business proposition behind why a manufacturer would decide to make the investment. Bringing the idea up to the executive suite that security is more of a business enabler that keeps the network and system up and running and productive and not just an insurance policy is important to generate awareness and send a strong message out to the company. After all, security is going to be an ongoing expenditure, not a onetime expense. Initially, there needs to be a risk analysis; what do you need to protect, what is the cost, what is the risk? Then there needs to be a way to quantify those numbers to assess the true benefit.
One of the advantages safety has that is not as prevalent in security is the concept of levels. With safety you have a very clear definition of a safety integrity level. A system must meet SIL 1 where there is safety, but at a basic level, through SIL 2, SIL 3 to SIL 4, which is the most dependable. While with security, there is the security assurance levels (SL) but it is not as prevalent and not commonly used throughout the industry. Manufacturers are not yet demanding a security protection that guarantees an SL 3.
Essentially, SL 1 would protect against a casual or coincidental attack and SL 4 would protect against an intentional attack using sophisticated means and extended resources. There are several values of SL within a solution. There is a targeted SL, which is where the user wants to be. Then there is an actual SL which is the user’s current status based on the existing implementation. There is a maximum attained, which is the maximum attainable SL with your current technology. The ideal situation is your targeted SL and your actual SL end up equal. SL levels are a part of the ISA99 security standard specification, which the international industrial control committee defined and accepted.
The problem is an SL is harder to determine than a SIL because of the ever changing threat scenario. SL remains relatively new, however, and there will need to be some time for industry to let it marinate as the initiative becomes part of imbedded culture.
Raising awareness
Security protection is still in its infancy. But that does not mean the industry gets a free pass to ignore or hold off on securing its systems. The list of attacks and potential exposure goes on. Companies need to improve data security strategies against a greater variety of more sophisticated IT attacks or face an ever spiralling scenario of data losses, according to one KPMG report.
The risk is there for everyone, but by following a guide of best practices, mandatory personnel training and starting the task of undergoing risk assessments, manufacturers big and small can ward off intruders to keep their systems up and running so they can remain a profitable enterprise. The basic need for security is to:
* Increase plant safety.
* Reduce downtime.
* Reduce environmental and financial risk.
* Meet regulatory compliance.
* Connect the plant to the enterprise.
In the end, a manufacturer’s main goal is to make product and not deal with anything that throws them off track. That is why they have to demand security in the products they buy. They have to make those demands to force vendors to certify the products in an accepted standard, but be willing to pay extra for a more secure solution. After all, if a vendor invests in security for their products and no one will pay for it, then it will be a slow roll out. In safety, it is clear manufacturers will invest in higher safety compliant systems that have a SIL certified rating.
Security, like safety was, is a culture change. Technology must include security and people have to embrace it. Security must start at vendors and work its way through the product lifecycle and it has to continue once it gets up and running at the manufacturer. It is a huge job and the industry is moving in a positive direction, but there is a long way to go.
As Mike Baldi, chief cyber security architect at Honeywell Process Solutions says, “Safety requires investing in resources to achieve it. Security is exactly the same. Security takes money and people to manage it, to implement it and to verify it is working. It is an accepted practice for safety. It is becoming an accepted practice for security.”
For more information contact Boni Magudulela, Honeywell Southern Africa, +27 (0)11 695 8000, [email protected], www.honeywell.com
© Technews Publishing (Pty) Ltd | All Rights Reserved