Industrial Cyber Security Compliance & Enforcement
By Bill Lydon, Editor
Cyber security is now becoming a hot topic with users and vendors of industrial automation systems. The big question is, "Will companies make cyber security investments without legal enforcement?"
ISA’s Automation Week 2013 hosted an Executive Panel on cyber security challenges for industry in Nashville, TN on November 6, 2013. Brigadier General Rudolf Peksens, who is retired from the US Air Force, moderated the panel. General Peksens told the audience that the automation business is involved in cyber security conflicts whether we want to be or not. He framed the situation this way: industry now faces the “bits and bytes” of IT systems, which have been weaponized and are penetrating critical networks at will. The threat is significant, documented and growing.
U.S. Federal Government
Samara Moore, National Security Council, Director for Critical Infrastructure, discussed cyber security and reinforced the compelling cyber threats across the United States and the world. She noted that the threat is becoming broader and more diverse. As we continue to leverage technology for efficiency and productivity, we require more system connections that increase the exposure to cyber threats. In addition, the threats are becoming more sophisticated and increasingly more dangerous. Moore spoke about the U.S. Presidential Executive Order 13636 that was announced in President Obama’s 2013 State of the Union address and signed on February 12, 2013. The Order calls for the development of a national cyber security framework that includes “standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks,” and “help owners and operators of critical infrastructure identify, assess, and manage cyber risk.” The National Institute of Standards and Technology (NIST) and the U.S. Department of Commerce are charged with developing the framework and engaging the private sector in guideline development.
On October 28, 2013, NIST released a preliminary cyber security Framework. On October 29, 2013, NIST announced a 45-day public comment period on the preliminary Framework in the Federal Register. Comments were due by December 13, 2013. The goal is to motivate and drive industry to action resulting in system and network security and resiliency. The intent is to develop a technology neutral voluntary cyber security framework.
The Automation Federation, part of the International Society of Automation (ISA), has been deeply involved in the workshops and the ISA99 standard is cited in the preliminary cyber security Framework as a key standard. The ISASecure Embedded Device Security Assurance (EDSA) certification program is currently available. A few leading suppliers have certified their automation controllers to this standard, but many others have not.
Moore also discussed efforts that are exploring possible incentives for companies to implement cyber security, including federal procurement and grant incentives.
Thoughts & Observations
It appears to me that building cyber security compliance and culture has a strong similarity to the application of training, best practices, devices, systems, and procedures needed to meet plant/machine safety goals and requirements. Today, it is easy to forget that it took the force of law and the threat of fines to foster a culture of safety investments and industry practices. Remember that the United States government established the Occupational Safety and Health Administration (OSHA) under the Occupational Safety and Health Act, signed into law December 29, 1970. OSHA was empowered to levy fines for non-compliance and, over many years, safety has become ingrained in the industry. Ultimately, industry started to reap the returns from safety systems and understand the value, including increased productivity. Hopefully, industry professionals have matured enough to embrace cyber security measures and reap the benefits.
Brigadier General Rudolf Peksens voiced his concerns about the possibility of a cyber Pearl Harbor if industry does not act. I certainly share those concerns. After following cyber security issues for a long time, I believe the “big game” has not started yet. Adversaries are just learning, poking and gathering data. Winners of classic military battles generally get good reconnaissance and probe at their opponents’ defenses before launching major attacks. To carry the war analogy further, there are typically campaigns with many battles.
Users and vendors should not be overconfident about their cyber protection without kicking hard against their products and systems. I have not been seeing new industrial controllers, software, and networking protocols that are inherently designed for cyber protection and mitigation. The answers today are add-ons, firewalls, and services that have their place in the scheme of things.