Security Challenges of Industrial Automation Control Systems
Cybersecurity, system security, and information security are challenges faced by all industries and sectors. For the manufacturing sector, these challenges are particularly acute, especially in relation to industrial automation control systems.
The threats to industrial automation control systems are varied:
- Targeted external attack to deliberately hinder production
- Targeted external attack to impact the state or quality of the product produced
- Indiscriminate external attack
- Ransomware attacks (extortion)
- Actions by disgruntled employees
As with information systems in other corporate environments, attackers can exploit technical vulnerabilities in systems. That said, most cybersecurity, system security, and information security attacks happen because of access to systems. This can be authorised and unauthorised access.
In the case of the latter, attackers usually gain unauthorised access to a system by exploiting an organisation’s non-technical security vulnerabilities. Tricking employees through social engineering techniques is one example.
Other Security Challenges
Industrial automation control systems also face other security challenges. This includes:
- Updating security – examples of this include applying security patches, updating software, and more. In general, updating the security infrastructure of an industrial automation control system is often crucial, but this must be done in a way that does not make the control system unstable.
- Updating system functionality – when not properly implemented, updating systems to add new functionality can introduce new security vulnerabilities, particularly when integrating with legacy devices and platforms.
Unique Security Challenges
Following on from the above, many of the challenges facing industrial automation control systems are unique. This includes the fact that the automation of industrial control systems means integrating systems and platforms developed by different vendors. These systems and platforms can be both proprietary and non-proprietary, with the latter presenting particular security challenges. An example is a device running on the Windows operating system.
Also, there is often a myriad of different devices involved, each one of which presents unique security challenges. This includes wireless transmitters, PLCs, remote terminal units, sensors, and more.
In addition, many of the above systems, platforms, and devices currently in use were developed five, 10, or more years ago. The internet, cloud technologies, and communication infrastructures were not as advanced back then. Therefore, the issue of cybersecurity as we know it today wasn’t as high on the priority list for vendors making these products.
You then need to add into the mix that many of the components and systems above have a long-life so could be in operation on production lines for some time to come.
Also, there is an increasing trend in the manufacturing environment to more closing integrate production networks with corporate networks like supply chain management, sales, business oversight etc.
This means the “airlock” between networks that existed in the past, and which offered a level of production line security, is now being eliminated.
Dealing with These Security Challenges
The first step in dealing with the security challenges of industrial automation control systems is to work with a solutions provider who understands the challenges and who prioritises security.
In practical terms, it is essential manufacturing operations take a holistic and multi-faceted approach to dealing with security challenges. This includes:
- Administrative controls – policies and procedures on cybersecurity, information security, and system security to cover everything from password integrity to major incident procedures to physically securing connected mobile devices.
- Staff training – this needs to be on technical policies and procedures as well as how to use the security systems in place. It is also important, however, that staff are aware of the interpersonal and social engineering risks that companies face, as well as how each individual in the company can decrease these risks.
- Physical controls – access controls, cabinet locks, etc.
- Technical controls – firewalls, intrusion prevention systems, anti-virus and anti-malware software, intrusion detection systems, backup procedures, disaster recovery solutions, etc.
- Upgrading legacy devices and systems – having a plan to upgrade and replace non-secure legacy systems, platforms, components, and devices will also make the industrial automation control system more secure.
Dealing with cybersecurity, data security, and systems security is the new reality of modern manufacturing environments. This is unlikely to change in the short-to-medium term in any significant way, and the threats we all face are more likely to increase rather than decrease.
Being aware of the risks, understanding that everyone is vulnerable, and being proactive in mitigating those risks, is the best solution.