Automation World January 2021


The 10 Commandments of Cybersecurity

By David Miller

Senior Technical Writer, Automation World

Industry 4.0 and the Industrial Internet of Things (IIoT) have opened up vast horizons of new production efficiencies for manufacturers of all stripes through data acquisition and analysis. However, the adoption of these technologies can be a double-edged sword if not implemented properly. As software and devices all the way down to the sensor level are increasingly transformed into potential network gateways, previously unseen cybersecurity vulnerabilities may arrive in tow.

More and more companies are connecting previously isolated industrial control systems (ICS) to the enterprise level to enable everything from higher-level data analytics and remote access to digital twin simulations. With COVID-19 expanding the need for remote connection, this trend is expected to accelerate.

These increasing connections are part of the reason the past decade has seen an explosion of cybersecurity concerns, with the world witnessing threats to every imaginable sector of industry, from oil and gas and general manufacturing to critical electrical infrastructure. The attackers behind these incursions range from organized criminals attempting to steal intellectual property or personal information for the purpose of extortion, to hacktivists who aim to knock out critical assets and cause chaos to garner public attention, to disgruntled current and former employees, and even to state-backed foreign actors engaged in espionage activities for political purposes. And while attacks on critical infrastructure such as the electric grid or wastewater treatment facilities are more common, the threat to manufacturers is real as well.

Even though industry leaders such as Kellogg’s are investing more resources into securing their network and assets and sharing their insights, much uncertainty still remains. According to a 2019 Deloitte poll of more than 4,200 professionals, when asked how confident they were that their organization’s connected products, devices, or other “things” were secure, only 18% said that they felt very confident, while 51% said that they were somewhat confident, 23% said that they were uncertain, and 8% said they were not confident at all.

For those organizations that fall into the latter categories, Ilan Shaya, CEO of ICS Security, a company that develops security measures for industrial control systems, recently shared his “10 commandments” of cybersecurity during Inductive Automation’s Ignition Community Conference.

Commandment 1: Shaya recommended, first and foremost, that operators should identify all connections to their supervisory control and data acquisition (SCADA) network and run a thorough risk analysis of each. This includes internal local networks and wide-area networks such as business networks, connections to the internet, wireless network devices, satellite uplinks, and even modem and dial-up connections where they are still in use.

Commandment 2: In addition to ascertaining the level of risk each connection presents and taking steps to protect it, Shaya advised that operators ask themselves whether each connection is really necessary, so that potential vulnerabilities are minimized wherever possible. Because every connection also creates an accompanying security risk, SCADA networks should be isolated from the enterprise level as much as possible. In cases where there is a genu-

Ilan Shaya’s “10 commandments” of cybersecurity come at a time when increasing remote access, sensor proliferation, and plant-to-enterprise networking are creating unprecedented concerns over the safety of companies’ assets.
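
One way to begin the inventory that commandments 1 and 2 call for, as an added example that is not from the article or from ICS Security: the script below reads flow records, keeps every connection that crosses the SCADA boundary, groups it by the zone on the other side, and lists it for a necessity review. The subnets, zone names, and flow records are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed address plan, constructed for this example (not from the article).
SCADA_NET = ipaddress.ip_network("10.20.0.0/24")
ZONES = {
    "business LAN/WAN": ipaddress.ip_network("10.1.0.0/16"),
    "wireless": ipaddress.ip_network("10.30.0.0/24"),
    "dial-up/modem pool": ipaddress.ip_network("10.40.0.0/28"),
}

# Constructed flow records: (source, destination, destination port).
FLOWS = [
    ("10.20.0.11", "10.20.0.5", 502),    # PLC to HMI, stays inside SCADA
    ("10.1.4.22", "10.20.0.5", 3389),    # business workstation to HMI
    ("10.20.0.5", "203.0.113.9", 443),   # HMI out to an unlisted address
    ("10.30.0.17", "10.20.0.11", 502),   # wireless device to PLC
    ("10.40.0.3", "10.20.0.11", 23),     # modem pool to PLC
    ("10.1.4.22", "10.20.0.5", 3389),    # repeat of an earlier flow
    ("10.1.9.9", "10.1.4.22", 445),      # never touches SCADA
]

def zone_of(addr):
    """Label an address with its zone; unlisted addresses are treated as external."""
    ip = ipaddress.ip_address(addr)
    if ip in SCADA_NET:
        return "SCADA"
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unlisted/internet"

def inventory(flows):
    """Return {zone: sorted unique (peer, scada_host, port, direction)}."""
    found = defaultdict(set)
    for src, dst, port in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if (src_zone == "SCADA") == (dst_zone == "SCADA"):
            continue  # entirely inside or entirely outside the SCADA network
        if dst_zone == "SCADA":
            found[src_zone].add((src, dst, port, "inbound"))
        else:
            found[dst_zone].add((dst, src, port, "outbound"))
    return {zone: sorted(conns) for zone, conns in found.items()}

if __name__ == "__main__":
    for zone, conns in sorted(inventory(FLOWS).items()):
        for peer, host, port, direction in conns:
            print(f"{zone:20} {direction:8} {peer} <-> {host} port {port}: necessary?")
```

Each line of output is one boundary-crossing connection to risk-assess and then either justify or remove.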
