Cybersecurity in industrial applications

HMS Industrial Networks

By Tom Hu, Technical Services Manager, Global M2M
Friday, 28 May, 2021


Cybersecurity is a critical issue, not only for IT infrastructure but also for operational technology (OT). Traditionally, OT was an ‘air-gapped’ environment, meaning that it was not connected to external networks or other IT infrastructure. With the growth of the IIoT or Industry 4.0, the gap has been closed, and OT networks are widely connected to IT systems and the cloud.

IT incidents often cause loss of data, information or value, and the amounts involved and the consequences for victims keep increasing, but these losses are recoverable. A security breach in an industrial or infrastructure system can lead to much more than financial loss, because physical consequences come into play. The demand for better security in industrial applications is surging and cybersecurity needs your attention. I want to share some key facts I have learned, and I hope they will help you develop your own roadmap for cybersecurity in industrial communication networks.

A system is highly protected from external threats if there is absolutely no connection to the internet. However, security needs to be considered on different levels to prevent human errors. For example, an external contractor may connect their laptop to your machine network, which could expose your machines to risks and threats; an employee may make unintentional configuration changes; or incorrect firmware may be downloaded to a machine.

The responsibility for the security of an installation falls on everyone as there are many security aspects to consider, especially when accommodating co-existence with older products or installations using older networks. To make the implementation easier and more efficient, I would recommend the use of communication solutions that include built-in security features that meet the installation’s security requirements. If you are a system integrator, you have no control over the specific security policies within your customer’s installation environment. Therefore, strengthening a device to handle any situation helps to provide more reliable security performance regardless of the installation conditions.

The best way to achieve security is to commit to international standards. The standardisation aspect of cybersecurity is a bit more advanced, with some established standards like ISO 27001 and IEC 62443. ISO 27001 is a mature standard focusing on protecting the IT management systems, and it is driven and accepted by IT people. It is proven in use with highly available technology like TLS encryption, VPN connectivity, X.509 certificates and so on. In industrial applications, this standard is mainly relevant for those systems connected to IT environments, such as remote access, IIoT and cloud-based communications.

IEC 62443 is an emerging standard for industrial control applications, focusing on the robustness and security of industrial communication. The emphasis is on the total application, according to the defence-in-depth philosophy. Being in accordance with IEC 62443 also means confidential information on the device is protected from any possible extraction. Additionally, the device should have sufficient resources to withstand attacks, as well as the additional processing capacity required by the security mechanism. All possible but unused interfaces must be closed, such as ports, JTAG interfaces and so on.

In summary, by closing the gap between IT and OT, OT is increasingly becoming part of a system chain that can be hacked. Industrial environments will have to be fully secured for this. This security includes all people, processes, systems and components involved.

Tom Hu is the Technical Services Manager at Global M2M, helping clients all over the manufacturing, irrigation, water treatment, waste management and building management industries. He has diverse experience in secured remote access and IIoT solutions involving AWS, Azure, ThingWorx, OSIsoft, MindSphere, Ignition, VPN, MQTT and HTTPS.
