Protect and control
17 Jul 2013
Process control system safety must start focusing on the relationship between IT and manufacturing, claim industry experts
There is growing awareness across the process industries that it is impossible to achieve total IT security. Even systems equipped with state-of-the-art security measures can still be vulnerable through connections to the networks of suppliers, contractors or partners.
But the potential impact of an attack on industrial automation and control systems (IACS) can be more serious than for corporate or enterprise wide IT systems in general, according to Paul Gogarty of ABB.
The IT world has developed powerful tools and techniques to help prevent, identify, and mitigate the effects of intrusions
The most significant difference is the high availability requirement for monitoring and control functionalities. “With general IT the highest priority is to protect confidentiality of information foremost, followed by integrity and then availability of information to authorised users,” said Gogarty. “With IACS, availability comes first, then integrity and finally confidentiality.”
End users - sometimes forced by their enterprise IT - require certain solutions from system integrators and vendors that may adversely affect the availability of the control systems.
“The IT world has developed powerful tools and techniques to help prevent, identify, and mitigate the effects of intrusions,” Gogarty explained. “However, requirements specific to process systems often make employing these tools and techniques in industrial environments problematic.”
Andrew Wadsworth, head of process control security at Amor Group, urges companies not rely on the perimeter defences between ICS and the corporate network. “That sentence should be in big, bold, red, underlined text,” he said.
“The perimeter can be breached leaving IACS exposed…There are frequently unrecognised connections between IACS and the corporate network and internet.”
Looking at the need to build bridges around the cultural differences that exist between IACS engineers and IT professionals, Gogarty believes it crucial for both groups to speak the same language.
This includes learning that IACS, while vulnerable in some areas, can’t employ all security control measures that a typical corporate network would employ.
