Cybersecurity should be a top-of-mind issue with automation professionals and people throughout their companies. Information technology systems are not the sole targets of cyberattack. Operational technology systems, including supervisory control and data acquisition systems, programmable logic controllers (PLCs), robotics, factory automation, distributed control systems (DCSs), and other manufacturing systems are also at risk for cybersecurity attacks.
The consequences of cyberattacks on automation systems can be far more serious than financial loss, including physical damage. Certainly, the source of threats can be part of the discussion, but more importantly, cybersecurity is an inside job. The only thing companies can control is developing, fortifying, and continually improving cybersecurity protection and programs inside the organization. This can include contracted outside resources as part of an overall cybersecurity protection development strategy, but at the end of the day, the primary responsibility rests on the shoulders of the manufacturing organization. Cybersecurity includes a range of hardware and software and the development of a cybersecurity-conscious culture inside the company.
There are similarities and important differences between plant safety and cybersecurity. Plant safety needs to be redefined as equipment and manufacturing processes are added and modified. Cybersecurity, however, requires an ongoing effort, since cybersecurity threats change at a much higher rate than production systems and equipment. Some of the same planning process safety principles apply, and both require an ongoing process of continual review, awareness, and updates.
Cybersecurity needs to start at the top and be embraced by everyone. A successful culture is developed by personnel seeing meaningful action to protect systems and information. Without building the culture, it is easy for people to take shortcuts around cybersecurity methods and procedures for expediency to solve production issues. Achieving a cybersecurity culture where everyone understands the value of the program is the goal.
Because cybersecurity threats can directly affect the manufacturing company's operations, the people on staff need to understand the technologies and processes for protection. This is the case even if the majority of cybersecurity protection is going to be outsourced. This really is not any different from doing an automation project using an in-house project manager and outside contracted resources. In either case, personnel need to become knowledgeable.
An excellent source for training is ISA, which offers a set of industrial cybersecurity certificate programs and aligned training courses in the market covering the complete life cycle of industrial automation and control system (IACS) assessment, design, implementation, operations, and maintenance. Each certificate program and training course is based on ISA/IEC 62443, the world's only consensus-based series of IACS standards and a key component of the U.S. government's cybersecurity plan.
Organizations that invest in a cybersecurity culture that proactively identifies vulnerabilities and protects the plant's critical infrastructure, operational performance, and profitability are unlikely to be a cybersecurity disaster news headline.
ISA offers standards-based industrial cybersecurity training, certificate programs, conformity assessment programs, and technical resources. Please visit the following ISA links for more information:
- ISA Global Cybersecurity Alliance
- Cybersecurity Resources Portal
- Cybersecurity Training
- IEC 62443 Conformance Certification
- ISA Suite of Security Standards
- ISA Family of Standards
- ISA/IEC 62443 Cybersecurity Certificate Programs
- Industrial Cybersecurity Technical Resources brochure
About the Author
Bill Lydon is an automation industry expert, author, journalist and formerly served as chief editor of InTech magazine. Lydon has been active in manufacturing automation for more than 25 years. He started his career as a designer of computer-based machine tool controls; in other positions, he applied programmable logic controllers and process control technology. In addition to experience at various large companies, he co-founded and was president of a venture-capital-funded industrial automation software company. Lydon believes the success factors in manufacturing are changing, making it imperative to apply automation as a strategic tool to compete.
A version of this article also was published at InTech magazine.