During the pandemic, many companies necessarily overcame hesitation to granting external access to control systems, despite cybersecurity concerns. Has what we learned about cybersecurity lowered the risk for remote industrial control system access, monitoring, and control, or just made it more prevalent and increased attack opportunities for cybercriminals? How much cybersecurity is enough? Do I only have to be better than most to show due diligence?
Several presenters at the February ARC Forum from ARC Advisory Group, offered remote access cybersecurity advice.
Digital transformation: Diverse buy-in
Mary DeAlba, global industrial network solutions design manager, SKF Group, said the SKF digital transformation journey began in 2017 with more than 40 participants defining operational technology and information technology (IT) requirements of a digitalized SKF smart factory standard.
Operational technology (OT) needs included industrial network hardware that could survive the manufacturing environment, support machine protocols, protects end-of-life operating systems and allow remote access mindful of the need for audit reporting and safety consideration.
IT needs included remote access with two-factor authentication, secure, encrypted with certificates, along with malware detection, resiliency and auditing, among other needs.
Lessons learned, DeAlba said, is that if IT isn’t flexible about OT requirements, OT will do its own thing. Not all OT experts want to be network experts. Demarcation of industrial IT architecture and enterprise IT architecture must be clearly defined. Clearly define support overlap; suppliers should agree. A manufacturing IT organization may be needed to bridge the gap and accommodate digitalization demands.
Don’t lose the remote work pandemic gains
Herbert (Bert) Vander Elst, senior director IT and head of technology, manufacturing and supply chain, GSK Vaccines, suggested focusing on business continuity as we recover from the pandemic. Vander Elst warned not to disrupt what’s working well when working remotely, such as the large expansion in remote monitoring. GSK Vaccines accelerated a year in remote capabilities in just a few weeks, with careful attention to cybersecurity risk, business processes, digital signatures and advanced compliance needs in a paperless environment.
John Korsedal, principal digital product manager, GE Digital, touted remote operations security, safety and compliance through use of cybersecurity standards such as NERC-CIP (electronic security perimeter), ISA 99/IEC 62443 (establishing segmentation and controlling the traffic flows between zones) among others.
Helpful cybersecurity features for remote-access control systems, Korsedal said, zero-trust security backbone, multi-factor authentication (MFA), control room managed access, permitting, communications and safety features, user monitoring and recording. Other useful features include ability to kick anyone out from the administration system, requesting control and returning control, a time-out feature and pop-ups to confirm changes.
Think again about IT and OT teams working together to reduce cybersecurity risk in remote-access pandemic-enabled control systems.
Mark T. Hoske is content manager, Control Engineering, CFE Media, email@example.com.
Industrial Cybersecurity Pulse