In order to move security beyond just network protection, Rockwell Automation has outlined a plan to evaluate security from equipment, to vendors, and on up to the cloud.
Industrial organizations are operating in ways they scarcely could have imagined a few decades ago. They are converging historically separate information technology (IT) and operations technology (OT) systems, and using mobile, analytics and cloud connectivity to increase collaboration and information sharing. This significantly improves operations, but it also creates substantially more entry points for security threats. The challenge of security is compounded by the growing sophistication of the hacking community.
Rockwell Automation began its own security assessment last year and turned the results of its analysis into a plan for securing facilities from individual equipment up to cloud connectivity. In creating a security plan, Rockwell developed a three-step approach for building an industrial security program that extends from the enterprise to the plant level and helps mitigate risk across people, processes and technology. The three steps are:
- Conduct a security assessment — Conduct a facility-wide assessment to understand risk areas and potential threats. Facility managers need to assess the potential risks from a security breach and develop plans accordingly. What do you have and what do you need to secure? Once the assets are identified and classified by risk, then the security solutions can be developed to specifically address each asset and its risk.
- Defense-in-depth security — Deploy a multilayered security approach that establishes multiple tiers of defense. You have to look at everything: networks, equipment, laptops, building security. Include disaster recovery.
- Use only trusted vendors — Verify that your automation vendors follow core security principles when designing their products. Start asking vendors more questions about security. Measure vendors on more than just their ability to deliver throughput, quality, and up-time. Ask if they have a product security officer, what they do when there is a security flaw, and how they alert people.
>> Read more by Rob Spiegel, Design News, February 16, 2017