This page contains a Flash digital edition of a book.
DRIVES, CONTROLS & MOTORS FEATURE


CYBER-SECURITY: IT’S A JOURNEY, NOT A DESTINATION


Cyber-security has been a hot topic since the Stuxnet incident of a few years ago. Previously it was thought that securing the ‘top end’ of an organisation was an adequate solution but this incident and others like it completely changed the security landscape and highlighted vulnerabilities in the de-facto automation architecture that previously had not been considered. Chris Evans, marketing & operations group manager at Mitsubishi Electric Europe B.V. Automation Systems Division, explains...


T


he well documented Stuxnet security issue of a few years ago shifted the


problem to the automation domain, which had often operated under the radar and outside the remit of IT. Engineers suddenly started to reconsider their cyber-security arrangements. It was realised that many people may want to bring a plant to its knees, for political or commercial reasons, because they hold what they see as a legitimate grievance or simply to see what will happen. Scenarios were imagined where


drinking water became contaminated or supply interrupted, power plants shut down, or road, rail and air traffic management compromised. In the industrial world it was realised that control systems were potentially vulnerable, often due to out of date or poorly maintained operating systems and CD drives or USB ports that had not been locked down. It didn’t take a lot of imagination to work out that the more critical a control system, the more likely a target it would be to cyber-attack and the more damage that could be done. Cyber-security is an arms race of


escalating capabilities, so ‘defenders’ of vulnerable assets must see it as a journey rather than a destination, constantly reassessing the situation and implementing new defences whenever necessary. This is against the background of developing technologies and requirements that mean control systems are always becoming bigger, more complex, more distributed and increasingly open. Most larger control systems have many


points with potential for unauthorised access. Therefore layers of protection must be built into the system both at a network, hardware and software level. For instance, future PLCs (programmable


/AUTOMATION AUTOMATION | JUNE 2015 21


Above: Chris Evans, marketing & operations group manager, Mitsubishi Electric Europe B.V. Automation Systems Division


logic controllers) will include multiple embedded features such as hardware security keys and multi-layer password structures. Each PLC will be capable of hardware security key authentication to prevent programs from being opened or edited on unapproved personal computers that have not been ‘bound’ to the security key. Furthermore, programs will be written so that they cannot be executed by PLCs which do not have a registered security key. Thus the integrity of embedded technologies and intellectual property will be protected from compromise. Additionally, an IP filter can be used to register the IP addresses of devices approved to access each PLC. Thus unauthorised access, whether for operational reasons, hacking or implantation of malware, will become much more difficult. Whilst end users will want maximum


security; they will also continue to insist on simplicity of operation. Some of these automation security measures, all of which are optional, could be argued to


Right: Cyber-security is an arms race of escalating capabilities, so ‘defenders’ of vulnerable assets must see it as a journey rather than a destination


complicate operations and that is why a holistic view of security needs to be taken, considering all aspects of the operation. It may be that in some areas, some measures can be relaxed for the sake of continued operations and this is fine provided that the risk has been assessed and counter measures are implemented elsewhere to elevate the threat. As with everything related to cyber security, the consideration has to be probability and risk and security and operational systems should be designed around these important criteria. It’s probably an unchangeable aspect of the human condition that some people will always seek unauthorised access to control systems. Therefore control engineers must build security measures into their products and systems, and recognise that these are surmountable hurdles rather than impregnable barriers, so must be constantly renewed and redeveloped.


Mitsubishi Electric Europe gb3a.mitsubishielectric.com T: 01707 288780


Enter 211


Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16  |  Page 17  |  Page 18  |  Page 19  |  Page 20  |  Page 21  |  Page 22  |  Page 23  |  Page 24  |  Page 25  |  Page 26  |  Page 27  |  Page 28  |  Page 29  |  Page 30  |  Page 31  |  Page 32  |  Page 33  |  Page 34  |  Page 35  |  Page 36  |  Page 37  |  Page 38  |  Page 39  |  Page 40  |  Page 41  |  Page 42  |  Page 43  |  Page 44  |  Page 45  |  Page 46  |  Page 47  |  Page 48  |  Page 49  |  Page 50  |  Page 51  |  Page 52  |  Page 53  |  Page 54  |  Page 55  |  Page 56  |  Page 57  |  Page 58  |  Page 59  |  Page 60