Industrial Control Systems: high stakes for top management

Industrial Control Systems (ICS) and Supervisory Control & Data Acquisition (SCADA) now involve solutions that enable the development of a secure Industry 4.0. They require organizational adaptation and decisions taken at the top of the company.

Fear is not the best motivation

In 2001, I had just graduated when I carried out an audit of an automotive plant’s local area network. The plant had suffered several IT crashes, shutting down the machines for hours.

The audit revealed that the local network was completely “flat”; the office computers connected to the Internet used the same VLAN as the ICS. Office traffic alone disrupted machine control traffic.

This anecdote illustrates the history of the incremental development and poor control of connectivity in factories and industrial environments.

Led by local managers, who generally focus on automation rather than on IT per se, factories have long evolved and modernized without taking into account future risks and security issues – or only very partially. Increasingly connected robotic equipment, controlled by hard-to-update software and sometimes linked to cloud-based ERPs, puts industrial systems at risk.

What was a mere risk before is now a certainty. The hacking of companies, individuals and connected objects has become a global business.

The purpose of this post, however, is not to scare but to reassure. Industry has embarked on a major modernization process (Industry 4.0) to optimize manufacturing cycles and processes. This adaptation is essential for manufacturers. It would therefore be unwise to make hasty decisions on the total partitioning of machinery, the multiplication of complex processes and unmanageable factory regulations.

The partners and stakeholders are here

Ok, you can now relax. Players in the security market are getting organized and taking these issues head-on, especially since the 2010 attacks (Stuxnet):

  • Consulting services are expanding and becoming increasingly specialized: training, assessments, mapping of systems and connections in the industrial environment, even Ethical Hacking to demonstrate the risks “in real life.” These offerings already show manufacturers what is happening, who is connected to what, and the related vulnerabilities and risks. Having this information is already a big step forward.
  • IT security providers offer solutions to secure various parts of the ICS: network partitioning and filtering, protection of PLCs (Programmable Logic Controllers, i.e. automatons) against intrusions, event supervision. They come with their IT expertise and adapt to the specific lines of work and challenges of the industrial environment, as well as to proprietary protocols.
  • Finally, service providers and integrators are beginning to offer end-to-end services by managing security solutions (event management, filtering) and providing the necessary security intelligence to understand threats and suggest preemptive solutions.

Solutions to secure Industry 3.0 and create Industry 4.0 already exist and will limit risks to a level that is acceptable to all.

Up, up, up!

However, solutions alone cannot do everything. Organizational evolution is also necessary. First, the convergence of the Operational Technology and IT teams is inevitable. They share common challenges and depend on each other’s professional skills. Second, the attention given to security issues will climb the organizational rungs.

The days will soon be over when the security manager had a hard time getting the attention of a deputy CIO, because the latter’s main priority was to connect technicians, forklift operators, operators and machines.

Security issues will be taken into account at the level of the company’s Executive Committee, so that modernization isn’t carried out at the expense of security. Some companies are already doing this, by appointing to the Executive Committee a global Information Security Officer overseeing both IT and OT.

The usual trade-offs will certainly have to shift as well. Security may have to take precedence, at first, over cost and implementation time. Only top management can make a defining investment decision such as this.

Industry 4.0, a fantastic business opportunity

There is no doubt that Industry 4.0 makes our companies and our work more agile – as long as we follow some rules. The benefits can be achieved securely, subject to the following conditions:

  • Decisions on security issues are made at the highest level in the company
  • Security is designed in on all projects
  • Management challenges the usual cost/time/security trade-offs

Read more: Orchestrating the security of the connected factory (in French)

Aymerick Dumas

I spent more than 10 years consulting for French and international companies. The objective was always the same: analyze, understand and summarize their needs. I am now in charge of defining and implementing our global strategy within the Orange Cyberdefense marketing team to help customers secure their industrial environments and their IoT projects.