The Headache That Is Embedded Security

If you’re a manufacturing professional, as I am, the subject of security – embedded security for manufacturing applications, to be exact – is complicated and ever-changing. Few of us have the background to understand the algorithms, the practices that are used in the IT world, and the massive number of concepts and terms that get thrown around.

There is a lot to this technology area, and in this blog (and others to follow) I am going to highlight the basic concepts and define some of the terms you need to know to have a modicum of understanding of embedded security.

Let’s start with the threats. Immediately, most of us will think of malicious hackers attacking your control system for fun, or maybe profit. Actually, the biggest threat is your current and former employees. We’ve all been surprised, in our personal and professional lives, by the pettiness, vindictiveness and irrationality of people we thought we knew well. When you think about security, if you can secure your system against internal threats, you will probably do a good job against external threats as well.

What are the risks? Depending on your process and the potential danger to your company and, often, the public, the risks range from something as modest as the shutdown of a minor control system all the way to great public harm, as in the case of a utility. You can lose process data, recipes, logic or anything else whose loss would harm your business in various ways. Or you might be exposed to some sort of extortion. In most businesses the risks are too large to ignore.

Is there technology that can rescue you? Well, yes and no. OPC UA has certificate-based security with real teeth. EtherNet/IP and ProfiNet IO are developing certificate-based security. However, managing certificate-based security is complicated, even though it is essential for every embedded technology that relies on certificates. Today, there just isn’t a good solution for managing certificates in a manufacturing environment. There are too many legacy devices, too many devices with all sorts of oddball operating systems, and no standards that would allow the certificate problem to be solved.

Another question you should consider is: Is your company actively engaged in risk prevention? If you’re like the executives in the recent study, “The Global State of Information Security Survey 2015,” it’s not a priority for your management team. Only 21% of executives in that survey indicated that improving security was a priority. Check out some additional alarming cybercrime statistics from our friends at BroadbandSearch.

And for that 21%, finding people with a security background who can bridge the gap between the manufacturing floor and IT is nearly impossible. There just aren’t a lot of folks with those skills around.

And unfortunately, when you do have a good team with that specialized knowledge, they spend a lot of time trying to reconcile the conflicting standards of IT and manufacturing. The fact that the standards, technologies, and products in this area are constantly evolving complicates it even more. Then there are things like legacy systems, organizational practices and company standards that can get in the way. Is the best practice for the St. Louis plant the right approach for Greensboro and San Jose?

You can get a severe migraine just trying to list the issues you have to confront. I can’t help you with a lot of the organizational stuff, but over the next several months I’ll be regularly publishing information that you’ll need to begin to tackle these issues. Watch for more RTA blog posts, articles in the RTA “Best Darn Newsletter” and the RTA Page on LinkedIn.