When it comes to cybersecurity, manufacturers often make decisions based on fear, uncertainty and doubt. After all, who knows when the next Stuxnet will hit? The problem with that operating philosophy is that it is unstructured and detached from the corporate business model. During a cybersecurity panel discussion at Rockwell Automation’s Automation Fair this week in Chicago, the message was clear: Fear is not a motivator and hope is not a strategy.
Nevertheless, cyber threats are everywhere and companies want to secure the manufacturing infrastructure and systems, but they don’t always know where to start or how to manage it for the long term.
That’s a big problem considering industrial control systems (ICS) are connecting to more smart assets, enterprise systems, as well as the Internet, meaning the plant could be opening the virtual door to the bad guys.
Manufacturers wondering how to handle this in their own facilities can rip a page from the Shell security playbook. The oil and gas company views cybersecurity as a business case designed to resonate with company executives, partners, technology providers and customers. They’ve moved away from the message “the hackers are coming,” and instead have positioned cybersecurity as a business opportunity in the company’s digital journey.
To that end, “it has to operate like a business,” said Tyler Williams, global technology leader for industrial cybersecurity at Shell Global Solutions, who was part of the cybersecurity panel. It also requires unifying the language between information technology (IT) and operation technology (OT), he said, and creating a common framework that aligns the concepts of security and safety.
“You can no longer delineate the concepts of cybersecurity and safety,” Williams said, “you need to treat them as one in the same. Doing that is nontrivial, but we are in the energy delivery business, and, it’s an exciting business to be in, but it’s also a dangerous business. To be credible and a leader in the space, we have to make sure people get home safe everyday.”
That means, too, that technology partners must support Shell’s efforts by harmonizing the language of cybersecurity and safety.
Frank Kulaszewicz, Rockwell’s senior vice president of architecture & software, agreed that partners must be on the same page when it comes to cybersecurity by addressing the entire infrastructure from the physical hardware to the software. Things like authentication and policy management, tamper detection, intellectual property protection, and resiliency and robustness are also factors.
“We think about this as a layered security model,” Kulaszewicz said.
“We think about the connection between the network security, the physical security and safety in industrial areas. No one quite makes that connection yet, but hopefully with this team of partners, we’ll be the first to do that.”
The team of partners Kulaszewicz was referring to were the other panelists, including Jeff Jones, principal cybersecurity strategist at Microsoft, Shiraz Hasan, AT&T’s area vice president for the Industrial Internet of Things, and Maciej Kranz, vice president of Cisco’s corporate strategic innovation group.
“It’s important to know that security is not an overlay,” Kranz said. “It needs to be embedded in all systems at the architectural level. We embed security then develop joint solutions around firewall capability, intrusion protection and intelligent policy-based access control.”
The conversation on the Automation Fair stage quickly evolved to the Industrial Internet of Things (IIoT) and the cloud, and the ever-changing architectural landscape. The question was asked: You have all of this new technology rushing at you and being adopted so quickly, so how do you deal with that?
AT&T’s Hasan said the company has been on the IIoT journey for long time, and security is the first conversation that always comes up with customers. From a cell network perspective, the company has created secure technology by working with Rockwell and Cisco. “It takes an ecosystem to get there, but we’ve figured it out. In order for enterprise customers, like Shell, to trust us, we had to start by proving the security in the network.” That set up includes private IP addresses to endpoint devices, VPN technology, built-in protocols that only allow certain information to come in from an end point, and more.
All of that is essential, but for Shell’s Williams, it would be better if the technology ecosystem could manage security as a service so that manufacturers can focus on their core competencies. “The architecture is not helping me,” he said. “If you tell us security is built-in to this new business opportunity, we say, fantastic, install it and take care of it on our behalf. Let us get back to making oil and gas.”