The importance of the human factor in spreading company culture that puts safety at the centre of business process. This is the key message coming out of the first edition of the ICS Forum, the convention dedicated to IT security in the industrial sector. During the event, the technology able to fight such threats was also discussed.
di Laura Alberelli
Cyber security is a hot topic, and rightly so. A country’s industrial fabric must be controlled and defended. Should a cyber-attack cause damage, the consequences on productivity can cause shock waves throughout the system of a nation. Is adopting an IT and production system protection strategy enough? Are we sure that the biggest threat is coming from outside the company rather than from within? In Italy, how well up are people on this subject? What strategies are being employed and are they up to the job? To take the pulse of the situation and to give a helping hand to business people, technicians and managers in finding a way through this maze, Messe Frankfurt Italy recently organized – in collaboration with con Innovation Post – the first edition of the ICS (Industrial CyberSecurity) Forum in Milan. The event was supported by a number of associations such as AgID (Italian digital agency), A.I.PRO.S (Italian association of security professionals) ANIE Automation, ANIMA, ANIPLA, Clusit (Italian IT security association). The popularity of the convention (with over 500 visitors) was proof that a clear approach in the matter is no longer an option but a must.
Cyber security systems must be teamed with monitoring operations to be effective
ICS Forum hosted two round table events and four workshops. Franco Canna (Innovation Post director) and Jole Saggese (chief editor of Class CNBC) were the men in charge. “Speaking about manufacturing companies, the greatest IoT and Industry 4.0 threat comes from the imbalance between the immediate advantages brought by technology and the cyber security set in place in order to guarantee such digital processes, which can often be extremely fragile and open to attack. To reinforce defensive barriers, it is necessary to combine strict and continuous control with professional management of all on line events. At the same time, all in company devices and machinery must be monitored. This is the only way in which alarm signals can be detected before they become serious dangers, allowing a company to time defence and recovery in the most appropriate way possible. To achieve the results required, however, companies must invest in high performance solutions, relying on sure and tested technology. Security must never be seen as a cost, but an investment, which, over the medium/long term, can ensure the sustainability of Industry 4.0. Without relevant security the IoT revolution can be one of the biggest risks society has ever faced” These are the words of Andrea Zapparoli Manzoni, cyber security expert as well as Clusit directive committee member.
Increasing convergence between IT and OT
During the event, the increasingly tight convergence across the worlds of Information Technology (IT) and Operation Technology (OT) was discussed. According to Antonio Madoglio from Fortinet (high performance cybersecurity solutions) “Transferring experience from IT to OT is not so difficult. While not forgetting the relevant differences that must be kept in mind. For example, protocols used by the IT world are different from that of OT. The environment is another difference between the two contexts. Certain devices are responsible for mechanical or electromagnetic stress typical of the OT sphere, but do not exist in the IT sector. Those working across the sectors know that points of convergence as well as divergence will always exist, and must also be safeguarded”.
“Where technological measures have been adopted able to block any attack within an IT or OT infrastructure, said Dario Amoruso of KPMG (the group specialized in Information Risk Management) – hackers will have greater difficulty reaching the technological barrier separating the field devices (thus the OT network) and the IT network. It is more difficult to defend against human attacks (for example, “phishing”). In this case, the hacker attacks the victim (the physical being) whose reaction will trigger the attack on the real target. Social engineering attacks are among the most numerous and dangerous. Trying to defend against the human factor, our company (as do others dealing with risk management) has created awareness courses which guarantee a certain level of knowledge. As “phishing” techniques are becoming increasingly sophisticated, training must equally be smarter and more focused”. Many companies who have adopted IT security protocols were present at the Forum. Here are their reactions to the event.
The word straight from companies protecting themselves now
In terms of Cyber Security, Siemens supports their clients through the Defense in Depth strategy – a multi-layer concept for industrial users. Roberto Zuffrada presented the system – which guarantees plant, network and system integrity protection – according to ISA 99 and IEC 62443 legislation (the most important security standards in industrial automation). Defense in Depth shows the importance of segmentation of networks, creating protective cells using products dedicated to network security (firewall and industrial router). Equally fundamental are traceability and access control both in terms of building/factory as well as systems, networks and machinery.
To respond to company needs in terms of information infrastructure and security, Rockwell Automation provides its Connected Services package, including numerous services such as existing infrastructure evaluation, design, implementation and remote support and monitoring of integrated network systems. The Connected Services offer – illustrated by Roberto Motta – begins in the creation of safe industrial IT network infrastructure. Netwotk cybersecurity services from Rockwell Automation include needs analysis, threat detection and management, design, technical support, IT/OT training, remote monitoring, pre-engineered network solutions and network management and monitoring, basically, an all in package. Such services accelerate integration of new framework and systems, significantly improving security and reducing machinery down time. The “open” platform in terms of cyber security is proposed by Schneider Electric. EcoStruxure – as illustrated by Alessandro Galmuzzi – is an open architecture platform, based on standard and Industrial Internet of Things compatible. All its specific solutions, components and software are conceived within the cybersecurity vision, complying with the toughest legislation existing. Furthermore, Schneider Electric defence systems are flexible and adaptable to the characteristics of all existing infrastructure and plant meaning it can be applied under current reference standards of a company’s own OT and IT systems but also that of other brands across varying generations of technology. ABB – in the figure of Massimo Scanu – underlines the importance of testing a security patch before sharing it with end-users. Only through fast and constant update can a company protect itself from threat. In this respect, ABB (thanks to its partnership with Microsoft®) receives a patch in advance, allowing its full testing to be carried out on its own systems. Once certified, the patch will be uploaded onto the company website where clients can download it in full confidence. According to Servi Tecno – Enzo Maria Tieghi, CEO of ServiTecno as well as Steering Committee president at ICS Forum – over the coming years, Operational Technology will need to be up to a double challenge: finally bringing security to the “Plant Floor” achieving this in a moment where Industry 4.0 is eliminating barriers and limitations through connectivity.
The concept of Security-by-Design is the only one applicable in a process driven environment, where plant complexity has grown in some cases over a period of 20 or 30 years. This has created a generation of machinery focused on final results rather than performance or interaction across systems. Now, it is necessary to “sew” security directly onto plant and control and supervision systems”. Raising communication security levels in control instrumentation and the technological infrastructure connected to this is a key goal for ESA Automation too, with whom we will close this panorama of providers. To protect the vast quantity of company data in the cloud, ESA Automation has developed its remote maintenance system Everyware. Guaranteeing maximum security thanks to the implementation of solutions like double authentication, the multi-national auditors, KPMG, positively rated the system for reliability and risk mitigation.