Security
Toronto has been selected as the location for one of four global Cisco Internet of Everything (IoE) Innovation Centres, representing a planned investment of up to $100 million over 10 years.
The connected enterprise and industrial control system security were two of the major themes at Rockwell Automation’s annual Automation Perspectives media event on November 12, which preceded the company’s Automation Fair conference and tradeshow. More than 100 media from 25 countries gathered in Houston for the event, and Manufacturing AUTOMATION was there. Get the highlights here. 
The connected enterprise and industrial control system security were two of the major themes at Rockwell Automation’s annual Automation Perspectives media event on Tuesday, which precedes the company’s Automation Fair conference and tradeshow. More than 100 media from 25 countries gathered in Houston for the event, and Manufacturing AUTOMATION was there.
Those responsible for manufacturing plants and process facilities are increasingly turning to members of the Control System Integrators Association (CSIA) for help in boosting productivity and guarding against catastrophic computer failures that can interrupt operations, according to a CSIA survey. “CSIA members are forecasting a busy year for automation projects among industry clients,” said Piercarlo “PC” Romano, newly elected CSIA board chairman. “More and more CSIA members are showing plant managers, directors of operation and others that control system integrators are experts at managing risk and offering proven solutions to their production challenges.” According to CSIA, topics at the forefront of industry discussion are cyber security, globalization and trends in information technology. “The threat of cyber-attacks is real,” said Bob Lowe, executive director of CSIA. “Our integrator members know their responsibilities and are taking this threat seriously by becoming educated, making it part of their project planning and implementing CSIA Best Practices and Benchmarks to reduce risk for their clients.” Lowe says CSIA is looking at emerging economies such as Latin America to determine how integrator members play a role in developing industrial automation and in demonstrating the value of CSIA Certification worldwide.      “We are part of a global industry and CSIA’s vision is for industries everywhere to have access to low-risk, safe and successful applications of automation technology,” continues Lowe. “A global strategy strengthens CSIA’s partnership with industry suppliers, helps us access global networks, and leads our integrators to the clients requesting their expertise.” In addition, CSIA members are tracking the top IT-based technologies in control system integration, such as cloud computing, virtualization and bring your own device (BYOD). These trends are already changing the way integrators work with their clients and are expected to have significant impact on the future of the automation marketplace.
Cisco’s John N. Stewart, senior vice president, chief security officer, Global Government and Corporate Security, talks information security and how to understand a global picture in a local context.
Today’s businesses, including manufacturers, are facing increased security risks as threats are becoming magnified by the world’s next generation of workers’ online behaviour. Despite popular assumptions that security risks increase as a person’s online activity becomes shadier, findings from Cisco’s 2013 Annual Security Report (ASR) reveal that the highest concentration of online security threats do not target pornography, pharmaceutical or gambling sites as much as they do legitimate destinations visited by mass audiences, such as major search engines, retail sites and social media outlets. In fact, Cisco found that online shopping sites are 21 times as likely, and search engines are 27 times as likely, to deliver malicious content than a counterfeit software site. Viewing online advertisements? Advertisements are 182 as times likely to deliver malicious content than pornography. Security risks rise in businesses because many employees adopt “my way” work lifestyles in which their devices, work and online behavior mix with their personal lives virtually anywhere - in the office, at home and everywhere in between. The business security implications of this “consumerization” trend are magnified by a second set of findings from the Cisco Connected World Technology Report (CCWTR), which provides insight into the attitudes of the world’s next generation of workers, Generation Y. According to the study, most Generation Y employees in Canada believe the age of privacy is over (91 per cent), but one third say that they are not worried about all the data that is stored and captured about them. They are willing to sacrifice personal information for socialization online. In fact, more Generation Y workers globally said they feel more comfortable sharing personal information with retail sites than with their own employers’ IT departments - departments that are paid to protect employee identities and devices. As Generation Y graduates from college and enters the workforce in greater numbers, they test corporate cultures and policies with expectations of social media freedom, device choice, and mobile lifestyles that the generations before them never demanded. As the first chapter of the Connected World Technology Report indicated in December, Gen Y in Canada is constantly checking social media, email and text updates, whether it’s in bed (two out of three surveyed in Canada), at the dinner table (nearly 60 per cent), in the bathroom (52 per cent in Canada compared to only 33 per cent globally), or driving (one in three Canadians, considerably higher than the 19 per cent global average). That lifestyle is entering work environments in greater numbers, spotlighting the future of work and how companies must consider competing for the next wave of talent. Unfortunately, what the security studies show is the next-generation workforce’s lifestyles are also introducing security challenges that companies have never had to address on this scale. Key findings : Android malware - Android malware encounters grew 2,577 per cent over 2012. (ASR)- However, mobile malware represents only 0.5 per cent of total Web malware encounters. (ASR)- These trends become especially significant considering the smartphone is the No.1 device among Gen Y workers over laptops, PCs and tablets(CCWTR) Web malware encounters by country In 2012, there was significant change in the global landscape of where users encountered Web malware. China dropped from being the second-most malware-stricken country in 2011 to the sixth spot last year.Scandinavian countries, such as Denmark and Sweden, experienced greater numbers of Web malware encounters, climbing the world ranking to the third and fourth spots, respectively. The United States retained the top spot with 33 per cent of the world’s Web malware encounters. (ASR) Privacy tradeoff -Although most Gen Y respondents do not trust websites to protect personal information (80 per cent in Canada compared to 75 per cent globally), such as credit card and personal contact details, their lack of confidence does not deter their online behavior, gambling that they will not be compromised. This puts a large amount of pressure on companies when these individuals take risks online with work devices on corporate networks. (CCWTR)- Fifty-seven per cent of Gen Y is comfortable with their personal information being used by retailers, social media sites, and other online properties if they will benefit from the experience. (CCWTR) IT Policy Compliance - 87 per cent of IT professionals surveyed in Canada said they have a policy governing the use of certain devices at work. (CCWTR)- 34 per cent of the Gen Y workforce in Canada said their company’s policy forbids them to use company-issued devices for non-work activities but 64 per cent said they don’t always obey those policies(CCWTR)- 36 per cent of IT professionals in Canada believe their employees obey IT policies (compared to 52 per cent globally). (CCWTR)- 72 per cent of Gen Y respondents in Canada said IT has no right to monitor their online behavior, even if that behavior is conducted using company-issued devices on corporate networks. (CCWTR) The Internet of everything & security’s future Looking ahead, the Internet of Everything represents the largest online trend today. As more people, things and devices connect to the Internet, more data from more places will be introduced across corporate and service provider networks, which open up new vulnerabilities and a need for more sophisticated security approaches. - Exponentially more machine-to-machine (M2M) connections are coming online each day, leading to a proliferation of endpoints that extend far beyond mobile devices, laptops and desktops to an “any-to-any” scenario in which any device can connect to any cloud to any application across any network.- By 2020, with an Internet open to an estimated 50 billion things, the number of connections balloons to more than 13 quadrillion (specifically, 13,311,666,640,184,600). Adding just one more “thing” (50 billion + 1) will increase the number of potential connections by another 50 billion. - These new connections generate data in motion that needs to be protected in real time as it is evaluated for actionable insights through the network and before it’s compromised and causes irreparable damages. - For network security professionals, the focus becomes content-neutral plumbing - shifting from the endpoint and the periphery to the network. Click here to read the Cisco 2013 Annual Security Report.
Yokogawa Electric Corporation and McAfee have signed a partnership agreement to offer holistic and value-added IT security solutions for the industrial automation world. According to a news release from Yokogawa, the partnership will address the imperative of digital threats to industrial control systems.In particular, the partners will collaborate to offer Yokogawa’s customers solutions to avoid gaps between different IT systems across proprietary solutions and expanded communication channels (e. g. IP, wireless, and mobile) and running common operating systems and applications. According to McAfee’s recent threats report, cyber-crime, hacktivism, and cyber warfare are on the rise worldwide and are growing ever more sophisticated. Governments, large enterprises, small business, and home users face a wide range of digital threats, and recent prominent cases of industrial sabotage and espionage have escalated these concerns. Today’s cyber security threats mean that industrial control system users and suppliers alike must be increasingly vigilant against current and future intrusions, as human safety and environmental impacts are directly at stake. While today’s process control systems can take advantage of advanced general-purpose IT to reduce costs, improve performance, enable interoperability with APC, MES, and other systems, and add other important new capabilities, the very same technologies have made today’s industrial control systems increasingly vulnerable to security intrusions – malicious or otherwise – from both within and outside the plant. Organizations tasked with running critical infrastructure such as oil and gas pipelines, chemical plants, power stations, and water treatment facilities must look at holistic security systems across two disparate, yet interconnected zones, enterprise IT and industrial control systems. This partnership will work to address the issue that industrial process control systems typically have a three to five times longer lifecycle than typical commercial systems. Since both system technology and cyber threats are ever-changing, automation system suppliers must embrace a lifecycle approach to industrial cyber security. “Security measures for control systems are indispensable. Yokogawa is continually making stringent efforts to provide our customers optimum control system security solutions, starting with the development of highly secure instruments and systems and extending to the provision of operational support services,” said Nobuaki Konishi, vice president of Yokogawa’s IA Systems Business Division (IA Platform Business Headquarters). “This partnership will allow us to combine our technology and plant security know-how with McAfee’s technology to enhance the security of our products and our line-up of security solution services covering the entire lifecycle of our customers’ plants. This will include the integration of anti-virus software with industrial control systems used in the process industries.” “Businesses are looking for integrated security solutions, moving from simply securing components, to understanding and measuring the security of a business system as a whole,” said Wahab Yusoff, vice president for McAfee South Asia. “That is why we feel strongly about this opportunity to work with Yokogawa as a leading global supplier of industrial control systems with a history of nearly 100 years of growing expertise and experience.”
On Tuesday, Nov. 6, security enthusiasts participated in Symantec's Cyber Readiness Challenge at the Design Exchange in Toronto. The event kicked off with a keynote presentation by Clint Sand, senior director of Symantec's Security Business Practice, on the current threat landscape, followed by an interactive "capture the flag" game that saw the top player going home with a $2,500 grand prize. Check out some of the highlights above.
From the viewpoint of national security, more manufacturing processes than you would think fall into the category of "critical manufacturing." The U.S. Department of Homeland Security, for example, identifies nine manufacturing areas as critical infrastructure, including iron and steel mills; ferrous and nonferrous metal processing; and the manufacturing of machinery, electrical equipment and transportation equipment. Public Safety Canada also identifies manufacturing as one of 10 critical infrastructure sectors, and collaborates with the United States on a cross-border approach to information sharing and protection through initiatives such as the "Canada-United States Action Plan for Critical Infrastructure."
On July 14, Siemens reported that its Simatic WinCC PCS7 control system had become the latest victim of a high-profile cyber attack. The Trojan worm - known as Stuxnet - targets Siemens' PCS7 control systems through certain vulnerabilities in Microsoft Windows operating systems. The worm spreads through mobile data carriers, such as USB sticks and networks. Once Windows becomes infected, the worm launches malware that searches for the WinCC software. If found, the virus then tries to steal industrial trade secrets from the infected host with the intent to deliver those secrets to the hackers via the Internet. This vulnerability exists in all Windows versions back to and including Windows 2000. Process manufacturing, utility and infrastructure organizations using the Siemens PCS7 control systems are all potential Stuxnet targets. Though the virus is detectable and exposure is preventable, Symantec Corp - a software security vendor - reports a staggering number of infections. According to a company representative, as of August 4, some 90,000 to 100,000 computers had already been compromised. Perhaps more troubling is the fact that Stuxnet is a global issue. According to Symantec, its "latest count puts the number of infected countries at 115," with Iran, India and Indonesia having the highest number of infected computers.  Trade secret theft isn't the only purpose of industrial automation and control systems (IACS) targeted attacks. Expropriation of process control is another - and arguably more dangerous - purpose. In these types of attacks, a hacker tries to obtain control of systems that, among other things, regulate equipment pressures, flows, currents, voltage, switches and safety alarms. By taking control of these systems, a hacker could theoretically alter oil and gas flows, water processing, and chemical and nuclear plant operations. These types of cyber attacks - which are not unprecedented - have the potential to cause catastrophic damage to health, compromise safety and destroy the environment. In 2003, for example, a hacker used the so-called Slammer worm to disable safety monitoring systems at the Davis-Besse nuclear facility in Ohio. Luckily, no one was harmed.  IACS security threats continue to grow, thanks to a shift to wireless technology over the last 15 years. From the 1960s until the mid-1990s, IACS architecture was largely delivered across closed-loop, LAN-based networks. These systems were cut off from the rest of the enterprise and the world-at-large. As a result, IACS faced limited outside threats. As of the mid-1990s, however, enterprises started using wireless, Ethernet, TCP/IP and web-based technologies, and began integrating IACS into enterprise-wide ERP systems. These changes helped organizations achieve business efficiencies, including those relating to administrative centralization, cost and convenience (think remote access).  Organizations are quickly learning, however, that IACS ubiquity comes at a cost. Companies now have to protect themselves against significant and pervasive risks with which they generally have very little experience. For most, cyber security issues require urgent attention. The learning curve is steep. Further complicating matters is the fact that the IACS security management industry is itself emerging from its infancy, though it is growing up quickly. The International Society of Automation (ISA) Security Compliance Institute - a non-profit global institute made up of suppliers, customers and professionals - has undertaken the responsibility to develop universal compliance standards for IACS. When complete, these standards will be collectively housed in the ISA99 brand. To date, ISA99 has completed and published two standards. The first standard defines relevant concepts, terminologies and models. The second standard provides organizations with a step-by-step methodology to develop a customized security action plan, or in ISA's terminology, a cyber security management system (CSMS). The second standard explains the following: • How to identify, analyse and classify cyber security risks; • How to develop awareness of security issues; • How to develop appropriate security policies; • How to select and implement appropriate security counter-measures; and • How to review CSMS performance and improve on that performance. Future ISA99 standards are intended to apply to the entire IACS ecosystem, including: hardware and software, electronic sensors, monitoring systems, diagnostic systems, human machine interfaces (HMIs), programmable logic controllers (PLCs), remote terminal units (RTUs) and networks.  Organizations, though, should not wait for the ISA to publish its complete library of standards. Rather, they are well advised to start developing and implementing an IACS security strategy according to the ISA99 second standard. A layered approach Brian Ahern, president and CEO of automation system security vendor Industrial Defender, recommends a layered, "defence-in-depth" approach to cyber security. "Defence-in-depth presumes that no single mode of security mitigation is impenetrable or sufficient, and that a security solution must be comprised of several layers of mitigation technology that address prevention, detection and response to various attack types," Ahern explains.  The layered approach can be thought of as a series of concentric circles, all protecting the control system, which resides at the epicenter. These concentric circles are mutually reinforcing, adding robustness to the security structure. The first series of layers are preventive in nature. They are intended to deny entry to security threats. Firewalls, virus detection and remote access authentication form part of the outermost preventive perimeter. The next preventive layer defends individual system components, including servers, HMIs, PLCs, RTUs and computers. Ahern advocates a whitelisting approach, which "permits only a predetermined list of authorized applications to launch on each automation system computer. By ensuring that only approved, trusted applications can execute, the whitelisting application automatically blocks all unauthorized applications, including unknown malware and rogue applications installed by users." The next series of layers includes detection and monitoring controls. At the detection layer, sensors and collectors gather performance and security event information. For example, sensors are capable of detecting unauthorized wireless access via laptops or other devices. They also gather key data relating to traffic patterns, failed login attempts and password usage. A further layer includes alert controls, which notify and log suspicious traffic activities. Finally, executive dashboards present real-time and/or batch analytics according to pre-defined security rules. Ahern recommends a centralized approach to the administration of detection and monitoring controls as follows: "These technologies must be unified under an integrated monitor and response discipline, providing overall security situation awareness, including the ability to correlate and associate events and responses in different areas of the systems environment." The last series of security layers relates to event response. The point at which a response is required depends on the nature of the threat. In some cases, active responses will be required when threats are identified at the first line of preventive defence. In other cases, detection may not occur until all preventive layers have been breached, in which case rapid override actions may be required.  The best defence Effective, sustainable automation system security for IACS requires a mutually reinforcing and supportive defensive corps made up of prevention, detection, monitoring and response controls. Organizations are well advised to base their specific security-related decisions on a strategic plan developed in accordance with the second ISA99 standard. This will help organizations develop and implement security controls that adequately reflect their unique security and business needs. As greater numbers of organizations implement appropriate security strategies, a further outer defence ring will emerge - on the macro inter-organizational level. Jonathan Gross is vice-president of Pemeco, Inc., a consulting firm specializing in ERP implementation. He can be reached at This e-mail address is being protected from spambots. You need JavaScript enabled to view it .
Industrial security takes center stage at ISA EXPO 2009 on Oct. 7 featuring presentations by security experts with U.S. Department of Homeland Security experience, as well as a groundbreaking hack and defend tutorial and demonstration on wireless security. Sean McGurk, DHS Director, Control Systems Security Program (CSSP), will present the ISA EXPO 2009 Keynote Presentation. In his presentation, entitled "Securing the Nation's Industrial Control Systems Infrastructure", he will discuss the current threat landscape, common vulnerabilities and security issues facing critical infrastructure control systems, and mitigation strategies being developed to address these challenges. He will also discuss current program efforts including how to become directly involved in securing the Nation's critical infrastructure control. Greg Garcia, President, Garcia Strategies, will deliver the featured presentation, entitled "Industrial Security and the Political Control System: A View from Washington". He served as the nation's first Presidentially-appointed Assistant Secretary for Cyber Security and Communications (CS&C) for the U.S. Department of Homeland Security, from 2006-2008. During his tenure, the U.S.Department of Homeland Security affirmed the urgency of cyber security across the nation and embarked on a comprehensive cyber initiative that will measurably strengthen the security of our nation's networks against domestic and international threats. Wednesday's security spotlight will also feature a live "Hack and Defend Industrial Wireless Systems" demonstration. The never-been-done-before wireless hack and defend tutorial session will give attendees the chance to learn techniques about breaking and defending wireless systems, as well as pose questions to the experts. ISA Security Lounge The ISA Security Lounge will offer meet-and-greet opportunities with ISA EXPO keynoters — including Sean McGurk and Greg Garcia, industry leaders, recognized professionals, presentations, and running demonstrations of cyber security related topics of interest featured during the technical conference. The ISA EXPO 2009 conference will feature six Exchange Conference Tracks centered on key issues facing instrumentation, automation, and control professionals, including a dedicated track on industrial security. Attendees will have the opportunity to discuss best practices, lessons learned, and potential solutions to specific automation problems as part of the conference's technology exchange format. For more information about ISA EXPO 2009, and registration, visit www.isa.org.
Vancouver-based Wurldtech Security Technologies, a provider of industrial cyber-security testing and certification solutions for critical infrastructure industries, revealed a detailed strategic initiative designed to help improve the security of the Smart Grid.The effort includes the addition of wireless communication capabilities into the award-winning Achilles Satellite security and robustness testing platform to diagnose and remediate vulnerabilities in Smart Grid technology; the expansion of the Achilles cyber-security certification program to include resilience benchmarks for smart grid devices and applications; and the creation of the world’s first cyber security research institute and global center of excellence focused on vulnerability analysis and cyber-threat metrics for Smart Grid infrastructure."The Smart Grid is critical to our sustainable energy future," said Tyler Williams, CEO of Wurldtech, "but the bulk power industry has had little necessity for cyber security in the past because critical control networks were isolated from the litany of IT threats that could jeopardize process integrity and reliability. The advantages of Smart Grid however, require increased connectivity, including a reliance on the internet, and if we don’t move quickly to make functional security an integral part of the Smart Grid initiatives, we may find ourselves in the unfavorable position of attempting to fix the car while driving at full speed."The Achilles Satellite is a unique stand-alone platform designed to allow equipment manufacturers of all sizes to conduct standardized cyber security and robustness testing to identify vulnerabilities in IP-enabled computers systems before their deployed in critical infrastructure networks. In fact today, the Achilles testing technology is relied upon by almost all major global automation vendors and has made enormous improvements in both the reliability and resilience of the computer systems that operate critical infrastructure around the world. By adding additional capabilities to the Achilles platform, enabling security testing over common smart grid protocols such as IEC 61850/870, and the new wireless protocols based on 802.11 and 802.15.4 (WirelessHART, ISA100.11a and Zigbee), suppliers of smart grid devices and applications can benefit from the same advantages previously reserved for the traditional SCADA and control system vendors. "There is no reason why any device, system or software application that is found on a critical control network should be deployed without going through rigorous security and robustness testing with technologies like Achilles" said Greg Garcia, former assistant secretary for cyber security from the U.S. Department of Homeland Security. "Having the required subject matter expertise, the proven technology to identify and diagnose vulnerabilities, and the infrastructure to categorize threats and proactively distribute effective mitigations, Wurldtech’s solutions will provide the functional security core that the Smart Grid initiatives need."Williams said, however, that these initiatives alone will not provide the layers of functional security necessary to protect the Smart Grid from intrusion or accidental disruption. "We have been working tirelessly over the past eight months with numerous energy industry end-users on an exciting new initiative and are extremely pleased to announce today the signing of a Memorandum of Understanding (MOU) between Wurldtech and The University of British Columbia (UBC). The MOU provides the framework for Wurltech and UBC to create the world’s first global centre of excellence in cyber security."Funded directly by leading energy companies, government agencies and other industry stakeholders, and focusing, the Centre of Excellence will consist of three distinct components:• A Cyber Security Testing & Certification Test Bed and Demonstration Center: a multi-million dollar test bed designed to replicate high-availability control networks and advanced metering infrastructure currently being constructed to support the on-going analysis of Smart Grid and control system infrastructure, for security, safety and interoperability issues. • An International Applied Cyber Security Research & Assessment Team: A centrally managed, but distributed, multi-disciplinary team of cyber security subject matter experts, private sector and academic researchers to conduct both applied research and consulting services based on roadmap requirements directly from end-users.• A Web-based Knowledge Portal: An information coordination center to provide symmetric information, without restriction, to qualified users. This portal will act as the conduit for workplace cyber security training and education as well as online certification and training courses covering the emerging functional security issues in the critical infrastructure industries and the Smart Grid."Wurldtech is responsible for yet another game-changer," says Ted Angevaare, Shell Global Solutions’ global manager of process control security and architecture. "A focused private-sector effort with activities directed by end-users and managed by an organization with clearly demonstrated industry stewardship, subject matter expertise, and an understanding of the issues and fundamental needs of the industry – this is a recipe for success. Shell is proud to be amongst the many supporters of this effort and we look forward to contributing our expertise to the combined knowledge base so that the entire community can benefit."www.wurldtech.com
Page 4 of 4

Subscription Centre

 
New Subscription
 
Already a Subscriber
 
Customer Service
 
View Digital Magazine Renew

We are using cookies to give you the best experience on our website. By continuing to use the site, you agree to the use of cookies. To find out more, read our Privacy Policy.