Changing Focus: Key Considerations When Looking At Industrial Process Control Cyber Security

Industrial processes have reached new heights due to the advantages offered by computer technology and the increased sophistication of systems. However, these benefits also bring along potential dangers; industrial process controls are more vulnerable to outside cyber attacks than ever before. Information technology (IT) professionals have long dealt with securing networks and protecting data; however, the protection of computer-controlled industrial processes is still a relatively new area of study. Computer-controlled processes place different demands upon the IT professional, and that's why it is important for them to readjust their thinking when working in the industrial environment. Below are some of the key variables and the differences between IT support and industrial process control support:

Availability of systems

In most situations, the typical system designed to handle information can be shut down for a given period of time without great consequence. Maintenance can be performed as necessary, and system reboots are a standard procedure to help correct crashes and remove viruses.

However, industrial processes are often continuous in nature, and this makes being shut down on the fly a highly-undesirable choice. Such shut downs are potentially devastating to the plant or facility, and that means maintenance must be performed on operating machines. Thus, IT professionals within the industrial process sector must think in a "process first" mindset when making decisions about taking down machines.

Consequences caused by system failure

Another area that is a night-and-day difference between information-handling and process-controlling systems is the degree of consequences if failure occurs. A virus within a system designed to handle information can be costly if it destroys data, and such losses can be devastating to a business. However, industrial process control manipulation by an outsider can cause mechanical failure that affects real physical property and human lives.

The most visible example occurred in 2010 when the Stuxnet computer worm infected the Iranian nuclear program; the worm caused programmable logic controllers to malfunction and as a result, several uranium centrifuges were damaged. This particular incident raised awareness concerning industrial process control sabotage and computer attacks.

While industrial processes are typically more routine than this scenario, the impact can still be destructive and deadly. Humans operate in close proximity to industrial processes, and their safety often depends in large measure upon the proper operation of machinery. A cyber attack can injure or kill workers, and this raises the stakes considerably when compared to an information management system.

Focus of security efforts

Systems designed to handle information typically find their value concentrated within the actual information itself. That's not to say that the servers, routers, switches, workstations and other physical equipment is inconsequential, but in most circumstances, they are far less of an economic concern to the company. As a result, IT professionals expend resources in protecting the central systems from attack and also are diligent to back-up data in an effort to keep it from harm or being stolen.

On the opposite side of the spectrum, industrial process control systems usually have their value in the equipment that carries out the work: programmable logic controllers, DCS controllers and other field-based devices are extremely expensive, and the IT professional must focus cyber security efforts on these components.

Operation and security architecture

Modern-day information management systems usually function with a full-reliance on "off the shelf" operating systems and other software components that are standardized to a large degree. These systems also often possess inherent cyber security programming that prevents a need to install a completely separate security framework.

However, industrial process systems were often designed before cyber security was a consideration, and security measures revolve around limiting access to workstations or field equipment. Unfortunately, as security concerns have now spread beyond the physical realm, these process systems are likely not to contain security measures. Instead, IT professionals from sites like http://cmafh.com must recognize a need to install additional equipment or systems that can protect controls from attack.