April 2021

n TALKING INDUSTRY Keeping plants secure in an era of threats In the fourth panel discussion in our Talking Industry series, three experts on plant safety and security got together to discuss the latest thinking on these topics. Andy Pye, consultant editor of Drives & Controls, who chaired the session, reports on some of the highlights of the lively session. 26 April 2021 www.drivesncontrols.com S afety and security in industrial plants may need rethinking. The future of manufacturing processes is digital, which is creating many opportunities for plant operators to enhance efficiency, increase flexibility and make their plants future-proof. But there is a downside: threats to plant security arising from rapidly growing and increasingly sophisticated cyber-criminals, as well as an increased risk of unintentional security incidents fromwithin organisations. In the latest of our series of online discussions called Talking Industry, three expert panellists (see details on the right) focussed on three broad areas: n rethinking the relationship between safety and security; n increasing productivity through safety; and n safety in large systems, integrated machines and production lines. Jason Reed took the reins for the first section, concentrating on the relationship between safety and security. In doing so, he took on the challenge of condensing three hours of presentation material into around five minutes. Today, he asserted, not only do we have a desire to connect and share information, but we also have a need to do so. So buzzwords such as the Internet of Things, Industry 4.0 and smart factories, are becoming the norm. The traditional process of setting up a factory or a production line to manufacture thousands of widgets cost-effectively, is being replaced by smart factories or single production cells that can manufacture batches or one-off orders. However, there's a downside to this – there are people, organisations and even nation- states that want to exploit weaknesses in the IT infrastructures. Common points of entry are via the Internet, removable media such as USB memory sticks, and email campaigns. Historically, IT security has been about confidentiality of information. Threats are made via companies’IT structures – typically in the form of ransomware, where a system is locked down until a payment is made, or IT breaches in which company or customer data is stolen. The cost to the company of either of these forms of attack is financial. But with smart factories, industrial security involves protecting production and industrial plants against faults, whether intentional or unintentional. In the past, communications would have been carried out via manufacturer-specific protocols. To do any damage, an attacker would probably need to enter a factory physically or access machines via telephone lines. Now, these protocols are now increasingly being replaced by Ethernet-based communications, allowing attacks to be carried out via the Internet. Jason Reed suggested that anything with an Ethernet connection is a risk. Some of the remedies that the panel discussed included: n protecting plant and machinery so that only authorised personnel have access, thus preventing manipulation of the control systems by external attackers; n using anti-virus scanning software; n training staff not to click on malicious attachments or links from emails, or log on to unsecureWiFi networks; n keeping track of passes of anyone entering buildings; n keeping records of who is competent to carry out patch updates to machines; n when buying new equipment, making sure that its operating systems are up-to-date; and n managing passwords properly, or avoiding them by using RFID tags and alternatives. Standard practice The ISO standard 62443 (industrial communication networks, network and systems security) deals with IT security and automation. It currently offers the best guide for both operators and device manufacturers when it comes to implementing security efficiently. However, as Eve Edwards confirmed, standards are lagging badly in this area. As technology moves forward at pace, it takes a while for standards committees and their publications to catch up. Martin Kidman gave the example of sensing devices that are based on radar, even though radar is not actually mentioned in most of the standards. Standards are now being drawn up so that they are almost“technology-agnostic”. They are being written around the

RkJQdWJsaXNoZXIy MjQ0NzM=