Drives & Controls October 2022

TALKING INDUSTRY

Cyber-attacks: the ever-present threat

The vital issue of cybersecurity was the topic for debate in the latest of our Talking Industry series of online panel discussions. Andy Pye, who chaired the session, reports on some of the points made by the experts during their conversation.

The future of safety engineering for manufacturing and processing now focuses on the digital world. This is creating new opportunities and challenges for plant operators, enabling them to enhance efficiency and increase flexibility while making their plants safer and more secure. But cyber-attacks are a constant worry with the potential to disrupt a company’s operations disastrously.

Kicking off the recent Talking Industry Webinar on the topic, Aurel Buda, from Hans Turck in Germany, said: “Everything is opening up. Traditional automation networks used to have a closed system, with sensors and actuators being connected and communicating bidirectionally with a PLC network. Nowadays, sensors, actuators and edge controllers connect remotely via industrial Ethernet. Devices connect not just to PLCs, but to Scada, MES systems or cloud services.

“This means that there are many more points for intruders to attack a system,” he continued. “Despite the first attacks having happened years ago, we are still at an early stage of security awareness. I see companies that are very aware of cybersecurity and industrial networks – but I also see companies that are not cyber-aware.

“Most customers really don’t like to change anything on their systems, such as firmware updates,” Buda added. “In a couple of years, we will see systems that need to get firmware patches for security reasons, perhaps nearly every day or every week – as happens with our IT infrastructure. Adding that to safety systems is a game-changer. It is still challenging to have standards that allow for security patches, even in safety systems.
Currently, the core protocols are not intrinsically safe.”

Network security

Luke Orehawa, safety engineering manager at Nidec Control Techniques, turned to the topic of network security. “We’ve been doing fieldbus technology for quite a long time now and introduced our first industrial Ethernet system in 2005,” he said. “Having one cable rather than many simplifies installation complexity. Functional safety traditionally requires more stringent cabling measures – typically the number of cables doubles. If we can remove those cables, and make those systems simpler, we actually increase the robustness of the system, while decreasing its cost. Here is where functionally safe protocols such as Ethernet IP have come into play to allow secure and high integrity data exchange between the sender and receiver.

“We can take those advantages further when we start integrating the IT system to improve the overall system efficiency and effectiveness,” Orehawa added. “So for example, no longer are maintenance visits periodic, but they’re when they’re required – and, even better, before they’re required! We send that data up through the cloud mechanisms to be monitored by service providers.”

Convergence between IT and OT can be difficult. While there are lots of benefits to having a single network, there is also the downside that companies are opening themselves up to an extra attack vector.

Orehawa pointed to the 2016 attack on the Ukrainian power grid – the first industrial control system attack since Stuxnet in 2010.
It was followed in 2017 by the world's first cyberattack on a safety control system. “In both cases, the mechanism of infection was through the IT system, typically through email,” Orehawa reported. “From there the attacker was able to traverse into the industrial control system and – quite worryingly in the 2017 attack – into the safety control system.”

One point that was brought up during the discussion was that some companies are resistant to maintaining firmware updates – or, even worse, may downgrade firmware from the latest version.

“Most IT teams aren’t used to, or aware of, factory installations,” said Euchner’s Mark Staples. “They are very familiar with the IT layer, and they’re very familiar with all of the office-type equipment, but maybe not so much when it comes to the operational layer.

“One key area to address,” he suggested, “is education, because we are all seeing more connected devices – more networks of devices that sit on Ethernet, Ethernet/IP, Profinet, and so on. Potentially these are open to attacks. If we look at where attacks have got into businesses, they have generally snuck in via the OT level.”

Staples pointed out that his company focuses on safety technology. “Alongside a lot of the standards and regulations training we do, we do some product training, particularly our products which are networkable. Part of that training is to make people aware of networks, to think about network switches, or to put demarcation zones in place. So we have
