Tech Briefs Magazine - February 2021 - 16

FACILITY & NETWORK SECURITY
not inherently designed with cybersecurity in mind. Exacerbating the problem is the potential for negative performance impacts resulting from the
integration of common cybersecurity
technologies into existing systems. Balancing accessibility with security is a
multi-faceted strategy that relies on
standard communication protocols,
encryption of data being transferred
over networks, leveraging the most upto-date cybersecurity standards, and
implementation of technologies that
allow identifying and mitigating cybersecurity threats in real time.
Tech Briefs: Obviously, cybersecurity
is a major concern for those deploying Internet of Things (IoT) systems.
Why then is security often the last
element of IoT deployment?
Jabbour: Because cybersecurity is
most easily overlooked. Most IIoT
installations are trying to satisfy a business need and cybersecurity is something that is usually not a standard
conversation topic in business needs
until an attack happens.
Lloyd: Cynically, because security is
always the last element of all deployments. The push for IoT is all about
features and cost. This means devices
are produced quickly, at minimum
price, and you get the security you pay
for. Devices are often not patchable
and cannot support the traditional
agents and scanners in our security
toolsets. So, IoT security is a very hard
problem - effectively, injecting innumerable fragile new devices into a network that was already unruly and disorganized. The transition to IoT will only
go well for those who are disciplined
and plan in advance to contain the
blast radius of problems when - not if
- they occur.
Tindill: There are several reasons
why cybersecurity is considered only at
the end of deployment. Procurement
and sourcing processes exclude cybersecurity requirements because price
remains the primary factor. Most engineering processes exclude cybersecurity - this means that specification,
design, configuration, testing, and
commissioning often occur without
any cybersecurity tasks or deliverables.
IT and cybersecurity teams are excluded until it is time to connect to the net-

work or Internet - this is when these
teams may find out for the first time
the project even exists. Cybersecurity
should have sufficient weight in the
decision criteria; after it is included in
the purchasing processes, it is then
carried through the entire design, configuration, hardening, and cyber accep tance testing, all before launch.

" The role of cybersecurity

is to protect the investment
in the cloud, wireless
sensor networks, and other
industrial systems so they
can deliver their ROI while
being more resilient to
cyberattacks.
Donovan Tindill

Pavel: From early days when the
biggest risk was a computer virus, to
today when operational technology
malware can destroy equipment and
lead to loss of life, the computer world
has seen an exponential increase in
cybersecurity attacks. IoT-based technologies provide their own set of
unique security challenges associated
with data integrity, data leakage, privacy, and the potential for unauthorized
access.
So, why is security often the last element of IoT deployment? Some of
these systems were not designed with
cybersecurity in mind but rather with
the sole goal to provide a certain function. End users did not consider cybersecurity as one of their main selection
criteria but rather the ability of a system to perform a task, its efficiency,
and cost. Only in recent years has the
cybersecurity problem become more
emphasized by users, government, and
standardization groups.
Tech Briefs: For manufacturing applications - automation equipment,
robots, etc. - what additional or
different considerations should be
evaluated when assessing what's
needed for a facility network?
Lloyd: The top three priorities for
industrial networks are segmentation,
segmentation, and segmentation. The

www.techbriefs.com

Cov

ToC

old air gaps have evaporated and the
Internet is increasingly mixed in to
physical plant operations, whether we
like it or not. This profusion of interfaces means the total attack surface
has exploded and sooner or later,
something is sure to get in. The overriding priority is to plan ahead to limit
the spread of bad events, using segmentation, and for the most critical
systems, to plan ahead to close " blast
doors " similar to the bulkhead doors
in submarines.
Pavel: Cyberattacks have the potential to affect confidentiality, integrity,
and availability in a manufacturing setting. They can lead to loss of product
and process IP; production losses due
to destroying, modifying, and reprogramming parts and processes; damage to reputation; and even injury and
loss of life. The importance of data
integrity for manufacturing can be
seen in relation to part production -
altering product and process specifications could be detrimental to product
quality and reliability.
Data and cyber-physical system availability is also critical to manufacturing
productivity. Legacy hardware and software are commonly used in manufacturing processes and some of these systems were not designed with cybersecurity or the IoT in mind. Therefore,
there is an inherent risk when connecting such legacy devices to IoT or integrating them into the factory network.
Tech Briefs: Where factory floor, corporate, and Internet connections coexist, are firewalls a sufficient option
for cyber protection?
Jabbour: Absolutely not. Firewalls
are but a single appliance of a total system and while they should be used,
other design considerations must be
taken into account.
Tindill: In the mid-1990s, firewalls
and antivirus were the standards because they provided sufficient safeguards to defend against the cybersecurity threats of the time. Virtually 100%
of organizations today have firewalls
and cyberattacks can bypass firewalls
with other tactics, techniques, and procedures (TTPs). Cyber threats are rapidly evolving and multiple cybersecurity controls are required. Firewalls fulfill primarily a protective control, good
Tech Briefs, February 2021

http://www.techbriefs.com http://www.abpi.net/ntbpdfclicks/l.php?202102TBNAV

Tech Briefs Magazine - February 2021

Table of Contents for the Digital Edition of Tech Briefs Magazine - February 2021