In recent research on Manufacturing execution systems (MES) and manufacturing operations, we have looked at ways of moving from monolithic MES solutions to more agile, distributed systems based on Industrial Internet of Things (IIoT) platforms.
The LNS Research definition of an IIoT platform includes Cloud, connectivity, Big Data Analytics, and application development capability. Many clients ask us why security is not a basic tenet of that definition. We will look at the answer below but first, let’s consider the current state of security in plant floor systems and beyond.
Old is Insecure
Recent global security attacks have involved all sorts of systems, from smart home devices to the global Domain Name System (DNS) infrastructure. One universal source of easy pickings for attackers is old Windows systems that are no longer fully maintained by Microsoft, and this immediately leads us to MES and other industrial systems running on Windows. These systems are usually developed for a specific role in a factory and, once completed, are left to run, often unchanged for years or decades; they quietly do their job with little to no maintenance.
That “no maintenance” tag includes no operating system updates and few or no backups, a recipe for insecurity. We have had many clients admit that they still use Windows XP (I even met one with live Windows 3.1 applications) for manufacturing critical applications. Many understand that there is a security issue, and they often try to hide vulnerable systems behind firewalls. This is a weak defense: a firewall only restricts which network paths reach the old host, and it is the first thing a determined attacker maps. Any foothold behind it, whether through a permitted port, a phished engineering workstation, a vendor laptop or a USB stick, leaves the unpatched system fully exposed.
Another option for old systems is to put a modern dummy system alongside the old one and monitor the new one for attacks. Nobody legitimate has any reason to talk to the dummy, so a single connection to it is a strong signal that someone is probing that network segment, and the old system next to it is vulnerable and action is required. This is sometimes called a canary defense after the use of canaries to protect miners from deadly gases. Note that a canary detects; it does not protect, and it only helps if someone actually watches it and responds. This is an interesting approach for very critical systems, but renewal might be a better medium-term strategy. Many of these old systems are in place because companies think that it is too difficult or expensive to replace them. We would argue that it is potentially too expensive NOT to replace them.
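The canary idea described above, as an added example (this is not code from the article or from LNS Research): a decoy listener that records every connection made to it, and a small analyzer that turns those records into alerts. The host names, addresses, decoy port-to-service mapping and log format are assumptions made up for the illustration; in a real deployment the hit records would go to the SIEM rather than stay in memory.

```python
"""Canary host for a legacy plant-floor system: a decoy with no legitimate
clients, so any connection to it is a high-confidence indicator that someone
is probing the segment the old MES box sits on.

Added illustration, not LNS Research code. Hostnames, addresses, the port
mapping and the log format are assumptions invented for this example."""
import re
import socket
import socketserver
import threading
import time
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

# Services the canary pretends to offer, chosen to mirror the legacy Windows
# MES host next to it (assumed: SMB, RDP and the MES web front end).
DECOY_PORTS = {445: "smb", 3389: "rdp", 8080: "mes-http"}

# Assumed hit-record format: "<utc timestamp> canary=<name> src=<ip> dport=<port>"
HIT_RE = re.compile(
    r"^(?P<ts>\S+) canary=(?P<canary>\S+) src=(?P<src>[\d.]+) dport=(?P<dport>\d+)$")


@dataclass
class Alert:
    source: str     # address that touched the canary
    canary: str     # which decoy was touched
    services: list  # decoy services probed, sorted
    hits: int       # total connections seen


def analyze_canary_log(lines, threshold=1):
    """One Alert per (source, canary) pair. Nothing legitimate ever talks to a
    canary, so the default threshold is a single hit; raise it only for known
    noise (e.g. your own vulnerability scanner) you cannot exclude at source."""
    hits = {}
    for line in lines:
        m = HIT_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line: ignore, do not crash
        key = (m["src"], m["canary"])
        service = DECOY_PORTS.get(int(m["dport"]), "port" + m["dport"])
        hits.setdefault(key, Counter())[service] += 1
    alerts = [
        Alert(src, canary, sorted(counts), sum(counts.values()))
        for (src, canary), counts in hits.items()
        if sum(counts.values()) >= threshold
    ]
    # Most active source first: that is the one to hunt for on the real host.
    return sorted(alerts, key=lambda a: -a.hits)


class _CanaryHandler(socketserver.BaseRequestHandler):
    def handle(self):
        # Record who connected and to which decoy port, then drop the
        # connection; the canary never needs to speak the real protocol.
        ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        src = self.client_address[0]
        dport = self.server.server_address[1]
        self.server.hits.append(f"{ts} canary={self.server.name} src={src} dport={dport}")


class CanaryListener(socketserver.ThreadingTCPServer):
    """One decoy port; run one per DECOY_PORTS entry in practice."""
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, name, host="127.0.0.1", port=0):
        super().__init__((host, port), _CanaryHandler)
        self.name = name
        self.hits = []  # hit records; a real canary would forward these
        threading.Thread(target=self.serve_forever, daemon=True).start()


def touch(listener, timeout=2.0):
    """Simulate an attacker's probe of the canary; return the hit records."""
    before = len(listener.hits)
    with socket.create_connection(listener.server_address):
        pass
    deadline = time.monotonic() + timeout
    while len(listener.hits) == before and time.monotonic() < deadline:
        time.sleep(0.01)
    return list(listener.hits)


# Constructed sample: one host sweeping the decoy's SMB/RDP/HTTP ports, one
# stray hit on a second canary, and a line that is not a hit record at all.
SAMPLE_LOG = [
    "2024-03-01T02:14:07Z canary=mes-canary-01 src=10.20.30.44 dport=445",
    "2024-03-01T02:14:09Z canary=mes-canary-01 src=10.20.30.44 dport=3389",
    "2024-03-01T02:14:09Z canary=mes-canary-01 src=10.20.30.44 dport=8080",
    "2024-03-01T02:15:11Z canary=mes-canary-01 src=10.20.30.44 dport=445",
    "2024-03-01T03:00:00Z canary=mes-canary-02 src=10.20.31.9 dport=22",
    "2024-03-01T03:00:01Z heartbeat ok",
]

if __name__ == "__main__":
    for a in analyze_canary_log(SAMPLE_LOG):
        print(f"ALERT {a.source} probed {a.canary}: {a.hits} hits on {', '.join(a.services)}")
    srv = CanaryListener("lab-canary")
    print(touch(srv))
    srv.shutdown()
```

The listener deliberately does nothing but log and close: the value of a canary comes from its silence, not from emulating the protocol, and a decoy that answers convincingly is more work to keep patched than the old system it is watching. The analyzer treats one hit as alert-worthy for the same reason.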
MES on IIOT: Security for Free?
As we mentioned at the start, IIoT platforms are expected to incorporate security, but the LNS Research definition of an IIoT platform does not have a security piece at the highest level. A closer look shows lots of mentions of security within the individual capabilities, but even that is not really enough.
We argue that every component of an IIoT (and IoT) system needs to have security built in and integrated with the rest of the security infrastructure. For example, many vendors are now offering low-cost devices to connect plant equipment to the IIoT data repository without going via the control hierarchy. Each such device is a new path between the plant floor and the internet that bypasses whatever protection the control layers provided, so it is imperative that these internet connected devices have security built in right at the edge of the network, with authentication, encryption and a way to receive updates, on each logical connection to the intranet and internet.
Not IT/OT Convergence
Ensuring a complete security strategy requires a unified approach. In most companies, the IT department will have the greatest security skills, and it is essential that these people work with, and listen to, plant operations experts. There are real concerns that adding security layers on top of old systems can disrupt their operation or complicate upgrading them. Teamwork to solve old system security where possible is imperative.
As manufacturing companies consider their Operational Architecture and how MES functionality will be implemented, it is imperative that security is a constant concern. Moving to the Cloud usually enhances rather than diminishes security, as Cloud suppliers devote huge efforts to ensuring their underlying systems are as secure as possible and are constantly updated to react to potential threats. No individual manufacturer could devote such efforts. The supplier secures the platform, though, not the manufacturer's use of it: configuration, identities and access, and the connections back to the plant remain the manufacturer's responsibility. Manufacturers should therefore focus on plant security, working with their MES and plant software vendors to ensure maximum security and properly maintained systems. Do not get caught out by obsolete and vulnerable systems.