Cyber-security has been a hot topic since the Stuxnet incident of a few years ago. Previously, it was thought that securing the "top end" of an organisation was an adequate solution, but this incident and others like it changed the security landscape and highlighted vulnerabilities in the de-facto automation architecture.
Engineers suddenly started to reconsider their cyber-security arrangements. Scenarios were imagined where drinking water became contaminated or supply interrupted, power plants shut down, or road, rail and air traffic management compromised. In the industrial world it was realised that control systems were potentially vulnerable, often due to out of date or poorly maintained operating systems and CD drives or USB ports that had not been locked down. It did not take a lot of imagination to work out that the more critical a control system, the more likely a target it would be to cyber-attack and the more damage that could be done.
Cyber-security is an arms race of escalating capabilities, so 'defenders' of vulnerable assets must see it as a journey rather than a destination, constantly reassessing the situation and implementing new defences.
Most larger control systems have many points with potential for unauthorised access. Therefore layers of protection must be built into the system both at a network, hardware and software level. For instance, future PLCs (programmable logic controllers) will include multiple embedded features such as hardware security keys and multi-layer password structures.
Each PLC will be capable of hardware security key authentication to prevent programs from being opened or edited on unapproved personal computers that have not been "bound" to the security key. Furthermore, programs will be written so that they cannot be executed by PLCs which do not have a registered security key.
Additionally, an IP filter can be used to register the IP addresses of devices approved to access each PLC. Thus unauthorised access, whether for operational reasons, hacking or implantation of malware, will become much more difficult.
While end users will want maximum security; they will also continue to insist on simplicity of operation. Some of these automation security measures, all of which are optional, could be argued to complicate operations and that is why a holistic view of security needs to be taken, considering all aspects of the operation.
It is probably an unchangeable aspect of the human condition that some people will always seek unauthorised access to control systems. Therefore control engineers must build security measures into their products and systems - and recognise that these are surmountable hurdles rather than impregnable barriers, so must be constantly renewed and redeveloped.
