On the Internet you can find an interesting time machine with which to travel through the history of web pages. When you look at the websites of companies from fifteen years ago, in addition to the old-fashioned look, there is one remarkable detail that catches the eye: the address that starts with “http://” in the address bar of the browser.
This unencrypted protocol was the norm at that time, but today the browser immediately warns the user about the insecurity of such a site. The change perfectly reflects how digital security requirements have evolved. The same shift is now taking place even more prominently in industrial automation.
The shift is particularly evident in the major transformation industrial automation systems have undergone in recent years. For example, secure and efficient web technologies have brought browser-based user interfaces more and more often into factories; configuration, parameterization, and operation of modern automation systems are increasingly done through the browser.
These developments have brought significant advantages in allowing users to securely and flexibly manage systems across devices, with no need for separate software. Siemens’ WinCC Unified visualization leverages these same technologies to provide both a flexible and modern user experience.
Tools to manage emerging threats
As technology evolves and transparency increases, new threats will inevitably arise as well. If we think, for example, about the operation of a machine, today we need to pay even more attention to who can control the machine and with what rights.
In the secure operation of a machine, it is not only about whether a person can trust a machine, but also whether a machine can trust a person who controls it, or another system. It is worth thinking carefully about who the machine should receive commands from and to whom to hand over information. The issue should not be taken lightly, as every connection to the system is potentially a major security risk if not properly protected.
The importance of these risks is highlighted precisely in an industrial environment where the stakes are high. Control systems often manage equipment worth hundreds of thousands or millions of euros, the incorrect operation of which can lead to serious consequences. It is not only about financial losses, the safety of people, the protection of the environment and the reputation of the company can also be at stake. A damaging event can be prompted by a deliberate attack, but equally by inadvertent error or negligence. It is necessary to prepare for all situations.
Fortunately, advances in technology not only create threats, but at the same time provide powerful tools for threat management. By investing in cybersecurity in the design and operation of systems, functionality and security can be ensured to a high level. In the development of modern SIMATIC devices, Siemens follows the principle of security-by-default, so that when using a Siemens end-to-end solution, the equipment and its operating relationships are secure by default.
Unconsciousness as a challenge
In many manufacturing plants, the level of cybersecurity of automation systems is already high, but there are also poorly protected plants with development needs. There are certainly many reasons for the low level of security, some of which may be related to culture or the technology in use.
Cybersecurity culture has been relatively undeveloped among automation engineers. Security considerations are simply not used to being taken into account in the design and maintenance of systems, especially in smaller projects. It has not been so much a deliberate omission as a lack of awareness.
The long life cycle of industrial automation equipment has also certainly had its own impact. Many production facilities use very old systems that were not originally designed with modern cybersecurity requirements in mind.
However, the level lifting is now clearly underway. Renewing legislation, and with it growing awareness, has deepened our understanding of the importance of cybersecurity. It has also been realised that cyber security does not develop on its own, but requires determined measures and a comprehensive approach.
We need a common vision
At the heart of a cyber-secure automation system is a shared understanding of security by all parties. It is not enough for one party to understand the situation, but all parties must share the same view of what cybersecurity means in practice. For example, when we talk about network security, access management or system recovery processes, their importance for continuity of production should be crystal clear to all parties involved. This understanding must be maintained throughout the entire life cycle of the machine, despite the fact that companies and individuals belonging to the stakeholders may change.
Building consensus is not always easy, as improving cybersecurity may also face opposition. “Why does logging into the system have to be so complicated?” or “What if the password is forgotten?” are typical concerns. These are genuine questions that require pragmatic solutions. At the same time, they also show how important it is to understand the big picture of cybersecurity.
Cybersecurity is not just technology or encryption methods. It is an entity that combines technology, people and processes. Technology alone is not enough; you need reliable processes, for example for managing passwords. In addition, people who follow secure processes are needed.
We need a culture change, similar to what has already been seen in machine safety. Just as we have learned to accept the protections required by machine safety as part of a safe work environment, we must also embrace cybersecurity practices as part of our everyday work. It should be understood that security is not an additional cost or a hindrance, but is a basic condition for reliable production.
The factory of the future is secure
Let’s go back to the beginning. Just as we no longer accept insecurity in internet browsing, we should not accept it in industrial automation either. The factory of the future is not only smart, but also secure, and this security is built on the seamless interplay of technology, people and processes.
Ultimately, the point is that cybersecurity is not an option but a necessity. It is an investment that pays for itself in improved operational reliability and reliability.
With a strong security culture, we can take full advantage of the opportunities offered by digitalisation. At the same time, we protect the most valuable assets of our production plants effectively.
