ROBERT BERGMAN, Bedrock Automation
If any of today’s large vendors of automation systems offer cyber security protection, odds are good that it has been bolted on after the fact. Cyber security was not an issue when these systems were originally designed, so swapping them out now would be a major challenge for both the vendor and the end user. But those systems are due for an update eventually, and legacy vendors are now striving to build in as much security as they can.
Over the next several years, more and more companies will be claiming to offer some degree of built-in cyber security. Although they will be guided somewhat by standards such as ISASecure (IEC 62443), each will likely interpret such standards differently and integrate them into their operations at different levels and degrees. As you evaluate your next PLC, SCADA RTU, DCS or other industrial control system claiming to have built-in cyber security, ask the following questions to determine if you are getting maximum protection.
- Is there an embedded public key infrastructure (PKI) to manage encryption and authentication of messages based on a known third-party root of trust?
- Does the authentication support Transport Layer Security (TLS) 1.2?
- Is encryption compliant with NIST SP 800-57, Suite B?
- Does the system have secure boot?
- Does security extend to sub-components as well as to the device itself?
- Is there anti-tamper protection at the component level?
- Are the modules all-metal, anti-tamper, sealed and FIPS 140-2 compliant?
- Does the system use a pin-less I/O backplane?
- Is the system firmware secure and protected?
- Are open communications protocols such as OPC UA and MQTT secure and protected?
- Does the system have a secure component supply chain?
- Does the system have the built-in bandwidth to support high-performance hardware accelerators without disrupting performance?
- Is the security included in the basic cost of the control system?
For a truly intrinsically secure control system, the answers to all these questions must be yes. For more detail on them and many other essential components of an intrinsically secure system, Bedrock Automation offers a free white paper: Chapter Three: Intrinsic Cyber Security Fundamentals.
Bedrock Automation’s OSA industrial control system has an embedded PKI that manages authentication and encryption using the same cyber security technology that protects military and aerospace applications. For more information visit bedrockautomation.com.