Featured Video
This Week in Quality Digest Live
Risk Management Features
Bita Kash
Health information exchanges are an effective but underused tool
Mike Richman
Odd objects, the rewards of risk, and magnificent management
Eryn Brown
There’s plenty of evidence on how to get the best out of workers, but businesses often ignore it
Nicole Radziwill
Why you should start employing a risk-based mindset
Manfred Kets de Vries
Sometimes we’re so used to living with stress, we don’t know how to identify it

More Features

Risk Management News
Transforming a dysfunctional industry
An invite from Alcon Laboratories
Why not be the one with your head lights on while others are driving in the dark?
The FDA wants medical device manufactures to succeed, new technologies in supply chain managment
The audit solution provides 360-degree, real-time visibility into nonconformance status and completion
Preparing your organization for the new innovative culture
Standard recognizes that everyone is critical to a successful quality management process.
Pharma quality teams will have performance-oriented objectives as well as regulatory compliance goals

More News

Timothy Zimmerman

Risk Management

Ensuring the Cybersecurity of Manufacturing Systems

Operational technologies control many of the processes we rely on every day

Published: Tuesday, October 17, 2017 - 12:03

Cybersecurity, at this point in the technological age, has become a household word. Every week, almost like clockwork, it seems there is a story in the news about a newly discovered hack or data breach, often made possible by poor cybersecurity practices. Many of these incidents are focused around stolen data, which reside in our IT, or information technology, infrastructure. However, the breaches that interest me are those that affect the systems and devices that monitor and manipulate much of the world around us and have real-world health and safety consequences if they are compromised. These extremely important systems and devices are known as operational technologies, or OT.

Typically hidden in plain sight, OT control many of the processes we rely on every day, including traffic signals, power distribution, hydroelectric dams, water treatment, building HVAC, oil and gas distribution, nuclear power plants, and many varieties of manufacturing. Again, the most important characteristic of OT is their ability to reach out from the digital world and manipulate the physical world where we humans reside. It’s not difficult to imagine some of the disasters that could occur if these critical OT processes were to be compromised because of poor cybersecurity practices.

So, how do these systems manipulate the physical world? At the most basic level, they’re not much different from my coffee maker, whose proper function I rely on for my proper function every morning.

Inside the coffee maker there is a tiny computer, a series of valves, and heating elements that work together to create, in my opinion, the most delicious and invigorating elixir the world has ever known. If the computer failed to manage the coffee-making process, the consequences can vary from simple disappointment, e.g., no coffee because the water was never heated, to catastrophic, e.g., the heating element stayed on all day, caught fire, and burned down my house. The same is true for more elaborate OT systems, like manufacturing machines and robots, which can include thousands of sensors and actuators.

So, what’s the problem with securing these devices? Well, not so long ago, OT systems were built using proprietary hardware and software, and their operational details were not well known. Today, however, OT leverages many of the same technologies that were originally created for IT, e.g., networking, the internet, operating systems, user management, USB ports, and web servers. Because of this shared technology, it’s easy to assume that any type of cybersecurity technology could be implemented to protect OT, but this is not the case.

For example, cybersecurity devices that filter unauthorized network traffic on an IT network could cripple an OT network simply by preventing important data from reaching its destination, and, in some cases, can cause failures just by delaying data. Software used to scan a network for vulnerabilities may send unfamiliar messages to OT devices and can cause them to fail, which is especially bad if the device is actively controlling a process. Even something as simple as antivirus software can have a detrimental effect on the performance of these critical systems and may be impossible to implement altogether.

This is where our research begins. In our laboratory testbed, we install, integrate, and test these cybersecurity technologies on emulated manufacturing systems. We have all the parts and pieces to reproduce manufacturing systems in the lab, including identical industrial controllers, network hardware, human-machine interfaces, and even robots. The main difference between our testbed OT and the real manufacturing processes are the additional measurement devices we use to evaluate their operational characteristics.

Standards and guidelines detailing best practices for protecting IT and OT have already been produced by industry, trade groups, and government agencies. However, one thing they are missing is guidance that describes how to balance those protections with potential negative impacts they may have on performance. To fill this gap, my group is working to produce guidelines, test methods, metrics, and tools based on measurement science and standards to give industry the confidence it needs to effectively apply cybersecurity protections on their systems without negatively affecting their performance, safety, or reliability. Our work has already resulted in a manufacturing profile for the Cybersecurity Framework, which outlines a risk-based approach to help manufacturers implement, manage, and improve their cybersecurity posture using industry standards and best practices. And to put the manufacturing profile to the test, we will be using it to protect our robotic and process control testbed under many different configurations and scenarios while measuring the performance impacts to the system.

At this point, we have just begun validating our measurement systems and performed initial testing, but with all the progress we have made so far, I can only see great things coming out of our work. If you’re a manufacturer, I hope our research can help you continue to keep your operations safe, reliable, performing as expected, and more secure.


About The Author

Timothy Zimmerman’s picture

Timothy Zimmerman

Timothy Zimmerman is a computer engineer with the NIST Intelligent Systems Division. His research focuses on cybersecurity for the manufacturing sector, especially its impact on industrial control systems and robotics.