Everything is digital. We want data. But not all data is interesting or necessary. We need methods to classify, prioritize and refine data, to connect bits and turn them into meaningful information, and then share that information with operators and other assets, ensuring that the most valuable and efficient business, financial and operational decisions and actions are taken.
While the entire industry is scrambling to digitize, all that connectivity, productivity and efficiency will not be effective if the culture, systems or installations are not intrinsically secure. Before implementing a digital strategy it is important to understand not only the implications of the strategy for the business, but also the implications for the security and protection of people and assets. In short, integrating cybersecurity is the cornerstone of this new digital age.
The prospect of connecting billions of devices to industrial automation systems raises two really important questions.
First, how do we keep systems and information secure? Adding more devices means increasing the attack surface area, which in turn increases cybersecurity risks. In this matter there must be a balance between adding intelligence, protecting devices and protecting data. Compiling data just for the sake of having it may result in no additional value being created. In turn, more data means a potential cause of confusion and increased risk of cyber-attack.
Secondly, what do we do with the data and information? We need processes to find out what the data means and what it is telling us. There are many options for analysing data, including trends, reports, alarms and other functions. But there must be a reason for gathering all this information. This is known as an operational intelligence approach, which is based on optimizing automation and control, remote administration and predictive maintenance to enable services, advanced analysis, and the generation of actionable information to drive better and more efficient decision making.
Operations are improved by providing operators with intelligent data so that they can make better decisions to optimize production. As an analogy, let’s think about what would interest us if we connected our washing machine to the Internet. Would we want to know when the water starts to enter, how the soap is dispensed, the drying cycle time, the rinse cycle time, the spin cycle time and the RPM? We probably don’t need that information. Is it worth the risk of a cyber-attack? And what do we do with the data? In practice, all we would probably like to know is when the washing machine started, when it finished and if there were any potential problems. Just because I can connect my washing machine to the Internet doesn’t mean I should, unless it makes sense and unless I can do something worthwhile with the information.
Digitisation in general is a huge breakthrough and a real opportunity to increase ROI and asset value. But, when it comes to process automation, we should use digitisation’s capabilities to bring intelligence to the device layer, which means we need much smarter sensing and instrumentation to simplify control architectures and reduce the time, cost and effort required to configure systems.
Distinguishing the data actually needed from the data available is important in system design. It is about applying lean design concepts to improve operations, efficiency and productivity. Digitisation strengthens our capabilities so that we can help users extend the life of their assets, improving decision making and creating intelligent enterprise control systems that give businesses better financial control and enable them to approach the customer more flexibly. In any case, the system must first and foremost be intrinsically cybersecure.
In 2007, ISA developed the ANSI/ISA-99 standard entitled “Security for Industrial Automation and Control Systems: Concepts, Terminology and Models”. In 2010, this document, extended and updated, became the IEC-62443 international standard and is still in use today; it is the most widely acknowledged and used standard for industrial cybersecurity assurance in the world.
Since the beginning of 2017, ISA has been teaching several officially certified courses on industrial cybersecurity in Spain. These provide a detailed overview of how ISA/IEC-62443 standards can be used to protect critical control systems.