Safety and cybersecurity are interconnected in the manufacturing environment Security breaches can trip systems that stop machinery or alert operators in the event of a problem, damaging equipment, placing people at risk—even causing environmental calamities.
Yet at many manufacturers, the safety and information technology teams do not effectively collaborate. “If you discover a vulnerability in IT, you patch it and move on,” says Steve Ludwig, safety programs manager for Rockwell Automation, speaking at the 2018 Safety Leadership Conference in Louisville, Kentucky, last week. “On the [operations technology] side, that’s not the case. We need more education in the engineering community about OT risks.”
Safety-related security breaches can occur when:
Employees or contractors inadvertently plug an infected machine into the system; connect to an unsecure network; or download the wrong program.
- Disgruntled current or former employees, knowing the ins and outs of a system, break in and cause damage.
- Hackers break into an operations system for financial, competitive, or political reasons.
- State-sponsored spies target critical infrastructure and production systems to disrupt operations or steal secrets.
- Cybercriminals seek to disrupt, infect or shut down critical infrastructure, from nuclear plants to water supplies and oil refineries.
EHS, operations and IT teams should work together to identify safety data requirements for operations systems and develop a risk-management strategy for security threats and vulnerabilities, as well as their potential implications on safety. It’s up to leadership to advocate for this collaboration and make sure employees companywide understand its importance, said Ludwig.
Basic cybersecurity hygiene involves knowing your assets and their potential risks,. “Very few plants have a complete list of all of their PLCs” where they came from and how long they’ve been in operation, said Ludwig. “The focus has always been on productivity and maintaining that uptime.”
A safety assessment looks at not only standard operator functions but all human-machine interactions, including machine setup, maintenance, cleaning and sanitation, as well as training and administrative requirements. In addition, companies should expand their traditional scope of this assessment and look at potential cyberattack risk.
“With safety assessment, you’re going through the steps—what is the normal operation of that machine?” said Ludwig. “How long will that machine be safe?” With a connected enterprise, you can get information on the safety front like how often a door is opened or shut on a machine.
Ludwig asked the audience if safety was being called upon to address security at their companies, to a mixed response. One audience member commented that his plant was not addressing cybersecurity in its safety contingency plan, though there had been talk of more collaboration between IT and OT. Other safety leaders remarked that they were, intentionally or unintentionally, sometimes left out of leadership meetings about cybersecurity.