Agility is one of the buzzwords of Industry 4.0. Many chemical companies are trying to make not only their teams, but also their organization, production and plants agile. This calls for new approaches to IT management in production-related areas – especially closer cooperation between all parties involved.
According to the so-called Agile Manifesto, the top maxim of agility is “early and continuous delivery”. This poses new challenges for all participants and systems. They must show a greater willingness to be flexible, focus on regular, short periods of adaptation and drive new processes.
Although the density of IT components per space may be even higher than in a typical office, depending on the level of automation, these components are usually inconspicuous and unnoticed in OT infrastructures. For several decades, IT has only served the purpose of controlling the mechanical part, which is involved in filling a product, for example. With topics and marketing terms such as Industry 4.0, IoT or Big Data, a noticeable awareness of these OT devices has emerged, especially in the last ten years, and a rethink is taking place. Increasing networking creates new opportunities, but also brings with it some risks, especially in the area of IT security. In the control system area, protocol changes, e.g. between the control system and operating level, are a relatively simple requirement, which, if poorly implemented, can complicate work processes in daily operation or make them practically unusable.
In greenfield projects, experienced engineers will have to be brought on board as early as the planning stage of new production facilities, halls and plants. They must have the technical background in IT, be familiar with the threats and requirements of IT security and be able to assess and evaluate risks, but also take into account the maintenance requirements for operation over the next ten to twenty years. Implementing a process in a technically secure manner does not necessarily mean that it can be easily adhered to in daily work. If the process is not fixed and easy to use, loopholes and workarounds are always sought to implement the required activities as quickly and easily as possible.
Providing a control system with operating system or software updates not only means bringing the patches to the operating level via several protocol changes and making them available, but also not disturbing the smooth operation. It must be possible to use planned or unplanned maintenance windows spontaneously – ideally by a machine operator or control station staff. Such processes can also be scripted and partially automated with a great deal of effort, but this leads to isolated knowledge of individual persons and procedures that are difficult to understand.
Furthermore, such a procedure also raises the question of the security of necessary access data. These are partly stored in plain text in such scripts and are thus a possibility for potential attackers to spread further in the infrastructure in case of an emergency. With a standard solution such as ondeso SR, however, such processes can be planned and securely implemented by plant engineers and/or IT, so that they are well documented, traceable and maintainable at all times and can be used by the operating personnel as required without a great deal of prior knowledge.
An even greater challenge than the greenfield, however, will be posed by brownfield plants in the coming years. Many of the processes that have been developed, implemented and improved in IT cleanrooms for more than 30 years are simply not or only partially realizable because they were not taken into account when planning the facility. The endpoints in the form of industrial PCs, HMIs, PLCs, sensors and actuators need to be maintained and cared for in the same way as the mechanical parts they serve. Only once you have a complete overview of all existing components and their current status you can begin to identify actual threats, evaluate risks and derive protective measures from them.
Such a catalogue of measures is the basis for helping those involved to implement and manage OT throughout its life cycle. An example of a measure in this regard is the frequently required protocol changes between the individual levels, which are currently implemented by necessity using insecure data transfer protocols such as http or ftp, since old devices would no longer support encryption with current standards – such as TLS 1.2 – at all.
With ondeso SR the data can be provided process-independently in the individual sub-areas by optionally allowing individual, newer devices to take over the data distribution. This enables the change to current protocols such as sftp, https or ssh, whereby encrypted data transmission at the zone boundaries provides additional security. It is always important to avoid “security through obscurity” and, in line with Kerckhoff’s principle, to keep the key secret instead of forcing the secrecy of the encryption algorithm.
The Agile Manifesto states that “the best architectures, requirements and designs are created by self-organized teams”. However, for such a team to be self-organized, the tasks and responsibilities must be clearly defined. A maintenance engineer cannot be responsible for the functioning of a system if an essential part is withheld from him and controlled by other parts of the organization. How should he ensure operation if he does not know when the OT components will receive updates or other “maintenance work” is due?
The core competencies of functioning IT processes and their definition, on the other hand, lie in the IT departments of companies. For them, it goes without saying that patches have to be tested, regular backups have to be made for disaster recovery, data has to be stored redundantly and so on. In a production environment, it is not possible to determine when the systems are ready for such measures by looking at fixed maintenance windows. Instead, those responsible must use spontaneous failures for upcoming activities or take short-term production adjustments into account.
In addition to pure knowledge, operators need the right tools to be able to react to these requirements in a very timely manner. The Agile Manifesto states: “Build projects around motivated individuals. Give them the environment and support they need and trust that they will get the job done”. If you know what assets you have, what protection goals you want to achieve and how, and how tasks and roles are distributed and responsibilities are assigned, you can then start looking for the “right” tools to provide optimal implementation support for this specific purpose.
Since the firewall does not protect against viruses, the virus scanner does not contribute to the stability and performance of the system, and system hardening is not a solution for an unstable network, the maintenance engineer will also need software specially developed for him in future. This will enable him to keep an eye on all systems in their current operating state at all times, to implement the defined specifications of the central IT and IT security and, in an emergency, to react independently and promptly in order to avoid major damage.
This article by ondeso was also published on 19.05.2020 in the German specialist magazine “CHEMIE TECHNIK” published by Hüthig. One focus of this issue is the topic “Process IT”.
Would you like to learn more? Do not hesitate to contact us, we will be happy to help you.
Here you will find an overview of our products and solutions.
Here you can learn more about our company and our expertise as a pioneer and market leader.