According to Steve Brambley, deputy director of GAMBICA, the new group already has 19 members and came about as a result of feedback from other group members suggesting that this is an area of increasing interest to the automation industry.
“I put out a proposal to GAMBIA’s membership and within hours got messages back from about 15 member companies saying they were definitely interested in participating in such a group,” reveals Brambley. “We had an exploratory meeting where it was determined that the industry is interested in spreading best practice among both vendors and their customer base.
“Defence-in-depth is what is needed; because there is no single solution to industrial network security – it is systematic. Industrial network system security is just part of the wider topic of security and needs to be integrated, not treated separately. There is no point in having an uncrackable password protection system if people write them on sticky notes and put them on their screens.”
Brambley points out that industrial networks are rarely managed in the same way as enterprise networks, and fall under different areas of responsibility in a business. Office applications are typically managed by an IT department using its approved security software, standards and codes of practice, while the industrial side tends to be looked after by an engineering department without necessarily involving the IT team.
For example, it is not uncommon for a PC controlling a manufacturing cell to be running a very old version of Windows, such as NT or XP without an internet connection.
“At some point later in its life, the engineering department may decide it wants to connect some manufacturing cells to get production information out onto the IT network,” add Brambley. “This can introduce vulnerability if the cells are managed by a PC with an old version of Windows that has not been updated.
“Industrial network systems need to be dealt with differently from IT networks in a business.
“Communications need to be continuous and without glitch for monitoring a fast process, whether the controlled process is food, oil, metalworking, paper or anything else.
“This is different to an enterprise IT environment, where it does not matter if a PC takes a few seconds to update and the user can’t access a Word document during that time!”
Brambley concludes that security measures need to recognise the needs of the system and that the automation industry has a part to play as the experts in integrating their own systems into a wider security policy. They need a voice and a presence to tackle these issues and GAMBICA’s new group will aim to provides this.