Protecting your operational integrity
By Clemens Blum
New, powerful, and capable industrial control systems and software solutions have created more opportunities for manufacturers to pursue and achieve greater levels of efficiency, performance, and profitability. Businesses now have more data to measure and analyze, as well as more opportunities to use that data to drive efficiency. This greater interconnectivity between systems and software has also enabled producers to be more agile, particularly in reacting to changing business variables and process conditions.
But these new offerings and capabilities have also created new business vulnerabilities. As manufacturers apply these technologies, they must ensure they are not jeopardizing the operational integrity of the plant. Operational integrity is simply the unhindered ability of the system and plant to remain sound and to continue production. In other words, operational integrity means safely and securely mitigating and eliminating threats to business continuity, while meeting or exceeding production targets.
Producers are correctly looking at the promise new technologies bring, namely the ability to use real-time information to better understand their resources, improve how they control costs and business variables, and increase their profitability. The need for real-time operational data to achieve this “promise” has propagated the use of commercial off-the-shelf information technology solutions in industrial environments and shifted the industry toward “connected” network solutions. Now with the Internet of Things, big data, and other emerging trends, connectivity has reached a new level of focus in the discussion, as well as in investments. Because almost everything can be connected to anything from anywhere at any time—at a low cost—new opportunities for improving business processes and performance seem unlimited. For example, at its Rabigh, Saudi Arabia, refinery complex, Rabigh Refining & Petrochemical Company implemented a plant information management system, fully and tightly integrated with its control, SAP, and other production and corporate business applications, to optimize output, improve quality, and increase overall business performance. The solution covers the entire refinery and petrochemical complex comprising 23 plants.
But regardless of what that new technology and better connectivity promise for improving business performance, eliminating and responding to potential risks to operational integrity must continue to be the number one priority. Control systems, especially in the continuous process industries, are critical, not just for driving efficiency and ensuring there is no loss of production, but also for ensuring the safety of the company’s assets, people, and environment. Off-the-shelf solutions and higher, more frequent interconnectivity have increasingly exposed industrial control systems to malware and security threats that traditionally target commercial systems. For example, since the Shamoon attack, the preferred target for cybercriminals seems to be the energy sector, where incidents have increased 52 percent since 2012.
Therefore, when deciding when and how to implement or upgrade an industrial control system, the focus cannot be entirely on how newer technology helps achieve production goals. Companies must investigate and understand which layers of protection wrap the system, and how many. Those safeguards will enable everyone in a plant to fulfill their roles more effectively. People on the process-connected side of the system will be better able to do their jobs, while those on the control-room side will be able to concentrate on operational performance, without worrying about risks to the integrity of the system.
Secure operating platforms must be delivered with policy, procedure, and layered technical controls to create a “defense-in-depth” model. To handle the new challenges of an even more interconnected world, cybersecurity must be considered first, not as an afterthought. Although the promise of connectivity is great, so is the threat. This is the reason plant and operations managers, especially in critical industries, must ask how any new or upgraded system is protected and what impact the upgrades might have on the security of their operation before they even look at how the solution will increase and improve efficiency.
As industry end users explore and take advantage of new interconnected technology, they can no longer just talk about security. While many threats to plant assets, people, and the environment are external and beyond the plant’s control (such as natural disasters), many threats are within the plant’s control. Taking active, specific measures to manage technology upgrades and ensure control systems are cybersecure is the first step to protecting the operational integrity of the business.