Would you let an Information Security Consultant inside your production facilities?

Jarkko Holappa

September 16, 2016 at 10:30

Between industrial automation and traditional IT there is a void that neither side has been used to crossing. The somewhat justified view of automation experts is that IT doesn't understand the principles and limitations of the automation environment. Manufacturing equipment doesn't communicate using protocols that IT engineers understand, and the solutions offered by IT consultants may no longer be valid when moved to the production facilities. For a younger ICT practitioner, a visit to a production facility may resemble a visit to a museum of technology: technology that became outdated ages ago is still running in the factory systems, and operations count on it 24/7.

However, cooperation is needed between these areas of expertise, and integration of the environments already takes place on many levels. There will be continually more IP-based technologies, wireless networks and new devices. Nowadays, production environments are only seldom physically separated from, for example, a company's network infrastructure. And even when they are, various portable memory storage devices pose the same threats to the industrial automation environment. Windows on workstations or in data collection is not uncommon either. On the other hand, an ICT expert doesn't know industrial automation in depth, nor does such an expert have the best knowledge of the process. Therefore, in addition to an automation expert, a person responsible for maintenance as well as a process designer and a system administrator are required. Security and risk management know-how ensures that, in addition to technical solutions, the practice has been built in accordance with the identified risk profile. In this way the management also has the needed visibility into the risks in order to make investment decisions.

And the answer to the question in the title: Yes, I would, but only when escorted and after ensuring the person has all the necessary personal safety equipment and sufficient security training to allow the person to operate in the production area. This will ensure the continuity of expertise for future visits as well.

Nixu has experience and expertise in both areas: the ICT field and the security of industrial automation environments. We help our customers find reliable, secure solutions for implementing industrial Internet services. We also monitor the information security of our customers' production networks. Contact us to hear more about our services.