Digital Security & Off-the-Shelf Solutions

Security Yokogawa

Security has been an embedded driver in the process industry for several decades. Since the first fence was erected around a production facility, or the first night watchman toured a buildings premises to restrict access and prevent deliberate or inadvertent consequences, security has played an important role in the respective business.

Physical security has grown and become more complex to combat the evolving threats in the world today, and growth is unlikely to slow as new threats continue to emerge. The cost to defend, protect and secure increases as threats evolve, and businesses struggle with the challenge of keeping abreast of the evolving threats as they change.

Today we are accustomed to the growing presence of physical security as it threads its way through our lives. We are, however, less familiar with the hidden intrusions that happen on a digital level, but the deliberate or inadvertent consequences can be said to be even higher due to the growth in digitization, and the act of protecting ourselves against such intrusions is becoming more important; now commonly known as Digital Security.

Rapid Growth in Technology

Over the past two decades we have seen exponential growth of technology enter our lives and businesses. This growth was brought about by three major points:

  •  Moore’s Law:  allowing technology to constantly evolve
  • Parkinson’s Law: that can be related to data expanding to fill the available space or processing power; and
  • Competition: Rapidly falling costs and increased availability and falling costs

Moore’s law refers to an observation made by Intel co-founder Gordon Moore in 1965. He noticed that the number of transistors per square inch on integrated circuits had doubled every year since their invention. Moore predicted that this trend would continue into the future, allowing technology to constantly evolve, which is obviously true up to today.

Cyril Parkinson, a British historian, first observed a trend during his time with the British Civil Service that “Work expands so as to fill the time available for its completion” – this concept can be applied to several areas and has come to be known as Parkinson’s Law. Relating to data: data expands to fill the available space or processing power allotted to it.

In economics, the theory of supply and demand has been proven true: as supply increases demand decreases, and prices drop. As technology improves and becomes more widely available to everyone, people are willing to pay less and prices drop significantly.

All three of the points stated above lead to lower entry points (barriers) for newer technologies. As technological advances become easier, and more people (and companies) join the game, there is a tendency for customers to gravitate to the latest available technology as it is assumed to be the best. As people gravitate to the newest technologies, they leap over solution-updates that have already been proven, leading to cheaper updates overall. Generally, the mindset is: if we see a new technologywe want it now.

As a consequence, information is traveling faster than ever before and our leaders no longer have a time buffer built into their decision making. Furthermore, if a major incident were to occur, information is readily available to the public and the sharing of this information drives public opinion almost immediately. The world has seen the effects of this several times in our recent history, resulting in crippled companies and toppled governments.

Improve Digital Safety In Parallel with Operational Safety

Traditionally, operating companies place great emphasis on safety in their corporate culture. When compared to most other industries, operating companies go the extra-extra mile and build sophisticated remote monitoring centers to provide guidance and oversight to their employees working offshore, in an effort to prevent even the smallest incident. However, the Deepwater Horizon (Transocean/BP) accident in 2010 clearly demonstrated how an unintended accident can occur at anytime, and how the impact of such an event, to a community and company, can be catastrophic.

By incorporating these remote monitoring centers, safety is improved but the company’s digital footprint grows significantly which adds risk to another area, in that it enhances the exposure to possible cyber-intrusion. As a result, it is a necessity to create a safe and predictable work environment by improving Digital Safety in parallel with safety in operations, at every production facility.

Off-the-Shelf Solutions

Due to the fact that Digital Security is now an absolute necessity, process control systems are directed towards utilizing commercial off-the-shelf (COTS) components to acquire improve capabilities and reduce costs. While the use of COTS brings various merits, it has also introduced its own set of security problems.

Control systems are expected to operate over the span of production facility (20 to 25 years) and have extremely high availability. In contrast, the COTS components of the system are subject to a much wider market audience that drives rapid obsolescence and increases exposure to widespread attacks as techniques become more sophisticated each year. As a result, the security measures installed at the beginning of a systems lifecycle may not be sufficient to prevent the attacks deeper into the plant lifecycle.

In other words, as the control system ages it may be increasingly difficult to install and maintain the latest security recommendations and maintain the appropriate level of safety, resulting in increased systems exposure. Moreover, even if the control system is able to be updated, without the appropriate testing, the risk of an unintended trip increases.

COTS components are constantly changing and improving; if plants do not upgrade often (which can be costly and inconvenient) they are at significant risk..

COTS components will remain as a integral part of the process control system and vendors are taking measures to integrate security into their designs and system lifecycle. These include:

Description Response
Following recognized international standards  Design Preventative
Embedding security into the design of the process control system Design Preventative
Partnering with COTS suppliers to provide an integrated hardened solution which has an obsolescence lifecycle relevant to the respective industry Design Preventative
Building systems architectures around a defense in depth philosophy Design Preventative
Incorporating security as a key engineering discipline when building the system Design Preventative
Existing infrastructure assessment surveys Service Analysis
Provide integrated services that are aimed at continued prevention, detection and isolation across system and the COTS components Service Preventative
On-going testing and backwards assurance against the latest known threats Service Preventative
Security Response Assistance Service Analysis Reactive


Much like the physical security provided at production facilities, there is a cost associated with each of the activities outlined above.

First, there is an infrastructure cost that lays a foundation to build on, much like the physical barriers built around our refineries and power plants today. In the case of retro-fitting to an existing facility without disrupting production, the cost can be high. However, when security is designed to meet the specifications of a new facility, the costs are much lower. Much like security officers that patrols the physical barriers and screen visitors at our operating facilities each day, there is a maintenance cost as well. 

Like our physical security, the investment in digital security is a function of what we are trying to protect and the exposure if breached. It is not only a necessity to have digital security, but to also be keep abreast of the changes and threats that effect such security systems, and update our systems accordingly. The cost and inconvenience level may seem high, but the repercussions that can result in neglecting these security measure may be irreparable if they were to occur.

If you enjoyed this article you may also enjoy: SecureIT - Basic Cyber Defense

Feel free to leave us a comment below!