
Industrial automation security

Additional information

Pasi Ahonen
Senior Scientist
+358 20 722 2307

VTT offers security consulting and assessment of industrial automation systems

• information security gap identification and mapping
• recommendations for improvements
• initial plan for security improvement programs
• identification of workable best practices and policies for information security, and practical instructions for secure ways of working
• implementation support.

Industrial automation lags behind in security best practices

Information security is a relatively new topic within the realm of industrial automation. There is no single de facto standard available for the practical management of automation-related information security.

Events like the Stuxnet worm & PLC rootkit case discovered in July 2010 have raised awareness of the need for information security in the industrial control systems arena.

The lesson learned is that security cannot be assured with ad hoc or limited attention. Real security requires thorough analysis and planning, with concrete goals defined to ensure secure ways of working in all operations. Security considerations need to be included throughout the operations lifecycle and also within R&D. Any task, from material and equipment procurement to the disposal and destruction of old systems and materials, requires security attention and systematic management.

Typical focus areas in a security assessment project:

  • asset management
  • ICT system construction & removal
  • ICT system upgrading & change management
  • security-related reporting
  • construction of security zones & managing data filtering
  • access control
  • user and access rights management
  • malware protection
  • physical protection
  • backups
  • oversight of security incidents
  • recovery from failures
  • ICT system & application development and maintenance management.

By investing some effort into information security, we can:

  • support the continuation of the core business and production, and strengthen business continuity and disaster recovery planning
  • prevent information security incidents
  • prevent unwanted production stoppages & business interruption
  • be prepared to work securely in a state of emergency or during a security incident.