Ethernet Advanced Physical Layer (Ethernet-APL) products are entering the market and pushing Internet protocol (IP) networks down to field device levels. Packet-based IP networks can transmit more data than traditional sensor-level (fieldbus) networks, and offer more functions and visibility to Ethernet-APL devices. Nearly all networks, including the Internet, use packet-based communications, and their vulnerabilities extend to other network layers, where they can have potentially devastating effects beyond simply needing to reformat personal devices.
Joe Weiss, managing partner at Applied Control Solutions, and an ISA Fellow specializing in cybersecurity, has been concerned about Level 0 vulnerabilities for many years. He writes about it in his “Unfettered” blog, which covers fieldbus and wireless sensor networks. Bringing packet-level communications further into operational technology (OT) requires appropriate cybersecurity practices, such as those defined in IEC 62443. Fortunately, organizations responsible for developing and maintaining wired and wireless sensor-level networks actively work to address security concerns at these network levels.
Several useful documents on industrial automation security are available from the Industrial Ethernet Security Harmonization Group (IESHG). IESHG members include major standards development organizations, such as OPC Foundation, Profibus-Profinet International, ODVA and FieldComm Group. OPC UA Security Model (IEC 62541-2) and OPC UA Role-Based Security (IEC 62541-18) are both at the committee draft for vote (CDV) stage in their development processes, and have 1Q25 publication target dates.
ISA-84, under Weiss’ guidance, also has a task force looking at the issue of sensor-level security.
Though it may appear that standards are stifling product launches, this isn’t the case. By the time a standard reaches CDV, it’s approximately 90% complete. And since many organizations supplying Ethernet-APL products are also active on international standards committees, the timing of these products coming to market and security standards supporting their use are usually well-aligned.
Furthermore, the timing for releasing these standards is fortuitous because regulations are being promulgated to require increased security for any device connecting to a network. The European Union (EU) is first. The European Parliament’s Network and Information Security (NIS2) directive was approved by its council of ministers on Nov. 10, 2022, published in the EU’s official journal on Dec. 27, 2022, and took effect on Jan. 16, 2023. Implementation occurs in stages with full compliance required by October 2027.
NIS2 requires operators of public or private entities to implement appropriate security tools to protect their systems from cyberattacks, and applies to essential and important facilities, including companies operating in critical infrastructures, such as electricity/gas generation, power storage and transmission, transportation on water, roads and rails, drinking water and wastewater facilities. It also includes digital infrastructure. Essential facilities are selected from a list of seven sectors, including production and distribution of food and chemicals, electrical equipment and machinery.
NIS2 is supported by the Cyber Resilience Act that addresses two major areas:
- Lack of cybersecurity of products with digital elements, which is reflected by widespread vulnerabilities, and insufficient and inconsistent provision of security updates to address them; and
- Insufficient understanding and access to information by users, preventing them from choosing products with adequate cybersecurity or the know-how to use them securely.
Examples of products with digital elements include end devices (industrial control systems, laptops, smartphones, sensors, cameras, smart robots, routers and switches), software (firmware and operating systems) and components (computer processing units and software libraries).
Similar regulations are in development in other jurisdictions, including the U.S., and that development is mostly done by government entities.
As with other technologies, security is a two-edged sword. The same is true of the enhanced capabilities of IP-based, sensor-level networks. It will be possible to access orders of magnitude more data, and respond proactively to incidents before they can escalate to impact safety, reliability and production. However, these new capabilities come with increased complexity, including cybersecurity risks that must be managed. It’s our responsibility as automation practitioners to implement security measures in our facilities, while minimizing or hiding the associated complexities from the users of our “magic.”