Industrial Security supporting ­digitalization in the cement industry

The toughest climate challenges involve large ­global industries, with no efficient substitutes. One of these produces the material literally under our feet – concrete. The key ingredient in concrete is Portland cement. The total Portland cement volume – making up about 20 % of the concrete by weight (the other main ingredients are sand, aggregate and water) – has more than tripled in the last 20 years (a growth rate of close to 6 % per year), most of the growth being in China.

The global cement industry today is facing drastic challenges and changes. Not only does the environmental impact challenge the industry, but also international competition and technology trends form the cement industry as well.

Amongst other things, cement producers are looking for higher productivity, lower production cost, improved decision support and enhanced safety as well as IT security.

New information technology (IT) together with well-established electrification and automation could support the cement producer in overcoming the drastic challenges and changes.

Already 25 years ago the Siemens Cement Department introduced concepts for “Multimedia, Networking, Internet – and more”. The industry has talked about “Totally Integrated Solution” (TIA), Information Technology (IT) and Networking for the last 15 years.

Today, this aspects are named “Digitalization” or “Industrie 4.0” or “Internet of Things”.

Information technology (IT) is extremely innovative and continuously offers new functions and features.

Most of the trends today come from the private sector. For us it is quite normal to book a taxi via the Internet, download music and ­ebooks, monitor and control the temperature of your house from a distance. Fitness tracker and apps are very popular nowadays. The private person uses them for condition tracking and professional athletes cannot imagine being successful in inter­national competition without them.

The Internet has revolutionized our private behavior already and is entering the industrial ­sector. The cement industry is also concerned. Following the major trends is essential to survive in  ­today’s industrial world. Or would you like to be unprofessional and fall behind?

With totally integrated automation and further digitalization the complete workflow can be monitored and optimized, from crusher to dispatch and from the field level to the incorporation of the corporate management level. The heart of this type of monitoring and optimization process is the comprehensive automation system. Process automation systems like the Siemens Cemat based on Simatic PCS 7 have already been on the market for   more than 40 years. The proven concept and comprehensive experience over the last half century is the cornerstone for further digitalization.

The underlying de facto heartbeat to keep these processes up and running is of course consistent and reliable DATA. The amount of data has increased dramatically in the last decades and will further increase over the coming years.

With any data driven environment, the inherent concern for cyber security (or IT security) plays a crucial part in day to day operations therefore also in the cement industry.

As an example, as per the 2017 Verizon Data Breach Report, a total of 624 incidents with 124 data breaches were reported in the manufacturing sector alone. While this number may seem small when looking at the entire manufacturing landscape, we should note that these were the “reported” incidents. Many times, the operator recognizes and fixes a breach, but these are left unreported. Also, the extent of the breach is often undisclosed.

In 2016, financial and espionage were still the top two motives combining to account for 93 % of breaches.

Attacks like Stuxnet or Shamoo provide evidence that all systems are vulnerable when attackers have the needed resources, skills, and sufficient time. From a risk perspective, Stuxnet provides a metric on the high end of the risk scale. This risk level is not new – we have always known it was possible – but the Stuxnet event transformed this ultimate risk from a remote possibility to something very real. Consequently, it eliminated arguments that we do not have to consider this level of risk.

Another comparison with the last reports has shown a downtick in the percentage of breaches involving external actors, which causes a ­corresponding increase in internal actors. In absolute numbers, however, breaches driven by internal parties have remained relatively constant, with an increase of around 12 %. In an up-to-date security concept the internal actor has to be considered as well. A plant operator has steadily to ask how easy is it to use own hardware e.g. USB stick or computers. Could somebody on the night-shift use the plant control station for private use e.g. games? Are all my passwords secure and according to the latest cyber security regulation?

Sometimes these questions are easy to answer, but sometimes there are surprises to be discovered.

An example of implementation is “Whitelisting” which is often used in process driven manufacturing environments. The concept of “whitelisting” comes from authorized access. However in this case, access is not personnel related, but for data and applications. Only approved and authorized applications are permitted to gain access to the control environment, whereas unapproved applications are blocked. For cement plants in particular, due to the vast prior experience of Siemens in these ­environments, the whitelisting process has been established, proven, solidified and streamlined along the way.

Across the industry, suppliers are adding and improving processes, strengthening partnerships, and adding products to help high-risk customers improve their security position.

The Siemens Plant Security Services (PSS) has the know-how for securing the processes and mitigating any inherent risks that can and may exist in these environments.

The mantra of the Siemens Plant Security portfolio is broken down into three major components – Assess Security, Implement Security and Manage Security. While these main topics are quite comprehensive within themselves with each having their own process and application specific offerings, the combined integration leads to the common theme of “Protecting Productivity”.

For example, with a detailed risk and vulnerability assessment, the cyber threats to a specific cement plant environment are identified. The “Assess Security” report provides recommendations including segmentation into zones and security cells, the security of data communication devices and user authentication, and secure communication, to name a few.

The measures required are then compiled in an action plan (roadmap) showing how the security status of a plant can be raised to a new, higher level.

The next step is “Implement Security” proposed to close the gaps identified. Resources encompassing both hardware (such as firewalls) and software (such as anti-virus and whitelisting) are available for this purpose. Also included are clear instructions and guidelines on IT security. Ultimately, security solutions can only work properly if employees have been educated and trained accordingly. Employee awareness and understanding should be promoted continuously through workshops, web-based training or equivalent measures.

The “Managed Security” portfolio provides real time threat detection and monitoring of day to day operations and alerts the monitored site in the event of any cyber-attacks or threats, thus preventing the cement manufacturing operations from any unwanted process disruptions.

The “Industrial Security Monitoring” (ISM) is one of the portfolio elements offered by the Siemens Plant Security group. Functions of such an “Industry Security Monitoring” are as follows:

A decentralized data collector is placed on the network perimeter of the environment which focusses on collecting and aggregating data from all data dependent devices in that environment. These chunks of data are then sent up to a centralized data receiver which analyzes and correlates the various pieces of information to recognize and/or detect any malicious traffic that may pose a risk to that specific monitored facility . Any “cause for concern” is then reported on a real-time basis to the concerned party.

In addition, Siemens has obtained a cyber­security certification from TÜV SÜD, a German inspection and certification organization, for an automation system based on IEC 62443-4-1 and IEC 62443-3-3. As part of the certification TÜV SÜD tested and verified the security functions implemented in the Simatic PCS 7 process control system, a system that controls and monitors continuous manufacturing processes, such as those in cement plants. With this certificate, Siemens has documented its security approach to automation products showing integrators and operators some of its industrial security measures.

What can be expected in future? The innovation will not come to a stop. Hardware will continue to become less expensive, but more intelligent. Software functionality will increase and become more powerful. In cooperation between digitalization provider and end-user it should be continuously determined how to best utilize the increasing computer power and hosted services over the internet. Shying away from these developments on security grounds alone is no solution, as this course would result in steadily decreasing competitiveness. Defending against threats and attacks is consequently a fundamental prerequisite for the digital transformation. Cement companies with all associated corporations (e.g. concrete mixing plant, stone quarries) would be well advised to conduct a careful review of their data security situation.

//www.siemens.com/cement" target="_blank" >www.siemens.com/cement:www.siemens.com/cement