Connecting such industrial systems to the internet raises important security and privacy questions, Donna Dodson, chief cyber security adviser at NIST (the US National Institute of Standards and Technology), warned during a roundtable discussion at InfoSec Europe 2014.
"In industrial systems, we have an opportunity to think more about privacy. You start building prototypes [models] of people – but when you start profiling [people] in big data, opportunities blow up. So building privacy protection is very important in smart grids."
Dodson was speaking on a panel discussion looking at the security implications of connecting industrial systems to the internet. The debate has implications beyond industrial control, since such systems are part of the internet of things.
Commenting on the risks of putting industrial control systems on the internet, she said: "Security is about people, processes and technology. We need to think about usability and make it much easier to do the right thing, harder to do the wrong thing."
In the past, industrial control systems were standalone, where an engineer would visit the system and physically plug in a laptop to manage it. But to improve efficiency such systems are increasingly being connected to the internet.
Unfortunately, it may not be easy to keep these devices secure. "Some products are not designed [for software updates], which creates an interesting conundrum in how those devices can be updated," said fellow panel member Trey Ford, global security strategist at Rapid7.
Barrie Millet, head of business resilience at E.ON, warned that strong security cannot be achieved in isolation. "As organisations start to up their game, the threats will morph, they'll change, and attackers will go down the path of least resistance. While you are looking after your own backyard, you also have to look at your overall supply chain and make sure that in your contract negotiations you have got some key clauses around how your suppliers are securing their networks and their systems, that they have to make you aware if they have any breaches, and that they are security compliant."