This story is about us! Rockwell Automation, Inc. is a global leader in industrial automation and digital transformation. We connect the imaginations of people with the potential of technology to expand what is humanly possible, making the world more productive and more sustainable.
- Achieve 62443-3-3 operational technology security certification
- Document the process and make it a service that we can deliver repeatedly to customer manufacturing facilities worldwide
- Risk Assessment
- PlantPAx® Distributed Control System
- Manufacturing OT Cyber Security Design & Implementation
- Achieved the industry’s first plant-wide 62443-3-3 operational technology certification
- Deepened relationship with certification agency TÜV Rheinland and gained expertise about meeting certification requirements
- Improved ability to drive cybersecurity internally as well as for customer manufacturing facilities worldwide
We’re proud to announce that our Milwaukee manufacturing facility has recently been named the industry’s first IEC 62443-certified industrial operations facility.
“This certification confirms to customers that when they buy something from us, it is made in a plant that uses secure manufacturing processes,” says Heath Bewley, Security System Manager, Office of Product Safety & Security. “It also represents our understanding of the importance of cybersecurity for manufacturing facilities. By achieving this certification, we are not only securing our own manufacturing, but we are demonstrating to customers that we can secure theirs as well.”
Challenge
Cyberattacks on industrial organizations are relentless and increasingly sophisticated, and the ever-evolving compliance landscape can make it hard for organizations to stay compliant with regulations.
Achieving the IEC 62443-3-3 certification was a team effort and a comprehensive response to the growing number of cyberattacks targeting industrial organizations. The reality for organizations in the industrial space—including our own organization—is “not if, but when” a cyberattack will occur.
Alongside partners like Cisco, Claroty, and Dragos, and through the acquisition of Avnet, Oylo & Verve Industrial Protections, we have been providing OT and IT cybersecurity support for industrial organizations for years. We deeply understand the unique challenges of protecting OT environments. And, within our own manufacturing facilities, we face the same challenges as our customers.
Rockwell Automation was driven to pursue the IEC 62443-3-3 certification to adapt to the growing threat and compliance landscape for our own safety and for the safety of our customers.
Solution
Like any industry ‘first’, the road to IEC 62443-3-3 certification was not a simple one. It required a concerted effort from various teams in Rockwell Automation.
At first, we were challenged with where to start. We had to address several complexities: flat networks, legacy technologies, and non-standard security procedures. A lesson we learned early on was the importance of connecting the right players within the company: our Chief Information Security Office, Office of Product Safety & Security, Integrated Supply Chain, and Lifecycle Services teams.
Pursuing the certification began years ago when we launched a risk assessment to identify gaps in the OT cybersecurity strategy. Bewley says, “We performed more than a vulnerability assessment. It was a full-plant OT risk assessment.”
An effective cyber risk assessment analyzes environmental and operational factors such as infrastructure age and stage, financial and staff resources, downtime costs, the impact of a breach on customers or public safety, cybersecurity attack trends, and existing protections. Only after a full assessment has been performed can an informed plan for risk mitigation be developed and implemented.
After identifying gaps, we analyzed the requirements of the IEC 62443-3-3 certification and built out a test plan to determine how to meet them. We built a test lab to deploy our PlantPAx® distributed control system across operations in our Milwaukee facility. PlantPAx 5.0 system architectures are TÜV certified to the international standard ISA-99/IEC 62443-3-3, which provides guidance on the implementation of an electronically secured system. With this digital twin-esque approach, we gained evidence of the efficacy of our plan to achieve certification.
This testing environment is active and serves as a valuable tool for helping our customers perform their own testing. They trust our testing environment because they know that Rockwell Automation uses it, too.
Result
These efforts culminated in the Rockwell Automation Milwaukee facility becoming the first in the industrial operations space to achieve a plant-wide IEC 62443-3-3 certification, following 62443-2-1. John Schilling, Senior Manager, ISC Security and Risk Management, says, “This certification gives us credibility as an OT security leader, as well as proof that our products, services, and partners can help customers along their own journey.” He also notes, “Every plant becomes a showcase of our cyber portfolio and shows our customers that we put into practice what we sell.”
The certification has a tangible impact on supply chain operations, too. Bob Buttermore, SVP, Chief Supply Chain Officer, says, “Resilient end-to-end supply chain operations are a key pillar of our strategic framework, and our cybersecurity is a key component. We strive to produce secure products without disruption, deliver orders on time...and generate revenue that our shareholders can count on.”
Looking ahead, Rockwell Automation isn’t stopping with this certification. Bewley says, “We’re not just standing still. We’re planning additional security deployments to increase our security capabilities.”
Rockwell Automation cyber and cyber-adjacent teams will continue to work together closely to secure our Connected Enterprise® and help customers across the industrial operations industry achieve cyber-secure plants.
Published April 16, 2024