This news release falls clearly into the category of Duh!!!
Human social engineering and humans gaining unauthorized access while serving as contractors and the like have long been known to be a cybersecurity risk. But, I’m happy to note that an august group has perceived the obvious.
The Industrial Security Harmonization Group (ISHG) has released a joint industry perspective highlighting a critical truth in industrial cybersecurity: secure communication is not determined by protocols alone, but by how they are deployed and managed in real-world environments.
Or, maybe, it’s along the lines of “it’s not all our fault?”
The ISHG—comprising leading industry organizations including the FieldComm Group, ODVA, OPC Foundation, and PROFIBUS & PROFINET International—collaborates regularly to align security concepts across Ethernet and non-Ethernet communication protocol technologies. Their shared mission is to reduce complexity for end users and promote consistent, effective cybersecurity practices in industrial automation systems.
I once sat at an industrial communication organization meeting where an end-user pleaded for application guidelines. He was studiously ignored.
Industrial communication protocols serve as the backbone of modern automation, enabling seamless connectivity between devices, systems, and applications across both process and factory environments. However, many widely used protocols were originally developed without cybersecurity as a primary design consideration.
The ISHG's joint perspective now emphasizes a more practical and realistic approach:
- Security is context-dependent — It relies on how protocols are configured, where they are deployed, and the surrounding operational environment.
- Built-in security features are not sufficient alone — Even advanced protocols require correct implementation and maintenance.
- Compensating controls are essential — Network architecture, segmentation (zones and conduits), monitoring, and physical safeguards play a critical role, especially for legacy and non-Ethernet systems.




