Cyber security: Common sense security for industrial engineers

Inside machines: Even the best industrial security products cannot prevent all unwanted traffic and malicious attacks to control systems; there is no such thing as a completely secure control system. Control engineers can reduce cyber incident risk by consistently investing time and effort in security measures. Cyber security advice follows.

05/14/2012


There is no such thing as a completely secure control system. Even the best industrial products on the market cannot prevent all unwanted traffic and malicious attacks. But by investing time and effort into security measures on an ongoing basis, control engineers can significantly reduce the threat of a cyber incident. Background and practical advice follow.

Machines and other systems once enjoyed The acceptance of Ethernet, wireless, and TCP/IP for industrial communication has made it easier to design networks using products from different vendors. Yet, some of the advantages these technologies offer—they are widely known and make it possible to connect your plant floor to your office networks—also take away the inherent security automation professionals relied on for decades. 

As networks become more open and interconnected, plants are at higher risk for cyber attack than ever before. Unintentional incidents, such as a broadcast storm from a malfunctioning office device, can also pose a threat.

Control engineers got their first major wake-up call with the discovery of Stuxnet in July 2010. Thousands of articles have already been written on Stuxnet and its effect on the Iranian nuclear program. Stuxnet was the first major virus to target the industrial sector, but more recent discoveries include Nitro and Nightdragon, designed to steal sensitive data from the chemical and energy industries, and Duqu (aka “Son of Stuxnet”), which is still a mystery. Unfortunately, it is probably only a matter of time until we hear about a newer and larger threat.

Today, automation professionals realize they can no longer ignore network security. But at the same time, deciding where to start can feel like an overwhelming task. While there is no way to completely ensure the security of your control system, there are a few easy and cost-effective steps you can take almost immediately.

Choose and use passwords carefully

Passwords guard access to your data, your equipment, and your programs.  Without the use of good passwords, your network infrastructure is very vulnerable.

Passwords should be:

• Private: Don’t post your password in public places.

• Employee-only: Sometimes, multiple employees need to share a password for equipment. If one of those employees leaves the company, change the password immediately, even if the person leaves on good terms.

• Complex Your password shouldn’t be easy to guess. Don’t pick something common like “password,” “123456,” “qwerty,” or “abc123.” Your child’s name or other personal information is also a poor choice. Instead, come up with a sentence you can remember and use abbreviations to create a mnemonic device. For example, “I want to secure my control system” can become “I12sMcS.” Vary between numbers, symbols, and upper- and lowercase letters for the most security. In fact, an eight-character password with upper- and lowercase letters and numbers has more than 200 trillion possible combinations.  Adding punctuation marks increases the possibilities to more than 500 trillion. 

While some people recommend changing your password frequently, that increases your chance of forgetting it or making a typo when creating the new one. If you change your password frequently, you’re more apt to need to write it down—bringing us back to the importance of keeping your password private.

Restrict Internet access

Can your employees surf the Web from your industrial PC or HMI? When they access Facebook, check their e-mail, or otherwise access the Internet, they are opening the door to viruses and other malware.

A control device with a public-facing address is an even bigger threat. While you might enjoy the convenience of checking your HMI from the road, a hacker might enjoy the convenience of shutting down your machine at a critical time.  If your system has a public IP address that anyone can access, your system is easy to find, and therefore, generally easy to hack. To find out just how easy, visit shodanhq.com—a site that makes it easy for hackers search for and discover PLCs, HMIs, etc., that publicly face the Internet.

A virtual private network (VPN) is a much safer choice. VPNs encrypt, or scramble, sensitive data as it traverses the Internet. They have been commonly used in the office environment for many years, but industrial networks have special requirements. An industrial VPN will have the rugged housing necessary on the factory floor and be able to operate within a wider temperature range. A VPN that is optimized for engineer programming, rather than IT “command line” programming, will also be easier to use.

USB sticks: If you must use them, take precautions

The convenience of USB sticks for transferring files has made them extremely popular. But—as Stuxnet demonstrated—they are also one of the best ways to spread malware.

The only way to completely prevent a virus from spreading through USB sticks is to ban their use on your control system. However, even if you have such a rule in place, there’s no guarantee that your employees will follow that rule. There are a few preventative steps you can take.

The first is to implement a policy that a user must run a USB stick through the IT department before using on a control system device. IT can run the USB through a series of tests to ensure that it is clean of viruses. This takes time on everybody’s part—both the user’s and the IT department’s—and it’s not foolproof. It’s also wise to disable the USB in BIOS of your control PCs.

An additional measure is the use of Common Internet File System (CIFS) Integrity Monitoring. This is an option on some firewall software programs that will alert the system owner as soon as a file is added or changed on a monitored device. The system manager programs the CIFS firewall as to which directories and/or types of files to monitor (for example, .exe and .sys). This will serve as a baseline for the CIFS monitoring.

The next time the CIFS performs a scan, it will notice if any files have been deleted, added, or otherwise changed. This will not prevent infection from occurring, but with faster notification, you can mitigate any damage.

Ongoing security

The steps outlined above are just a few basic recommendations to start the process, but there are additional steps you can take to add layers to your security. An industrial-rated firewall can filter unwanted traffic, and don’t overlook potentially unsecure wireless connections. Advanced security options can include IPS/IDS, patch management, logging and auditing system, and in-depth training for personnel.

- Dan Schaffer is business and development manager for networking and security, and Dan Fenton is product marketing specialist, control and software, both with Phoenix Contact USA; Edited by Mark T. Hoske, content manager CFE Media, Control Engineering, Plant Engineering, and Consulting-Specifying Engineer, at mhoske@cfemedia.com.

Plant Safety and Security Channel: http://controleng.com/safety



No comments
The Top Plant program honors outstanding manufacturing facilities in North America. View the 2013 Top Plant.
The Product of the Year program recognizes products newly released in the manufacturing industries.
The Leaders Under 40 program features outstanding young people who are making a difference in manufacturing. View the 2013 Leaders here.
The new control room: It's got all the bells and whistles - and alarms, too; Remote maintenance; Specifying VFDs
2014 forecast issue: To serve and to manufacture - Veterans will bring skill and discipline to the plant floor if we can find a way to get them there.
2013 Top Plant: Lincoln Electric Company, Cleveland, Ohio
Case Study Database

Case Study Database

Get more exposure for your case study by uploading it to the Plant Engineering case study database, where end-users can identify relevant solutions and explore what the experts are doing to effectively implement a variety of technology and productivity related projects.

These case studies provide examples of how knowledgeable solution providers have used technology, processes and people to create effective and successful implementations in real-world situations. Case studies can be completed by filling out a simple online form where you can outline the project title, abstract, and full story in 1500 words or less; upload photos, videos and a logo.

Click here to visit the Case Study Database and upload your case study.

Bring focus to PLC programming: 5 things to avoid in putting your system together; Managing the DCS upgrade; PLM upgrade: a step-by-step approach
Balancing the bagging triangle; PID tuning improves process efficiency; Standardizing control room HMIs
Commissioning electrical systems in mission critical facilities; Anticipating the Smart Grid; Mitigating arc flash hazards in medium-voltage switchgear; Comparing generator sizing software

Annual Salary Survey

Participate in the 2013 Salary Survey

In a year when manufacturing continued to lead the economic rebound, it makes sense that plant manager bonuses rebounded. Plant Engineering’s annual Salary Survey shows both wages and bonuses rose in 2012 after a retreat the year before.

Average salary across all job titles for plant floor management rose 3.5% to $95,446, and bonus compensation jumped to $15,162, a 4.2% increase from the 2010 level and double the 2011 total, which showed a sharp drop in bonus.

2012 Salary Survey Analysis

2012 Salary Survey Results

Maintenance and reliability tips and best practices from the maintenance and reliability coaches at Allied Reliability Group.
The One Voice for Manufacturing blog reports on federal public policy issues impacting the manufacturing sector. One Voice is a joint effort by the National Tooling and Machining...
The Society for Maintenance and Reliability Professionals an organization devoted...
Join this ongoing discussion of machine guarding topics, including solutions assessments, regulatory compliance, gap analysis...
IMS Research, recently acquired by IHS Inc., is a leading independent supplier of market research and consultancy to the global electronics industry.
Maintenance is not optional in manufacturing. It’s a profit center, driving productivity and uptime while reducing overall repair costs.
The Lachance on CMMS blog is about current maintenance topics. Blogger Paul Lachance is president and chief technology officer for Smartware Group.