When worlds collide

Does a meeting of the IT group and the controls group always have to result in a collision? Can we avoid the broken glass?


Recently I attended a session with a panel of security experts who were discussing process control system security. There were quite a number of surprising revelations from this gathering, including the need to ensure that your facility’s control system isn’t found by a search engine called Shodan. It may sound like the villain of some cyberpunk novel, but it can be a real threat to the security of your control system.

I’d never heard of Shodan, so I was more than a bit taken aback that something like this existed and was regularly being used by hackers to attack industrial control systems. Hearing that the number of systems that can be found using this search engine numbers in the thousands was even more of a shock.

Having worked in this business for a very long time, I know that most of the installed control systems that I’ve been in contact with still have the default administrator’s password in place, so hearing that everyone should go back to their plants and do an audit of this vulnerability was old news. I was surprised to hear from one attendee that in his plant, all of the USB ports of the PCs used in the control system had been sealed with superglue. I’ve never seen even the most draconian IT person suggest that as a security measure.

Which brings me to the topic of this blog: the collisions that occur between the control system group and the IT group.

More often than not, when I am talking to the process controls group about expanding their controls infrastructure, their first question is if we can do it without having to engage the IT people. While they may react that way initially, it doesn't take long for them to realize that such an approach simply isn't practical. It's more important to work through conflicts over issues like security and reliability.

When I talk to the IT people, usually I hear complaints about how uninformed the process control people are about the latest technologies. The folks running the plant get especially concerned when the control system and the corporate systems have to communicate. The concern deepens when some manager wants to view control system data remotely.

A lot of the conflict comes from the need to protect the systems while still making them easy for operators to use. Unless you are in a heavily regulated industry like biotech, your plant probably has generic user names and passwords for functions like operators and technicians. You also have turned off the auto-logout feature and don’t have a requirement that passwords expire. God forbid that operators should have to log in when they start their shift. If you do have individual user names and passwords, they are probably tied to your corporate Active Directory, so if anyone is successful in hacking into that, they automatically have access to the control system. Remote access to the system is probably protected by a VPN if you’re off site, but if you’re on site, you skip that. Consequently, if someone hacks the corporate network, they’ve hacked your control network. You probably haven’t patched your software recently because, as the system manager for the control system, you’re also most likely doing a lot of other things that have a higher priority, or at least a higher priority in your mind. After all, the control system isn’t open to the Internet, and even if it is, IT should be guarding that door.

So what’s a control system manager to do to minimize the risks to his or her system? You can start by learning about ICS-CERT and what it has to offer to help you. It even offers free training via the Control Systems Security Program (CSSP). (The training is free, but travel and living costs are on you.) This includes a week-long advanced cyber security course that ends with a 12-hour exercise pitting the students against hackers. Best of all, the director of this section within Homeland Security is a former process controls engineer, not some bureaucrat who doesn’t have a clue about what we do. You should also ask your control system suppliers whether they comply with the Achilles Assurance Platform guidelines or have Achilles Certifications. Finally, you need to work through the differences between the control systems and IT people so they understand why not all good IT policies are good control system policies and vice versa. This last recommendation has to take place at a high enough level that the decisions made get implemented.

How has your company coped with this digital divide? Have you and IT made peace? If so, how did you do it?

This post was written by Bruce Brandt. Bruce is the DeltaV technology leader at MAVERICK Technologies, a leading system integrator providing industrial automation, operational support and control systems engineering services in the manufacturing and process industries. MAVERICK delivers expertise and consulting in a wide variety of areas including industrial automation controls, distributed control systems, manufacturing execution systems, operational strategy, and business process optimization. The company provides a full range of automation and controls services – ranging from PID controller tuning and HMI programming to serving as a main automation contractor. Additionally MAVERICK offers industrial and technical staffing services, placing on-site automation, instrumentation and controls engineers.
