Bringing better IT security to the plant floor

Excerpted from the white paper, “Increasing Plant Floor Security Today” by Rockwell Automation, Milwaukee, WI.

Our needs and capabilities for sharing information with others are expanding exponentially. From e-commerce drivers, to communications with the supply chain and other partners, our intellectual property is getting more exposure, while at the same time being more and more core to our competitive advantage.

Technologies like the Internet and wireless continue to tempt us with their promises of connectivity. Even our devices on the plant floor offer web services to outside consumers of information. Lean initiatives have increased the risks of disruption and the accompanying missed opportunity costs that breaches may bring.

THEN
NOW

Operating Systems
Proprietary
Open

Data Communication
Proprietary
Standard Protocols

Information Flow
Segmented
Integrated

Computing Solutions
Monolithic
Modular

Architecture
Closed
Open

Users
Internal
External

The government, through Homeland Security, is reinforcing the needs of security in its defined critical infrastructure, which includes many industries utilizing industrial automation control systems.

Gas & Oil Storage/Delivery

Water Supply System

Banking & Finance

Transportation

Electrical Energy

Telecommunications

Emergency Services

Government Operations

During the past several years, risks have increased because process automation systems that support the manufacturing enterprise have evolved from isolated, proprietary networks and operating systems to interconnected systems of modular computing/control platforms. These interconnected systems are using open architectures and standard protocols to facilitate interoperability with corporate networks and applications, which is a huge advantage for today’s supply chain solutions, but also increases the risk and exposure to industry.

E-business brings with it some key security drivers like:

Authorization: Who are you and are you allowed access?

Authentication: What are you allowed to do and from where are you allowed to do it?

Availability: Can you do what you need to do, when you want to do it?

Non-repudiation: Can we prove you did it? For regulated industries, non-repudiation is critical for tracking changes to individuals.

Privacy: Can we protect your data?

IT evolution and integration across supply chain and enterprise has tremendous advantages, but with increased risk and exposure.

Security Is About Managing Risk

In general, you only need to protect things that have value to your business and you should only apply protection in proportion to the value of the item. This is a very important concept, having too much security creates an unnecessary expense and causes decreased accessibility to those that are authorized to get access. You need to evaluate and balance the level of exposure with the criticality of what is being protected. We should be less concerned with a security breach gaining access to our Kindergarten grades than we would with our current medical or financial records.

In some industries, the barriers are very high to be able to physically get at the factory automation. In those cases, a user has been authenticated and achieved a level of trust just by simply being there, and therefore should only require very low-level barriers to gain quick operator access. In other industries there are no walls and the control items are distributed in the field in plain site of the world (real or cyber). In such industries as these a different approach would seem more reasonable, where strong authentication and authorization technology should be deployed at each control item.

Example: When an employee is working from his home office, it is good security policy to prevent him from accessing the corporate IT network if he enters his password incorrectly three times in a row. This is “good”. On the other hand, do you want to prevent an operator inside a nuclear reactor from shutting down the runaway reactor if he enters his password incorrectly three times? This is “bad”.

The difference between these examples is that the employee working from home is outside the corporate firewall and performing non-essential operations. The operator of the nuclear reactor is inside the control room behind layers of physical security. Does this mean that the operator does not need to enter an appropriate password? Absolutely not! You still need to make sure the operator is authorized and trained to perform the operation and that the operation is not being performed by accident.

It is important to understand who the “enemy” is before you can build a good defense. The ARC survey shows that fully 25% of manufacturing disruptions are addressable and possibly avoidable, since 1 in 8 is caused by an employee mistake. Another 1 in 8 is deliberate and can be caused by any number of reasons (i.e. disgruntled employees or ex-employees, business competitors, hackers, vandalism, etc.). There have been many articles in the press recently about “cyber terrorism” and “cyber attacks”, but the reality is that many business disruptions are caused by people inside the plant and most IT security techniques only focus on threats from outside.

Those 25% include some scenarios like:

An angry technician blocks maintenance access to a controller in another division by changing a password

A sales manager from your competitor discovers your bid on a big RFP and substantially underbids you to win the order

A group of teenagers from China try to explore the control system on a utility grid and deface the web site

A disgruntled job-seeker turns into an eco-terrorist and manipulates the city sewage treatment plant using a laptop and a radio to release millions of gallons of untreated sewage into the surrounding area. (This last example really happened.)

What about the 75% that we haven’t addressed yet? It is very important to remember that no matter how hard you defend against a business disruption, they can and will happen! What will you do if one of these major interruptions occurs? What could we have been doing beforehand to make the recovery easier?

At the top of this list is Business Continuity & Recovery, focused on keeping a company operating, or at least getting it back to operating very quickly after a discontinuity. These discontinuities can include natural disasters, equipment failures, human error, or as in our subject here, a severe security breach.

Having started on the IT end of the enterprise, BC&R historically was used by heavily regulated industries like financial, focusing on continuity of the business systems. The Manufacturing sector, although not a dominant historical user of BC&R planning, is now starting to incorporate its industrial processes in BC plans. Security and Personal Safety are two areas that help to prevent or at least mitigate disasters and business interruptions.

Here are some key suggestions, but there are lots of others if you do a little research on the topic of Business Continuity. Like the Boy Scouts, the theme is, “Be Prepared”.

Develop Incident Response Plans to determine severity of security breach and any immediate actions

Develop Disaster Recovery/Business Continuity Plans to respond to

Severe business interruptions (Less than 50% of manufacturers have plans today.)

Periodically Backup (and secure) off-site all operational plant floor electronic data (designs, prints, tooling, programs, configurations, history and logs). You want it fresh when you need it, not a year old. Tools that are 21 CFR Part 11 compliant can help

Change management / audit trails. According to disaster recovery specialists, over 25% of companies hit by a serious crisis never resume operation. Thirty percent of companies that do initially recover fail within two years.

For full text of the report, go to www.rockwellautomation.com , or visit resource.controlengineering.com .

Do you have experience and expertise with the topics mentioned in this content? You should consider contributing to our CFE Media editorial team and getting the recognition you and your company deserve. Click here to start this process.