Cyber security: Common sense security for industrial engineers

Inside machines: Even the best industrial security products cannot prevent all unwanted traffic and malicious attacks to control systems; there is no such thing as a completely secure control system. Control engineers can reduce cyber incident risk by consistently investing time and effort in security measures. Cyber security advice follows.


There is no such thing as a completely secure control system. Even the best industrial products on the market cannot prevent all unwanted traffic and malicious attacks. But by investing time and effort into security measures on an ongoing basis, control engineers can significantly reduce the threat of a cyber incident. Background and practical advice follow.

Machines and other systems once enjoyed The acceptance of Ethernet, wireless, and TCP/IP for industrial communication has made it easier to design networks using products from different vendors. Yet, some of the advantages these technologies offer—they are widely known and make it possible to connect your plant floor to your office networks—also take away the inherent security automation professionals relied on for decades. 

As networks become more open and interconnected, plants are at higher risk for cyber attack than ever before. Unintentional incidents, such as a broadcast storm from a malfunctioning office device, can also pose a threat.

Control engineers got their first major wake-up call with the discovery of Stuxnet in July 2010. Thousands of articles have already been written on Stuxnet and its effect on the Iranian nuclear program. Stuxnet was the first major virus to target the industrial sector, but more recent discoveries include Nitro and Nightdragon, designed to steal sensitive data from the chemical and energy industries, and Duqu (aka “Son of Stuxnet”), which is still a mystery. Unfortunately, it is probably only a matter of time until we hear about a newer and larger threat.

Today, automation professionals realize they can no longer ignore network security. But at the same time, deciding where to start can feel like an overwhelming task. While there is no way to completely ensure the security of your control system, there are a few easy and cost-effective steps you can take almost immediately.

Choose and use passwords carefully

Passwords guard access to your data, your equipment, and your programs.  Without the use of good passwords, your network infrastructure is very vulnerable.

Passwords should be:

• Private: Don’t post your password in public places.

• Employee-only: Sometimes, multiple employees need to share a password for equipment. If one of those employees leaves the company, change the password immediately, even if the person leaves on good terms.

• Complex Your password shouldn’t be easy to guess. Don’t pick something common like “password,” “123456,” “qwerty,” or “abc123.” Your child’s name or other personal information is also a poor choice. Instead, come up with a sentence you can remember and use abbreviations to create a mnemonic device. For example, “I want to secure my control system” can become “I12sMcS.” Vary between numbers, symbols, and upper- and lowercase letters for the most security. In fact, an eight-character password with upper- and lowercase letters and numbers has more than 200 trillion possible combinations.  Adding punctuation marks increases the possibilities to more than 500 trillion. 

While some people recommend changing your password frequently, that increases your chance of forgetting it or making a typo when creating the new one. If you change your password frequently, you’re more apt to need to write it down—bringing us back to the importance of keeping your password private.

Restrict Internet access

Can your employees surf the Web from your industrial PC or HMI? When they access Facebook, check their e-mail, or otherwise access the Internet, they are opening the door to viruses and other malware.

A control device with a public-facing address is an even bigger threat. While you might enjoy the convenience of checking your HMI from the road, a hacker might enjoy the convenience of shutting down your machine at a critical time.  If your system has a public IP address that anyone can access, your system is easy to find, and therefore, generally easy to hack. To find out just how easy, visit—a site that makes it easy for hackers search for and discover PLCs, HMIs, etc., that publicly face the Internet.

A virtual private network (VPN) is a much safer choice. VPNs encrypt, or scramble, sensitive data as it traverses the Internet. They have been commonly used in the office environment for many years, but industrial networks have special requirements. An industrial VPN will have the rugged housing necessary on the factory floor and be able to operate within a wider temperature range. A VPN that is optimized for engineer programming, rather than IT “command line” programming, will also be easier to use.

USB sticks: If you must use them, take precautions

The convenience of USB sticks for transferring files has made them extremely popular. But—as Stuxnet demonstrated—they are also one of the best ways to spread malware.

The only way to completely prevent a virus from spreading through USB sticks is to ban their use on your control system. However, even if you have such a rule in place, there’s no guarantee that your employees will follow that rule. There are a few preventative steps you can take.

The first is to implement a policy that a user must run a USB stick through the IT department before using on a control system device. IT can run the USB through a series of tests to ensure that it is clean of viruses. This takes time on everybody’s part—both the user’s and the IT department’s—and it’s not foolproof. It’s also wise to disable the USB in BIOS of your control PCs.

An additional measure is the use of Common Internet File System (CIFS) Integrity Monitoring. This is an option on some firewall software programs that will alert the system owner as soon as a file is added or changed on a monitored device. The system manager programs the CIFS firewall as to which directories and/or types of files to monitor (for example, .exe and .sys). This will serve as a baseline for the CIFS monitoring.

The next time the CIFS performs a scan, it will notice if any files have been deleted, added, or otherwise changed. This will not prevent infection from occurring, but with faster notification, you can mitigate any damage.

Ongoing security

The steps outlined above are just a few basic recommendations to start the process, but there are additional steps you can take to add layers to your security. An industrial-rated firewall can filter unwanted traffic, and don’t overlook potentially unsecure wireless connections. Advanced security options can include IPS/IDS, patch management, logging and auditing system, and in-depth training for personnel.

- Dan Schaffer is business and development manager for networking and security, and Dan Fenton is product marketing specialist, control and software, both with Phoenix Contact USA; Edited by Mark T. Hoske, content manager CFE Media, Control Engineering, Plant Engineering, and Consulting-Specifying Engineer, at

Plant Safety and Security Channel:

No comments
The Top Plant program honors outstanding manufacturing facilities in North America. View the 2015 Top Plant.
The Product of the Year program recognizes products newly released in the manufacturing industries.
The Engineering Leaders Under 40 program identifies and gives recognition to young engineers who...
Safer human-robot collaboration; 2017 Maintenance Survey; Digital Training; Converting your lighting system
IIoT grows up; Six ways to lower IIoT costs; Six mobile safety strategies; 2017 Salary Survey
2016 Top Plant; 2016 Best Practices on manufacturing progress, efficiency, safety
Future of oil and gas projects; Reservoir models; The importance of SCADA to oil and gas
Big Data and bigger solutions; Tablet technologies; SCADA developments
SCADA at the junction, Managing risk through maintenance, Moving at the speed of data
What controller fits your application; Permanent magnet motors; Chemical manufacturer tames alarm management; Taking steps in a new direction
Commissioning electrical systems; Designing emergency and standby generator systems; Paralleling switchgear generator systems
Package boilers; Natural gas infrared heating; Thermal treasure; Standby generation; Natural gas supports green efforts

Annual Salary Survey

Before the calendar turned, 2016 already had the makings of a pivotal year for manufacturing, and for the world.

There were the big events for the year, including the United States as Partner Country at Hannover Messe in April and the 2016 International Manufacturing Technology Show in Chicago in September. There's also the matter of the U.S. presidential elections in November, which promise to shape policy in manufacturing for years to come.

But the year started with global economic turmoil, as a slowdown in Chinese manufacturing triggered a worldwide stock hiccup that sent values plummeting. The continued plunge in world oil prices has resulted in a slowdown in exploration and, by extension, the manufacture of exploration equipment.

Read more: 2015 Salary Survey

Maintenance and reliability tips and best practices from the maintenance and reliability coaches at Allied Reliability Group.
The One Voice for Manufacturing blog reports on federal public policy issues impacting the manufacturing sector. One Voice is a joint effort by the National Tooling and Machining...
The Society for Maintenance and Reliability Professionals an organization devoted...
Join this ongoing discussion of machine guarding topics, including solutions assessments, regulatory compliance, gap analysis...
IMS Research, recently acquired by IHS Inc., is a leading independent supplier of market research and consultancy to the global electronics industry.
Maintenance is not optional in manufacturing. It’s a profit center, driving productivity and uptime while reducing overall repair costs.
The Lachance on CMMS blog is about current maintenance topics. Blogger Paul Lachance is president and chief technology officer for Smartware Group.
This digital report will explore several aspects of how IIoT will transform manufacturing in the coming years.
Motion control advances and solutions can help with machine control, automated control on assembly lines, integration of robotics and automation, and machine safety.
This article collection contains several articles on preventing compressed air leaks and centrifugal air compressor basics and best practices for the "fifth utility" in manufacturing plants.
Maintenance Manager; California Oils Corp.
Associate, Electrical Engineering; Wood Harbinger
Control Systems Engineer; Robert Bosch Corp.
click me