Cyber security for industrial assets

When it comes to securing industrial networks, policies from the enterprise (IT) and manufacturing sides can differ. Co-authors Gregory Wilcox and Dan Knight, from Rockwell Automation and Cisco Systems, respectively, give specific advice on "computer hardening" and "controller hardening" so the entire manufacturing enterprise can be protected.

08/07/2009


Modernize your cyber security. Source: Reed Business Information

The convergence of manufacturing and enterprise networks is increasing access to manufacturing data, which allows manufacturers to make better business decisions. This business agility provides a competitive edge for manufacturers that embrace convergence. However, challenges come with these opportunities - network convergence exposes manufacturing assets to security threats traditionally found in the enterprise.

Holistic Security

Protecting manufacturing assets requires a "defense-in-depth" security approach that addresses internal and external security threats. This approach uses multiple layers of defense (physical and electronic) at separate manufacturing levels by applying policies and procedures that address different types of threats. For example, multiple layers of network security protect networked assets, data and end points, and multiple layers of physical security help protect high value assets. No single technology or methodology can fully secure industrial control systems. Defense-in-depth layers for securing manufacturing assets include physical, network and application security, as well as computer and device hardening.

Achieving "defense-in-depth" requires an operational process to establish and maintain the security capability. That process includes identifying priorities, assets, and potential internal and external threats and risks; establishing requirements; understanding the required capabilities; and developing the architecture and policies.

Designing and implementing a comprehensive manufacturing security model should serve as a natural extension of the manufacturing process. Users should not implement security as a bolt-on component to the manufacturing process.

Manufacturing Security Policies

The key to a successful security strategy is understanding the potential problems that need to be solved, including what to protect and how. Establishing a security policy focused on manufacturing needs provides a roadmap for applying security technologies and best practices to protect manufacturing assets, while avoiding unnecessary expense and excessively restrictive access. Security services should not inhibit or compromise the manufacturing operation.
As defined by ISA-99, a security policy "enables an organization to follow a consistent program for maintaining an acceptable level of security." The security policy consists of physical and electronic procedures that define and constrain behaviors by personnel and components within the manufacturing system. A team consisting of IT, operations and engineering professionals should work together to define manufacturing security needs.

Security policy development starts with evaluating potential risks. Conducted by an internal or external team, the risk assessment identifies potential vulnerabilities and determines mitigations, through procedures and/or technology. For example, a procedure could restrict physical access to manufacturing systems to authorized personnel; a technology mitigation could be change management software that authenticates users and authorizes their changes.

Developing a robust and secure network infrastructure requires protecting the integrity, availability and confidentiality of control and information data. Users should address the following when developing a network:
• Is the network infrastructure resilient enough to provide data availability?
• How consistent is the data? Is it reliable?
• How is data used? Is it secure from manipulation?

IT's responsibilities include protecting company assets and intellectual property (IP). IT does this by enforcing an enterprise security policy that protects data confidentiality, integrity and availability (CIA), in that order. Manufacturing security policy enforcement is similar, but it must place continuous manufacturing operation first: it protects availability, then integrity, then confidentiality (AIC), in that order.

Enterprise and manufacturing security policies differ in terms of how they handle upgrades. For enterprise applications like operating system and application software patching as well as antivirus definition updates, users conduct upgrades as soon as possible. Applying upgrades to a running manufacturing server could disrupt operations, resulting in a production loss. Manufacturing security policies should define upgrades as a scheduled activity during manufacturing downtime.

Computer Hardening

IT best practices applied to enterprise computers also should apply to manufacturing computers. Best practices and general recommendations include:
• Keep computers up-to-date.
• Deploy and maintain antivirus software, but disable automatic updates and automatic scanning.
• Deploy and maintain antispyware software, but disable automatic updates and automatic scanning. Automatic antivirus and antispyware scanning has caused data loss and downtime at some manufacturing facilities; apply definition updates and run scans as scheduled activities during planned downtime, as with other upgrades.
• Prohibit direct internet access. Implementing a Demilitarized Zone (DMZ) provides a barrier between the Manufacturing and Enterprise Zones, but allows users to securely share data and services. All network traffic from either side of the DMZ terminates in the DMZ. Traffic does not directly travel between the Enterprise and Manufacturing Zones.
• Implement a separate Active Directory domain/forest for the Manufacturing Zone. This helps ensure availability to manufacturing assets if connectivity to the Enterprise Zone is disrupted.
• Implement the following password policy settings:
• Disable the guest account on clients and servers.
• Require that the built-
• Develop and then deploy backup and disaster recovery policies and procedures. Users should test backups on a regular schedule.
• Implement a change management system to archive network, controller and computer assets (e.g. clients, servers and applications).
• Require Control+Alt+Delete with a unique username and password to log in. Users should require domain credentials to access networked computer assets and have unique, non
• Protect unnecessary or infrequently used USB ports, parallel and serial interfaces to prevent unauthorized hardware additions (modems, printers, USB devices, etc.).
• Develop and implement a policy for guest access within the Enterprise Zone.
• Develop and implement a policy for partner access within the Manufacturing Zone.
• Uninstall Windows components, protocols and services that are not necessary to operate the manufacturing system.
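The password-policy, guest-account and Control+Alt+Delete items above can be verified from a host's exported security policy instead of by clicking through Local Security Policy on each machine. The following is an added example written for this edit, not code from the article or from Rockwell Automation or Cisco: it parses the INF file that `secedit /export /cfg <file>` writes on a Windows host and compares the [System Access] and [Registry Values] entries with a baseline. The baseline thresholds and the sample export are assumptions constructed for illustration, since the article's own settings table is not reproduced on this page.

```python
"""Audit a secedit policy export against a manufacturing-zone hardening baseline.

Input is the INF text that `secedit /export /cfg <file>` writes on a Windows
host (run as Administrator; the file is UTF-16, so open it with
encoding="utf-16" before passing it here). The baseline values below are
this example's own assumptions, not figures from the article.
"""
import configparser

# Assumed baseline for the [System Access] section. Kinds: "min" (at least),
# "eq" (exactly), "range" (inclusive low..high). LockoutBadCount of 0 means
# account lockout is disabled, so the acceptable range starts at 1.
BASELINE = {
    "MinimumPasswordLength": ("min", 8),
    "PasswordComplexity": ("eq", 1),
    "PasswordHistorySize": ("min", 10),
    "LockoutBadCount": ("range", (1, 10)),
    "ClearTextPassword": ("eq", 0),      # never store reversibly encrypted passwords
    "EnableGuestAccount": ("eq", 0),     # guest account disabled
}

# Registry-backed settings from the [Registry Values] section, stored as
# "path=type,value" (type 4 = REG_DWORD). DisableCAD=0 means Ctrl+Alt+Del is required.
REGISTRY_BASELINE = {
    r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD": 0,
}


def parse_secedit_export(text):
    """Return {section: {key: value}} from the INF export, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # registry paths must keep their case
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def _as_int(raw):
    """Parse an INF value such as ' 7' or '"0"'; None if absent or not an integer."""
    try:
        return int(raw.strip().strip('"'))
    except (AttributeError, ValueError):
        return None


def _meets(kind, want, actual):
    if kind == "min":
        return actual >= want
    if kind == "eq":
        return actual == want
    low, high = want
    return low <= actual <= high


def audit(text):
    """Return a list of (setting, actual, expected) findings; empty means compliant."""
    sections = parse_secedit_export(text)
    access = sections.get("System Access", {})
    registry = sections.get("Registry Values", {})
    findings = []

    for key, (kind, want) in BASELINE.items():
        actual = _as_int(access.get(key))
        if actual is None or not _meets(kind, want, actual):
            findings.append((key, actual, f"{kind} {want}"))

    for path, want in REGISTRY_BASELINE.items():
        raw = registry.get(path)
        # Value is "<type>,<data>"; a missing entry means the policy was never set.
        actual = _as_int(raw.split(",", 1)[1]) if raw and "," in raw else None
        if actual != want:
            findings.append((path.rsplit("\\", 1)[-1], actual, f"eq {want}"))

    return findings


# Constructed sample export (not taken from a real host): a typical default
# build that fails the assumed baseline in four places.
SAMPLE_EXPORT = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
ClearTextPassword = 0
EnableGuestAccount = 1
NewGuestName = "Guest"
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
"""

if __name__ == "__main__":
    for setting, actual, expected in audit(SAMPLE_EXPORT):
        print(f"FAIL {setting}: actual={actual}, expected {expected}")
```

Run the export on each manufacturing-zone client and server during a maintenance window and feed the files to `audit`; a non-empty result is a deviation to fix or to document as an accepted exception. Because the Manufacturing Zone uses its own Active Directory domain (see above), the domain-level password policy must be checked there too, not inherited from the enterprise forest.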

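The DMZ rule stated in the hardening list, that traffic from either side terminates in the DMZ and never flows directly between the Enterprise and Manufacturing Zones, is easy to state and easy to break with one careless access-list entry. The following check is an added example for this edit, not part of the article or of the Rockwell Automation/Cisco reference architectures; the zone address ranges, the rule tuple format and the sample rule set are assumptions constructed for illustration.

```python
"""Flag firewall rules that let traffic bypass the Enterprise/Manufacturing DMZ.

Rule being enforced: every permitted flow from the Enterprise or Manufacturing
Zone must terminate in the DMZ; nothing is permitted directly between the two.
Zone address ranges and the rule format are this example's assumptions.
"""
import ipaddress

# Assumed address plan (hypothetical).
ZONES = {
    "enterprise": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.168.100.0/24"),
    "manufacturing": ipaddress.ip_network("172.16.0.0/12"),
}

# Constructed rule set as (action, source, destination, destination port),
# loosely modelled on an access list; "any" means 0.0.0.0/0, None means any port.
RULES = [
    ("permit", "10.0.0.0/8", "192.168.100.10/32", 443),       # enterprise -> DMZ historian
    ("permit", "172.16.0.0/12", "192.168.100.10/32", 1433),   # manufacturing -> DMZ historian
    ("permit", "10.20.0.0/16", "172.16.5.0/24", 44818),       # engineering LAN straight to PACs
    ("permit", "any", "192.168.100.20/32", 3389),             # RDP to a DMZ jump host
    ("permit", "172.16.0.0/12", "any", 80),                   # plant floor to "any"
    ("deny", "any", "any", None),
]


def zones_of(cidr):
    """Names of every zone a prefix overlaps; 'any' overlaps all of them."""
    net = ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)
    return {name for name, zone in ZONES.items() if net.overlaps(zone)}


def crosses_dmz(rule):
    """True when a permit rule can carry a packet Enterprise <-> Manufacturing directly."""
    action, src, dst, _port = rule
    if action != "permit":
        return False
    src_zones, dst_zones = zones_of(src), zones_of(dst)
    return (("enterprise" in src_zones and "manufacturing" in dst_zones)
            or ("manufacturing" in src_zones and "enterprise" in dst_zones))


def find_bypasses(rules):
    """Return the rules, in order, that violate the DMZ termination requirement."""
    return [rule for rule in rules if crosses_dmz(rule)]


if __name__ == "__main__":
    for action, src, dst, port in find_bypasses(RULES):
        print(f"BYPASS: {action} {src} -> {dst} port {port if port is not None else 'any'}")
```

The check deliberately ignores rule order, so a broad permit shadowed by an earlier deny is still reported; treat a hit as something to explain, not automatically a defect. It also says nothing about whether DMZ hosts themselves relay traffic: a proxy or historian in the DMZ that answers enterprise queries with data it collected from the plant is the intended path, whereas a routed hop through the DMZ is not.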
Controller Hardening

Users can secure Rockwell Automation Logix programmable automation controllers (PACs) by physical procedure, electronic design, authentication and authorization software, and change management with disaster recovery software. Best practices and general recommendations include:
• Physical procedure: Restrict control panel access to authorized personnel, by access procedures or by locking the panels. Switching the PAC key switch to "RUN" prevents remote programming, including a remote firmware flash that could corrupt the PAC; program or configuration changes then require a physical key change at the PAC, so unauthorized access (intentional or unintentional) cannot alter the PAC until the key switch is moved out of "RUN."
• Electronic design: Implementing the PAC CPU Lock feature denies front port access to the PAC, which prevents configuration changes.
• Authentication, authorization and audit by implementing FactoryTalk
• Change Management with disaster recovery: FactoryTalk

About the Authors:
Gregory Wilcox, business development manager, Rockwell Automation, and Dan Knight, industry solutions manager, Cisco Systems, work together to aid manufacturers with manufacturing-IT convergence. Together, Rockwell Automation and Cisco have released reference architectures and embarked on a series of market education activities, reaching more than 8,000 stakeholders on four continents to date. Additionally, Rockwell Automation and Cisco have jointly delivered infrastructure products that directly address the widespread network convergence activities in manufacturing and IT organizations.

 
