Cyber security for industrial assets

When it comes to securing industrial networks, policies from the enterprise (IT) and manufacturing sides can differ. Co-authors Gregory Wilcox and Dan Knight, from Rockwell Automation and Cisco Systems, respectively, give specific advice on "computer hardening" and "controller hardening" so the entire manufacturing enterprise can be protected.


Modernize your cyber security. Source: Reed Business Information

The convergence of manufacturing and enterprise networks is increasing access to manufacturing data, which allows manufacturers to make better business decisions. This business agility provides a competitive edge for manufacturers that embrace convergence. However, challenges come with these opportunities - network convergence exposes manufacturing assets to security threats traditionally found in the enterprise.

Holistic Security

Protecting manufacturing assets requires a "defense-in-depth" security approach that addresses internal and external security threats. This approach uses multiple layers of defense (physical and electronic) at separate manufacturing levels by applying policies and procedures that address different types of threats. For example, multiple layers of network security protect networked assets, data and end points, and multiple layers of physical security help protect high value assets. No single technology or methodology can fully secure industrial control systems. Defense-in-depth layers for securing manufacturing assets include physical, network and application security, as well as computer and device hardening.

In achieving a "defense-in-depth" approach, an operational process is required to establish and maintain the security capability. A security operational process includes identifying priorities, assets, potential internal and external threats and risks, establishing requirements, understanding required capabilities, as well as developing architecture and policies.

Designing and implementing a comprehensive manufacturing security model should serve as a natural extension to the manufacturing process. Users should not implement security as a bolt-on component to the manufacturing process

Manufacturing Security Policies

The key to a successful security strategy is understanding the potential problems that need to be solved, including what to protect and how. Establishing a security policy focused on manufacturing needs provides a roadmap for applying security technologies and best practices to protect manufacturing assets, while avoiding unnecessary expenses and excessive restrictive access. Security services should not inhibit nor compromise the manufacturing operation.
As defined by ISA-99, a security policy "enables an organization to follow a consistent program for maintaining an acceptable level of security." The security policy consists of physical and electronic procedures that define and constrain behaviors by personnel and components within the manufacturing system. A team consisting of IT, operations and engineering professionals should work together to define manufacturing security needs.

Security policy development starts with evaluating potential risks. Conducted by either an internal or external team, the risk assessment process identifies potential vulnerabilities and determines mitigation techniques through procedures and/or technology. For example, a procedure could restrict physical manufacturing systems access to authorized personnel. Technology mitigation techniques could involve changing management software to authorize and authenticate user credentials.

Developing a robust and secure network infrastructure requires protecting the integrity, availability and confidentiality of control and information data. Users should address the following when developing a network:
• Is the network infrastructure resilient enough to provide data availability?
• How consistent is the data? Is it reliable?
• How is data used? Is it secure from manipulation?

IT responsibilities include protecting company assets and intellectual property (IP). IT accomplishes this by implementing an enterprise security policy enforcement to protect data confidentiality, integrity and availability (CIA) - in that order. Although similarities exist for manufacturing security policy enforcement, it must place continuous manufacturing operation as top priority. Manufacturing security policy enforcement protects data availability, integrity and then confidentiality (AIC) - in that order.

Enterprise and manufacturing security policies differ in terms of how they handle upgrades. For enterprise applications like operating system and application software patching as well as antivirus definition updates, users conduct upgrades as soon as possible. Applying upgrades to a running manufacturing server could disrupt operations, resulting in a production loss. Manufacturing security policies should define upgrades as a scheduled activity during manufacturing downtime.

Computer Hardening

IT best practices applied to enterprise computers also should apply to manufacturing computers. Best practices and general recommendations include:
• Keep computers up-
• Deploy and maintain antivirus software, but disable automatic updates and automatic scanning.
• Deploy and maintain antispyware software, but disable automatic updates and automatic scanning. Automatic antivirus and antispyware scanning has caused data loss and downtime at some manufacturing facilities.
• Prohibit direct internet access. Implementing a Demilitarized Zone (DMZ) provides a barrier between the Manufacturing and Enterprise Zones, but allows users to securely share data and services. All network traffic from either side of the DMZ terminates in the DMZ. Traffic does not directly travel between the Enterprise and Manufacturing Zones.
• Implement a separate Active Directory domain/forest for the Manufacturing Zone. This helps ensure availability to manufacturing assets if connectivity to the Enterprise Zone is disrupted.
• Implement the following password policy settings:

• Disable the guest account on clients and servers.
• Require that the built-
• Develop and then deploy backup and disaster recovery policies and procedures. Users should test backups on a regular schedule.
• Implement a change management system to archive network, controller and computer assets (e.g. clients, servers and applications).
• Using Control+Alt+Delete along with a unique username and password to login. Users should require domain credential to access networked computer assets and have unique, non
• Protect unnecessary or infrequently used USB ports, parallel and serial interfaces to prevent unauthorized hardware additions (modems, printers, USB devices, etc.).
• Develop and implement a policy for guest access within the Enterprise Zone.
• Develop and implement a policy for partner access within the Manufacturing Zone.
• Uninstall the unused Windows components, protocols and services not necessary to operate the manufacturing system.

Controller Hardening

Users can secure Rockwell Automation Logix programmable automation controllers (PAC) by physical procedure, electronic design, authentication and authorization software as well as change management with disaster recovery software. Best practices and general recommendations include:
• Physical procedure: This restricts control panel access only to authorized personnel. Users can accomplish this by implementing access procedures or locking the panels. Switching the PAC key to "RUN" prevents remote programming, including remote firmware flash that could corrupt the PAC. To allow program configuration changes, this requires a physical key change at the PAC. Unauthorized access (intentional or unintentional) could not alter the PAC until the key switch is changed from "RUN."
• Electronic design: Implementing the PAC CPU Lock feature denies front port access to the PAC, which prevents configuration changes.
• Authentication, authorization and audit by implementing FactoryTalk
• Change Management with disaster recovery: FactoryTalk

About the Authors:
Gregory Wilcox, business development manager, Rockwell Automation and Dan Knight, industry solutions manager, Cisco Systems , work together to aid manufacturers with manufacturing-IT convergence. Together, Rockwell Automation and Cisco released reference architectures and embarked on a series of market education activities, reaching more than 8,000 stakeholders on four continents to date. Additionally, Rockwell Automation and Cisco delivered jointly collaborated on infrastructure products that directly address the widespread network convergence activities in manufacturing and IT organizations.


Related news:

Rockwell Automation/Cisco Systems: Customer needs pave Ethernet's way from factory floor to executive suite


No comments
The Top Plant program honors outstanding manufacturing facilities in North America. View the 2013 Top Plant.
The Product of the Year program recognizes products newly released in the manufacturing industries.
The Engineering Leaders Under 40 program identifies and gives recognition to young engineers who...
The true cost of lubrication: Three keys to consider when evaluating oils; Plant Engineering Lubrication Guide; 11 ways to protect bearing assets; Is lubrication part of your KPIs?
Contract maintenance: 5 ways to keep things humming while keeping an eye on costs; Pneumatic systems; Energy monitoring; The sixth 'S' is safety
Transport your data: Supply chain information critical to operational excellence; High-voltage faults; Portable cooling; Safety automation isn't automatic
Case Study Database

Case Study Database

Get more exposure for your case study by uploading it to the Plant Engineering case study database, where end-users can identify relevant solutions and explore what the experts are doing to effectively implement a variety of technology and productivity related projects.

These case studies provide examples of how knowledgeable solution providers have used technology, processes and people to create effective and successful implementations in real-world situations. Case studies can be completed by filling out a simple online form where you can outline the project title, abstract, and full story in 1500 words or less; upload photos, videos and a logo.

Click here to visit the Case Study Database and upload your case study.

Maintaining low data center PUE; Using eco mode in UPS systems; Commissioning electrical and power systems; Exploring dc power distribution alternatives
Synchronizing industrial Ethernet networks; Selecting protocol conversion gateways; Integrating HMIs with PLCs and PACs
Why manufacturers need to see energy in a different light: Current approaches to energy management yield quick savings, but leave plant managers searching for ways of improving on those early gains.

Annual Salary Survey

Participate in the 2013 Salary Survey

In a year when manufacturing continued to lead the economic rebound, it makes sense that plant manager bonuses rebounded. Plant Engineering’s annual Salary Survey shows both wages and bonuses rose in 2012 after a retreat the year before.

Average salary across all job titles for plant floor management rose 3.5% to $95,446, and bonus compensation jumped to $15,162, a 4.2% increase from the 2010 level and double the 2011 total, which showed a sharp drop in bonus.

2012 Salary Survey Analysis

2012 Salary Survey Results

Maintenance and reliability tips and best practices from the maintenance and reliability coaches at Allied Reliability Group.
The One Voice for Manufacturing blog reports on federal public policy issues impacting the manufacturing sector. One Voice is a joint effort by the National Tooling and Machining...
The Society for Maintenance and Reliability Professionals an organization devoted...
Join this ongoing discussion of machine guarding topics, including solutions assessments, regulatory compliance, gap analysis...
IMS Research, recently acquired by IHS Inc., is a leading independent supplier of market research and consultancy to the global electronics industry.
Maintenance is not optional in manufacturing. It’s a profit center, driving productivity and uptime while reducing overall repair costs.
The Lachance on CMMS blog is about current maintenance topics. Blogger Paul Lachance is president and chief technology officer for Smartware Group.