Cyber security: Common sense security for industrial engineers

Inside machines: Even the best industrial security products cannot prevent all unwanted traffic and malicious attacks to control systems; there is no such thing as a completely secure control system. Control engineers can reduce cyber incident risk by consistently investing time and effort in security measures. Cyber security advice follows.


There is no such thing as a completely secure control system. Even the best industrial products on the market cannot prevent all unwanted traffic and malicious attacks. But by investing time and effort into security measures on an ongoing basis, control engineers can significantly reduce the threat of a cyber incident. Background and practical advice follow.

Machines and other systems once enjoyed The acceptance of Ethernet, wireless, and TCP/IP for industrial communication has made it easier to design networks using products from different vendors. Yet, some of the advantages these technologies offer—they are widely known and make it possible to connect your plant floor to your office networks—also take away the inherent security automation professionals relied on for decades. 

As networks become more open and interconnected, plants are at higher risk for cyber attack than ever before. Unintentional incidents, such as a broadcast storm from a malfunctioning office device, can also pose a threat.

Control engineers got their first major wake-up call with the discovery of Stuxnet in July 2010. Thousands of articles have already been written on Stuxnet and its effect on the Iranian nuclear program. Stuxnet was the first major virus to target the industrial sector, but more recent discoveries include Nitro and Nightdragon, designed to steal sensitive data from the chemical and energy industries, and Duqu (aka “Son of Stuxnet”), which is still a mystery. Unfortunately, it is probably only a matter of time until we hear about a newer and larger threat.

Today, automation professionals realize they can no longer ignore network security. But at the same time, deciding where to start can feel like an overwhelming task. While there is no way to completely ensure the security of your control system, there are a few easy and cost-effective steps you can take almost immediately.

Choose and use passwords carefully

Passwords guard access to your data, your equipment, and your programs.  Without the use of good passwords, your network infrastructure is very vulnerable.

Passwords should be:

• Private: Don’t post your password in public places.

• Employee-only: Sometimes, multiple employees need to share a password for equipment. If one of those employees leaves the company, change the password immediately, even if the person leaves on good terms.

• Complex Your password shouldn’t be easy to guess. Don’t pick something common like “password,” “123456,” “qwerty,” or “abc123.” Your child’s name or other personal information is also a poor choice. Instead, come up with a sentence you can remember and use abbreviations to create a mnemonic device. For example, “I want to secure my control system” can become “I12sMcS.” Vary between numbers, symbols, and upper- and lowercase letters for the most security. In fact, an eight-character password with upper- and lowercase letters and numbers has more than 200 trillion possible combinations.  Adding punctuation marks increases the possibilities to more than 500 trillion. 

While some people recommend changing your password frequently, that increases your chance of forgetting it or making a typo when creating the new one. If you change your password frequently, you’re more apt to need to write it down—bringing us back to the importance of keeping your password private.

Restrict Internet access

Can your employees surf the Web from your industrial PC or HMI? When they access Facebook, check their e-mail, or otherwise access the Internet, they are opening the door to viruses and other malware.

A control device with a public-facing address is an even bigger threat. While you might enjoy the convenience of checking your HMI from the road, a hacker might enjoy the convenience of shutting down your machine at a critical time.  If your system has a public IP address that anyone can access, your system is easy to find, and therefore, generally easy to hack. To find out just how easy, visit—a site that makes it easy for hackers search for and discover PLCs, HMIs, etc., that publicly face the Internet.

A virtual private network (VPN) is a much safer choice. VPNs encrypt, or scramble, sensitive data as it traverses the Internet. They have been commonly used in the office environment for many years, but industrial networks have special requirements. An industrial VPN will have the rugged housing necessary on the factory floor and be able to operate within a wider temperature range. A VPN that is optimized for engineer programming, rather than IT “command line” programming, will also be easier to use.

USB sticks: If you must use them, take precautions

The convenience of USB sticks for transferring files has made them extremely popular. But—as Stuxnet demonstrated—they are also one of the best ways to spread malware.

The only way to completely prevent a virus from spreading through USB sticks is to ban their use on your control system. However, even if you have such a rule in place, there’s no guarantee that your employees will follow that rule. There are a few preventative steps you can take.

The first is to implement a policy that a user must run a USB stick through the IT department before using on a control system device. IT can run the USB through a series of tests to ensure that it is clean of viruses. This takes time on everybody’s part—both the user’s and the IT department’s—and it’s not foolproof. It’s also wise to disable the USB in BIOS of your control PCs.

An additional measure is the use of Common Internet File System (CIFS) Integrity Monitoring. This is an option on some firewall software programs that will alert the system owner as soon as a file is added or changed on a monitored device. The system manager programs the CIFS firewall as to which directories and/or types of files to monitor (for example, .exe and .sys). This will serve as a baseline for the CIFS monitoring.

The next time the CIFS performs a scan, it will notice if any files have been deleted, added, or otherwise changed. This will not prevent infection from occurring, but with faster notification, you can mitigate any damage.

Ongoing security

The steps outlined above are just a few basic recommendations to start the process, but there are additional steps you can take to add layers to your security. An industrial-rated firewall can filter unwanted traffic, and don’t overlook potentially unsecure wireless connections. Advanced security options can include IPS/IDS, patch management, logging and auditing system, and in-depth training for personnel.

- Dan Schaffer is business and development manager for networking and security, and Dan Fenton is product marketing specialist, control and software, both with Phoenix Contact USA; Edited by Mark T. Hoske, content manager CFE Media, Control Engineering, Plant Engineering, and Consulting-Specifying Engineer, at

Plant Safety and Security Channel:

The Top Plant program honors outstanding manufacturing facilities in North America. View the 2015 Top Plant.
The Product of the Year program recognizes products newly released in the manufacturing industries.
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
Pipe fabrication and IIoT; 2017 Product of the Year finalists
The future of electrical safety; Four keys to RPM success; Picking the right weld fume option
A new approach to the Skills Gap; Community colleges may hold the key for manufacturing; 2017 Engineering Leaders Under 40
Control room technology innovation; Practical approaches to corrosion protection; Pipeline regulator revises quality programs
The cloud, mobility, and remote operations; SCADA and contextual mobility; Custom UPS empowering a secure pipeline
Infrastructure for natural gas expansion; Artificial lift methods; Disruptive technology and fugitive gas emissions
Power system design for high-performance buildings; mitigating arc flash hazards
VFDs improving motion control applications; Powering automation and IIoT wirelessly; Connecting the dots
Natural gas engines; New applications for fuel cells; Large engines become more efficient; Extending boiler life

Annual Salary Survey

Before the calendar turned, 2016 already had the makings of a pivotal year for manufacturing, and for the world.

There were the big events for the year, including the United States as Partner Country at Hannover Messe in April and the 2016 International Manufacturing Technology Show in Chicago in September. There's also the matter of the U.S. presidential elections in November, which promise to shape policy in manufacturing for years to come.

But the year started with global economic turmoil, as a slowdown in Chinese manufacturing triggered a worldwide stock hiccup that sent values plummeting. The continued plunge in world oil prices has resulted in a slowdown in exploration and, by extension, the manufacture of exploration equipment.

Read more: 2015 Salary Survey

Maintenance and reliability tips and best practices from the maintenance and reliability coaches at Allied Reliability Group.
The One Voice for Manufacturing blog reports on federal public policy issues impacting the manufacturing sector. One Voice is a joint effort by the National Tooling and Machining...
The Society for Maintenance and Reliability Professionals an organization devoted...
Join this ongoing discussion of machine guarding topics, including solutions assessments, regulatory compliance, gap analysis...
IMS Research, recently acquired by IHS Inc., is a leading independent supplier of market research and consultancy to the global electronics industry.
Maintenance is not optional in manufacturing. It’s a profit center, driving productivity and uptime while reducing overall repair costs.
The Lachance on CMMS blog is about current maintenance topics. Blogger Paul Lachance is president and chief technology officer for Smartware Group.
The maintenance journey has been a long, slow trek for most manufacturers and has gone from preventive maintenance to predictive maintenance.
This digital report explains how plant engineers and subject matter experts (SME) need support for time series data and its many challenges.
This digital report will explore several aspects of how IIoT will transform manufacturing in the coming years.
Maintenance Manager; California Oils Corp.
Associate, Electrical Engineering; Wood Harbinger
Control Systems Engineer; Robert Bosch Corp.
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
click me