Bringing better IT security to the plant floor

Excerpted from the white paper, "Increasing Plant Floor Security Today" by Rockwell Automation, Milwaukee, WI. Our needs and capabilities for sharing information with others are expanding exponentially. From e-commerce drivers, to communications with the supply chain and other partners, our intellectual property is getting more exposure, while at the same time being more and more core to our co...


Excerpted from the white paper, "Increasing Plant Floor Security Today" by Rockwell Automation, Milwaukee, WI.

Our needs and capabilities for sharing information with others are expanding exponentially. From e-commerce drivers, to communications with the supply chain and other partners, our intellectual property is getting more exposure, while at the same time being more and more core to our competitive advantage.

Technologies like the Internet and wireless continue to tempt us with their promises of connectivity. Even our devices on the plant floor offer web services to outside consumers of information. Lean initiatives have increased the risks of disruption and the accompanying missed opportunity costs that breaches may bring.

Operating SystemsProprietaryOpen
Data CommunicationProprietaryStandard Protocols
Information FlowSegmentedIntegrated
Computing SolutionsMonolithicModular

The government, through Homeland Security, is reinforcing the needs of security in its defined critical infrastructure, which includes many industries utilizing industrial automation control systems.

  • Gas & Oil Storage/Delivery

  • Water Supply System

  • Banking & Finance

  • Transportation

  • Electrical Energy

  • Telecommunications

  • Emergency Services

  • Government Operations

    • During the past several years, risks have increased because process automation systems that support the manufacturing enterprise have evolved from isolated, proprietary networks and operating systems to interconnected systems of modular computing/control platforms. These interconnected systems are using open architectures and standard protocols to facilitate interoperability with corporate networks and applications, which is a huge advantage for today's supply chain solutions, but also increases the risk and exposure to industry.

      E-business brings with it some key security drivers like:

      Authorization: Who are you and are you allowed access?

      Authentication: What are you allowed to do and from where are you allowed to do it?

      Availability: Can you do what you need to do, when you want to do it?

      Non-repudiation: Can we prove you did it? For regulated industries, non-repudiation is critical for tracking changes to individuals.

      Privacy: Can we protect your data?

      IT evolution and integration across supply chain and enterprise has tremendous advantages, but with increased risk and exposure.

      Security Is About Managing Risk

      In general, you only need to protect things that have value to your business and you should only apply protection in proportion to the value of the item. This is a very important concept, having too much security creates an unnecessary expense and causes decreased accessibility to those that are authorized to get access. You need to evaluate and balance the level of exposure with the criticality of what is being protected. We should be less concerned with a security breach gaining access to our Kindergarten grades than we would with our current medical or financial records.

      In some industries, the barriers are very high to be able to physically get at the factory automation. In those cases, a user has been authenticated and achieved a level of trust just by simply being there, and therefore should only require very low-level barriers to gain quick operator access. In other industries there are no walls and the control items are distributed in the field in plain site of the world (real or cyber). In such industries as these a different approach would seem more reasonable, where strong authentication and authorization technology should be deployed at each control item.

      Example: When an employee is working from his home office, it is good security policy to prevent him from accessing the corporate IT network if he enters his password incorrectly three times in a row. This is "good". On the other hand, do you want to prevent an operator inside a nuclear reactor from shutting down the runaway reactor if he enters his password incorrectly three times? This is "bad".

      The difference between these examples is that the employee working from home is outside the corporate firewall and performing non-essential operations. The operator of the nuclear reactor is inside the control room behind layers of physical security. Does this mean that the operator does not need to enter an appropriate password? Absolutely not! You still need to make sure the operator is authorized and trained to perform the operation and that the operation is not being performed by accident.

      It is important to understand who the "enemy" is before you can build a good defense. The ARC survey shows that fully 25% of manufacturing disruptions are addressable and possibly avoidable, since 1 in 8 is caused by an employee mistake. Another 1 in 8 is deliberate and can be caused by any number of reasons (i.e. disgruntled employees or ex-employees, business competitors, hackers, vandalism, etc.). There have been many articles in the press recently about "cyber terrorism" and "cyber attacks", but the reality is that many business disruptions are caused by people inside the plant and most IT security techniques only focus on threats from outside.

      Those 25% include some scenarios like:

      • An angry technician blocks maintenance access to a controller in another division by changing a password

      • A sales manager from your competitor discovers your bid on a big RFP and substantially underbids you to win the order

      • A group of teenagers from China try to explore the control system on a utility grid and deface the web site

      • A disgruntled job-seeker turns into an eco-terrorist and manipulates the city sewage treatment plant using a laptop and a radio to release millions of gallons of untreated sewage into the surrounding area. (This last example really happened.)

        • What about the 75% that we haven't addressed yet? It is very important to remember that no matter how hard you defend against a business disruption, they can and will happen! What will you do if one of these major interruptions occurs? What could we have been doing beforehand to make the recovery easier?

          At the top of this list is Business Continuity & Recovery, focused on keeping a company operating, or at least getting it back to operating very quickly after a discontinuity. These discontinuities can include natural disasters, equipment failures, human error, or as in our subject here, a severe security breach.

          Having started on the IT end of the enterprise, BC&R historically was used by heavily regulated industries like financial, focusing on continuity of the business systems. The Manufacturing sector, although not a dominant historical user of BC&R planning, is now starting to incorporate its industrial processes in BC plans. Security and Personal Safety are two areas that help to prevent or at least mitigate disasters and business interruptions.

          Here are some key suggestions, but there are lots of others if you do a little research on the topic of Business Continuity. Like the Boy Scouts, the theme is, "Be Prepared".

          • Develop Incident Response Plans to determine severity of security breach and any immediate actions

          • Develop Disaster Recovery/Business Continuity Plans to respond to

          • Severe business interruptions (Less than 50% of manufacturers have plans today.)

          • Periodically Backup (and secure) off-site all operational plant floor electronic data (designs, prints, tooling, programs, configurations, history and logs). You want it fresh when you need it, not a year old. Tools that are 21 CFR Part 11 compliant can help

          • Change management / audit trails. According to disaster recovery specialists, over 25% of companies hit by a serious crisis never resume operation. Thirty percent of companies that do initially recover fail within two years.

Top Plant
The Top Plant program honors outstanding manufacturing facilities in North America.
Product of the Year
The Product of the Year program recognizes products newly released in the manufacturing industries.
System Integrator of the Year
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
September 2018
2018 Engineering Leaders under 40, Women in Engineering, Six ways to reduce waste in manufacturing, and Four robot implementation challenges.
GAMS preview, 2018 Mid-Year Report, EAM and Safety
June 2018
2018 Lubrication Guide, Motor and maintenance management, Control system migration
August 2018
SCADA standardization, capital expenditures, data-driven drilling and execution
June 2018
Machine learning, produced water benefits, programming cavity pumps
April 2018
ROVs, rigs, and the real time; wellsite valve manifolds; AI on a chip; analytics use for pipelines
Spring 2018
Burners for heat-treating furnaces, CHP, dryers, gas humidification, and more
August 2018
Choosing an automation controller, Lean manufacturing
September 2018
Effective process analytics; Four reasons why LTE networks are not IIoT ready

Annual Salary Survey

After two years of economic concerns, manufacturing leaders once again have homed in on the single biggest issue facing their operations:

It's the workers—or more specifically, the lack of workers.

The 2017 Plant Engineering Salary Survey looks at not just what plant managers make, but what they think. As they look across their plants today, plant managers say they don’t have the operational depth to take on the new technologies and new challenges of global manufacturing.

Read more: 2017 Salary Survey

The Maintenance and Reliability Coach's blog
Maintenance and reliability tips and best practices from the maintenance and reliability coaches at Allied Reliability Group.
One Voice for Manufacturing
The One Voice for Manufacturing blog reports on federal public policy issues impacting the manufacturing sector. One Voice is a joint effort by the National Tooling and Machining...
The Maintenance and Reliability Professionals Blog
The Society for Maintenance and Reliability Professionals an organization devoted...
Machine Safety
Join this ongoing discussion of machine guarding topics, including solutions assessments, regulatory compliance, gap analysis...
Research Analyst Blog
IMS Research, recently acquired by IHS Inc., is a leading independent supplier of market research and consultancy to the global electronics industry.
Marshall on Maintenance
Maintenance is not optional in manufacturing. It’s a profit center, driving productivity and uptime while reducing overall repair costs.
Lachance on CMMS
The Lachance on CMMS blog is about current maintenance topics. Blogger Paul Lachance is president and chief technology officer for Smartware Group.
Material Handling
This digital report explains how everything from conveyors and robots to automatic picking systems and digital orders have evolved to keep pace with the speed of change in the supply chain.
Electrical Safety Update
This digital report explains how plant engineers need to take greater care when it comes to electrical safety incidents on the plant floor.
IIoT: Machines, Equipment, & Asset Management
Articles in this digital report highlight technologies that enable Industrial Internet of Things, IIoT-related products and strategies.
Randy Steele
Maintenance Manager; California Oils Corp.
Matthew J. Woo, PE, RCDD, LEED AP BD+C
Associate, Electrical Engineering; Wood Harbinger
Randy Oliver
Control Systems Engineer; Robert Bosch Corp.
Data Centers: Impacts of Climate and Cooling Technology
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
Safety First: Arc Flash 101
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
Critical Power: Hospital Electrical Systems
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
Design of Safe and Reliable Hydraulic Systems for Subsea Applications
This eGuide explains how the operation of hydraulic systems for subsea applications requires the user to consider additional aspects because of the unique conditions that apply to the setting
click me