Bringing better IT security to the plant floor

Excerpted from the white paper, "Increasing Plant Floor Security Today" by Rockwell Automation, Milwaukee, WI. Our needs and capabilities for sharing information with others are expanding exponentially. From e-commerce drivers, to communications with the supply chain and other partners, our intellectual property is getting more exposure, while at the same time being more and more core to our co...


Excerpted from the white paper, "Increasing Plant Floor Security Today" by Rockwell Automation, Milwaukee, WI.

Our needs and capabilities for sharing information with others are expanding exponentially. From e-commerce drivers, to communications with the supply chain and other partners, our intellectual property is getting more exposure, while at the same time being more and more core to our competitive advantage.

Technologies like the Internet and wireless continue to tempt us with their promises of connectivity. Even our devices on the plant floor offer web services to outside consumers of information. Lean initiatives have increased the risks of disruption and the accompanying missed opportunity costs that breaches may bring.

Operating SystemsProprietaryOpen
Data CommunicationProprietaryStandard Protocols
Information FlowSegmentedIntegrated
Computing SolutionsMonolithicModular

The government, through Homeland Security, is reinforcing the needs of security in its defined critical infrastructure, which includes many industries utilizing industrial automation control systems.

  • Gas & Oil Storage/Delivery

  • Water Supply System

  • Banking & Finance

  • Transportation

  • Electrical Energy

  • Telecommunications

  • Emergency Services

  • Government Operations

    • During the past several years, risks have increased because process automation systems that support the manufacturing enterprise have evolved from isolated, proprietary networks and operating systems to interconnected systems of modular computing/control platforms. These interconnected systems are using open architectures and standard protocols to facilitate interoperability with corporate networks and applications, which is a huge advantage for today's supply chain solutions, but also increases the risk and exposure to industry.

      E-business brings with it some key security drivers like:

      Authorization: Who are you and are you allowed access?

      Authentication: What are you allowed to do and from where are you allowed to do it?

      Availability: Can you do what you need to do, when you want to do it?

      Non-repudiation: Can we prove you did it? For regulated industries, non-repudiation is critical for tracking changes to individuals.

      Privacy: Can we protect your data?

      IT evolution and integration across supply chain and enterprise has tremendous advantages, but with increased risk and exposure.

      Security Is About Managing Risk

      In general, you only need to protect things that have value to your business and you should only apply protection in proportion to the value of the item. This is a very important concept, having too much security creates an unnecessary expense and causes decreased accessibility to those that are authorized to get access. You need to evaluate and balance the level of exposure with the criticality of what is being protected. We should be less concerned with a security breach gaining access to our Kindergarten grades than we would with our current medical or financial records.

      In some industries, the barriers are very high to be able to physically get at the factory automation. In those cases, a user has been authenticated and achieved a level of trust just by simply being there, and therefore should only require very low-level barriers to gain quick operator access. In other industries there are no walls and the control items are distributed in the field in plain site of the world (real or cyber). In such industries as these a different approach would seem more reasonable, where strong authentication and authorization technology should be deployed at each control item.

      Example: When an employee is working from his home office, it is good security policy to prevent him from accessing the corporate IT network if he enters his password incorrectly three times in a row. This is "good". On the other hand, do you want to prevent an operator inside a nuclear reactor from shutting down the runaway reactor if he enters his password incorrectly three times? This is "bad".

      The difference between these examples is that the employee working from home is outside the corporate firewall and performing non-essential operations. The operator of the nuclear reactor is inside the control room behind layers of physical security. Does this mean that the operator does not need to enter an appropriate password? Absolutely not! You still need to make sure the operator is authorized and trained to perform the operation and that the operation is not being performed by accident.

      It is important to understand who the "enemy" is before you can build a good defense. The ARC survey shows that fully 25% of manufacturing disruptions are addressable and possibly avoidable, since 1 in 8 is caused by an employee mistake. Another 1 in 8 is deliberate and can be caused by any number of reasons (i.e. disgruntled employees or ex-employees, business competitors, hackers, vandalism, etc.). There have been many articles in the press recently about "cyber terrorism" and "cyber attacks", but the reality is that many business disruptions are caused by people inside the plant and most IT security techniques only focus on threats from outside.

      Those 25% include some scenarios like:

      • An angry technician blocks maintenance access to a controller in another division by changing a password

      • A sales manager from your competitor discovers your bid on a big RFP and substantially underbids you to win the order

      • A group of teenagers from China try to explore the control system on a utility grid and deface the web site

      • A disgruntled job-seeker turns into an eco-terrorist and manipulates the city sewage treatment plant using a laptop and a radio to release millions of gallons of untreated sewage into the surrounding area. (This last example really happened.)

        • What about the 75% that we haven't addressed yet? It is very important to remember that no matter how hard you defend against a business disruption, they can and will happen! What will you do if one of these major interruptions occurs? What could we have been doing beforehand to make the recovery easier?

          At the top of this list is Business Continuity & Recovery, focused on keeping a company operating, or at least getting it back to operating very quickly after a discontinuity. These discontinuities can include natural disasters, equipment failures, human error, or as in our subject here, a severe security breach.

          Having started on the IT end of the enterprise, BC&R historically was used by heavily regulated industries like financial, focusing on continuity of the business systems. The Manufacturing sector, although not a dominant historical user of BC&R planning, is now starting to incorporate its industrial processes in BC plans. Security and Personal Safety are two areas that help to prevent or at least mitigate disasters and business interruptions.

          Here are some key suggestions, but there are lots of others if you do a little research on the topic of Business Continuity. Like the Boy Scouts, the theme is, "Be Prepared".

          • Develop Incident Response Plans to determine severity of security breach and any immediate actions

          • Develop Disaster Recovery/Business Continuity Plans to respond to

          • Severe business interruptions (Less than 50% of manufacturers have plans today.)

          • Periodically Backup (and secure) off-site all operational plant floor electronic data (designs, prints, tooling, programs, configurations, history and logs). You want it fresh when you need it, not a year old. Tools that are 21 CFR Part 11 compliant can help

          • Change management / audit trails. According to disaster recovery specialists, over 25% of companies hit by a serious crisis never resume operation. Thirty percent of companies that do initially recover fail within two years.

The Top Plant program honors outstanding manufacturing facilities in North America. View the 2017 Top Plant.
The Product of the Year program recognizes products newly released in the manufacturing industries.
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
SCCR, 2018 Maintenance study, and VFDs in a washdown environment.
Welding ergonomics, 2017 Salary Survey, and surge protection
2017 Top Plant winner, Best practices, Plant Engineering at 70, Top 10 stories of 2017
Product of the Year winners, Pattern recognition, Engineering analytics, Revitalize older pump installations
Control room technology innovation; Practical approaches to corrosion protection; Pipeline regulator revises quality programs
The cloud, mobility, and remote operations; SCADA and contextual mobility; Custom UPS empowering a secure pipeline
Setting internal automation standards
Knowing how and when to use parallel generators
PID controllers, Solar-powered SCADA, Using 80 GHz radar sensors

Annual Salary Survey

Before the calendar turned, 2016 already had the makings of a pivotal year for manufacturing, and for the world.

There were the big events for the year, including the United States as Partner Country at Hannover Messe in April and the 2016 International Manufacturing Technology Show in Chicago in September. There's also the matter of the U.S. presidential elections in November, which promise to shape policy in manufacturing for years to come.

But the year started with global economic turmoil, as a slowdown in Chinese manufacturing triggered a worldwide stock hiccup that sent values plummeting. The continued plunge in world oil prices has resulted in a slowdown in exploration and, by extension, the manufacture of exploration equipment.

Read more: 2015 Salary Survey

Maintenance and reliability tips and best practices from the maintenance and reliability coaches at Allied Reliability Group.
The One Voice for Manufacturing blog reports on federal public policy issues impacting the manufacturing sector. One Voice is a joint effort by the National Tooling and Machining...
The Society for Maintenance and Reliability Professionals an organization devoted...
Join this ongoing discussion of machine guarding topics, including solutions assessments, regulatory compliance, gap analysis...
IMS Research, recently acquired by IHS Inc., is a leading independent supplier of market research and consultancy to the global electronics industry.
Maintenance is not optional in manufacturing. It’s a profit center, driving productivity and uptime while reducing overall repair costs.
The Lachance on CMMS blog is about current maintenance topics. Blogger Paul Lachance is president and chief technology officer for Smartware Group.
The maintenance journey has been a long, slow trek for most manufacturers and has gone from preventive maintenance to predictive maintenance.
This digital report explains how plant engineers and subject matter experts (SME) need support for time series data and its many challenges.
This digital report will explore several aspects of how IIoT will transform manufacturing in the coming years.
Maintenance Manager; California Oils Corp.
Associate, Electrical Engineering; Wood Harbinger
Control Systems Engineer; Robert Bosch Corp.
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
click me