Cyber security for industrial assets

When it comes to securing industrial networks, policies from the enterprise (IT) and manufacturing sides can differ. Co-authors Gregory Wilcox and Dan Knight, from Rockwell Automation and Cisco Systems, respectively, give specific advice on "computer hardening" and "controller hardening" so the entire manufacturing enterprise can be protected.


Modernize your cyber security. Source: Reed Business Information

The convergence of manufacturing and enterprise networks is increasing access to manufacturing data, which allows manufacturers to make better business decisions. This business agility provides a competitive edge for manufacturers that embrace convergence. However, challenges come with these opportunities - network convergence exposes manufacturing assets to security threats traditionally found in the enterprise.

Holistic Security

Protecting manufacturing assets requires a "defense-in-depth" security approach that addresses internal and external security threats. This approach uses multiple layers of defense (physical and electronic) at separate manufacturing levels by applying policies and procedures that address different types of threats. For example, multiple layers of network security protect networked assets, data and end points, and multiple layers of physical security help protect high value assets. No single technology or methodology can fully secure industrial control systems. Defense-in-depth layers for securing manufacturing assets include physical, network and application security, as well as computer and device hardening.

In achieving a "defense-in-depth" approach, an operational process is required to establish and maintain the security capability. A security operational process includes identifying priorities, assets, potential internal and external threats and risks, establishing requirements, understanding required capabilities, as well as developing architecture and policies.

Designing and implementing a comprehensive manufacturing security model should serve as a natural extension to the manufacturing process. Users should not implement security as a bolt-on component to the manufacturing process.

Manufacturing Security Policies

The key to a successful security strategy is understanding the potential problems that need to be solved, including what to protect and how. Establishing a security policy focused on manufacturing needs provides a roadmap for applying security technologies and best practices to protect manufacturing assets, while avoiding unnecessary expenses and excessive restrictive access. Security services should not inhibit nor compromise the manufacturing operation.
As defined by ISA-99, a security policy "enables an organization to follow a consistent program for maintaining an acceptable level of security." The security policy consists of physical and electronic procedures that define and constrain behaviors by personnel and components within the manufacturing system. A team consisting of IT, operations and engineering professionals should work together to define manufacturing security needs.

Security policy development starts with evaluating potential risks. Conducted by either an internal or external team, the risk assessment process identifies potential vulnerabilities and determines mitigation techniques through procedures and/or technology. For example, a procedure could restrict physical access to manufacturing systems to authorized personnel. Technology mitigation techniques could include change management software that authorizes and authenticates user credentials.

Developing a robust and secure network infrastructure requires protecting the integrity, availability and confidentiality of control and information data. Users should address the following when developing a network:
• Is the network infrastructure resilient enough to provide data availability?
• How consistent is the data? Is it reliable?
• How is data used? Is it secure from manipulation?

IT responsibilities include protecting company assets and intellectual property (IP). IT accomplishes this by implementing an enterprise security policy enforcement to protect data confidentiality, integrity and availability (CIA) - in that order. Although similarities exist for manufacturing security policy enforcement, it must place continuous manufacturing operation as top priority. Manufacturing security policy enforcement protects data availability, integrity and then confidentiality (AIC) - in that order.

Enterprise and manufacturing security policies differ in terms of how they handle upgrades. For enterprise applications like operating system and application software patching as well as antivirus definition updates, users conduct upgrades as soon as possible. Applying upgrades to a running manufacturing server could disrupt operations, resulting in a production loss. Manufacturing security policies should define upgrades as a scheduled activity during manufacturing downtime.

Computer Hardening

IT best practices applied to enterprise computers also should apply to manufacturing computers. Best practices and general recommendations include:
• Keep computers up-
• Deploy and maintain antivirus software, but disable automatic updates and automatic scanning.
• Deploy and maintain antispyware software, but disable automatic updates and automatic scanning. Automatic antivirus and antispyware scanning has caused data loss and downtime at some manufacturing facilities.
• Prohibit direct internet access. Implementing a Demilitarized Zone (DMZ) provides a barrier between the Manufacturing and Enterprise Zones, but allows users to securely share data and services. All network traffic from either side of the DMZ terminates in the DMZ. Traffic does not directly travel between the Enterprise and Manufacturing Zones.
• Implement a separate Active Directory domain/forest for the Manufacturing Zone. This helps ensure availability to manufacturing assets if connectivity to the Enterprise Zone is disrupted.
• Implement the following password policy settings:

• Disable the guest account on clients and servers.
• Require that the built-
• Develop and then deploy backup and disaster recovery policies and procedures. Users should test backups on a regular schedule.
• Implement a change management system to archive network, controller and computer assets (e.g. clients, servers and applications).
• Use Control+Alt+Delete along with a unique username and password to log in. Users should require domain credentials to access networked computer assets and have unique, non
• Protect unnecessary or infrequently used USB ports, parallel and serial interfaces to prevent unauthorized hardware additions (modems, printers, USB devices, etc.).
• Develop and implement a policy for guest access within the Enterprise Zone.
• Develop and implement a policy for partner access within the Manufacturing Zone.
• Uninstall the unused Windows components, protocols and services not necessary to operate the manufacturing system.
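The DMZ rule above (every flow terminates in the DMZ; nothing crosses directly between the Enterprise and Manufacturing Zones, and anything not explicitly allowed is denied) can be checked mechanically against a zone-to-zone rule set. The following is an added example, not code from the article or from Rockwell Automation or Cisco; the zone names are taken from the article, while the rule model, service ports and sample rules are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ENTERPRISE, DMZ, MANUFACTURING, ANY = "Enterprise", "DMZ", "Manufacturing", "*"


@dataclass(frozen=True)
class Rule:
    """One zone-to-zone firewall rule; '*' matches any zone or port (assumed model)."""
    src_zone: str
    dst_zone: str
    dst_port: str
    action: str  # "allow" or "deny"


def rule_violations(rules: List[Rule]) -> List[Tuple[Optional[Rule], str]]:
    """Flag every rule that breaks the DMZ model described in the article.

    An allow rule is acceptable only if one of its endpoints is the DMZ, so that
    the flow terminates there. A rule whose endpoints are both outside the DMZ
    (or both wildcards) would carry traffic directly between the Enterprise and
    Manufacturing Zones. The rule set must also end with an explicit deny-all so
    that any flow not listed is dropped rather than implicitly permitted.
    """
    problems: List[Tuple[Optional[Rule], str]] = []
    for r in rules:
        if r.action == "allow" and DMZ not in (r.src_zone, r.dst_zone):
            problems.append((r, "allowed flow does not terminate in the DMZ"))
    last = rules[-1] if rules else None
    if not (last and last.action == "deny"
            and last.src_zone == last.dst_zone == ANY and last.dst_port == ANY):
        problems.append((last, "rule set does not end with an explicit deny-all"))
    return problems


def is_policy_compliant(rules: List[Rule]) -> bool:
    return not rule_violations(rules)


# Constructed sample rule set (hypothetical services and ports, not from the article).
SAMPLE_RULES = [
    Rule(ENTERPRISE, DMZ, "443", "allow"),             # office clients read reports from a DMZ web server
    Rule(MANUFACTURING, DMZ, "443", "allow"),          # plant historian pushes data into the DMZ
    Rule(DMZ, MANUFACTURING, "5432", "allow"),         # DMZ collector pulls from a plant database
    Rule(ENTERPRISE, MANUFACTURING, "3389", "allow"),  # direct remote desktop to the plant: bypasses the DMZ
    Rule(ANY, ANY, ANY, "deny"),                       # explicit default deny
]

if __name__ == "__main__":
    for rule, reason in rule_violations(SAMPLE_RULES):
        print(f"{reason}: {rule}")
```

Running it reports only the direct Enterprise-to-Manufacturing rule; removing that rule makes the set compliant, while dropping the trailing deny-all produces a second finding.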

Controller Hardening

Users can secure Rockwell Automation Logix programmable automation controllers (PAC) by physical procedure, electronic design, authentication and authorization software as well as change management with disaster recovery software. Best practices and general recommendations include:
• Physical procedure: This restricts control panel access to authorized personnel only. Users can accomplish this by implementing access procedures or locking the panels. Switching the PAC key to "RUN" prevents remote programming, including a remote firmware flash that could corrupt the PAC. Allowing program or configuration changes then requires physically changing the key position at the PAC. Unauthorized access (intentional or unintentional) cannot alter the PAC until the key switch is moved out of "RUN."
• Electronic design: Implementing the PAC CPU Lock feature denies front port access to the PAC, which prevents configuration changes.
• Authentication, authorization and audit by implementing FactoryTalk
• Change Management with disaster recovery: FactoryTalk

About the Authors:
Gregory Wilcox, business development manager, Rockwell Automation, and Dan Knight, industry solutions manager, Cisco Systems, work together to aid manufacturers with manufacturing-IT convergence. Together, Rockwell Automation and Cisco released reference architectures and embarked on a series of market education activities, reaching more than 8,000 stakeholders on four continents to date. Additionally, Rockwell Automation and Cisco jointly collaborated on infrastructure products that directly address the widespread network convergence activities in manufacturing and IT organizations.
