Ensuring plant security without compromising open technology
Use of Ethernet from top-to-shop floor and demand for global access to real-time production data has created the need to implement a security methodology and new security policies. A mere minute of production downtime can translate to the loss of thousands of dollars. But what if your manufacturing systems were hacked and shut down for an entire day? The focus on system security has also been g...
Use of Ethernet from top-to-shop floor and demand for global access to real-time production data has created the need to implement a security methodology and new security policies.
A mere minute of production downtime can translate to the loss of thousands of dollars. But what if your manufacturing systems were hacked and shut down for an entire day? The focus on system security has also been growing due to the steady stream of e-mail attacks.
While most breaches have affected the office environment, the evolution from proprietary to open system architectures is introducing the plant floor to similar risks. According to the Computer Security Institute, the cost of network intrusions for the average company has doubled in the past year (from $976,000 in 2000 to $1,928,000 in 2001 (Fig. 1). The costs of security leaks have also doubled from $67 million in 2000 to $151 million in 2001 (Fig. 2).
Fig. 1. (Above left) The cost of network intrusions has doubled in the past year, from $976,000 in 2000 to $1,928,000 in 2001.
Fig. 2. (Above right) The cost of security leaks has doubled from $67 million in 2000 to $151 million in 2001.
These costs are significant, but the cost of a single security breach could be much higher for the plant floor since assets include more than just business information; they include the manufacturing processes, facilities, equipment, and people.
What if your production recipe was stolen?
What if a cutting machine was shutdown for routine maintenance, then an offsite engineer accesses the process control network via the intranet, monitors the nonfunctioning machine, and selects to activate it?
What if an engineer were to enter the wrong IP address, causing a valve to open, thereby emitting a toxic gas?
Open operation means increased risk
Historically, manufacturing was viewed as an island isolated from other elements within the supply chain. In fact, great care was taken to decouple manufacturing from the risks of supplier shortages and demand fluctuations from customers. While simple to build, this model was both inefficient and unresponsive. End users were unable to exchange data with business systems, and communication was segregated throughout the plant.
Today's production processes are tightly coupled with both upstream and downstream elements within the supply chain. The advantages include both productivity and flexibility improvements, with build-to-order, predictive maintenance, and e-procurement capabilities for MRO supplies being just a few of the programs that can be implemented.
As data from the factory floor becomes more important for daily and real-time business decisions, end users need to take the proper steps to secure these data. This helps ensure that the benefits of a seamless supply chain outweigh the risk and exposure to information security breaches.
Ethernet has played a key role in creating today's tightly coupled manufacturing enterprise. To its credit, Ethernet has many benefits, such as availability, familiarity, and cost. These advantages have made it a popular choice for a wide range of industrial applications. But there are two major aspects to consider — interoperability and security — when using Ethernet in industrial control applications.
Transmission control protocol/internet protocol (TCP/IP) is the network and transport-layer protocol of the internet and is commonly linked with Ethernet in the business world. The TCP/IP protocol suite provides a set of services that two devices may use to communicate with each other over an Ethernet local area network (LAN) or over a wide area network (WAN) that spans the globe.
However, using TCP/IP alone does not guarantee that two devices can communicate effectively, if at all. It only guarantees that application-level messages will be successfully transferred between the two devices. For interoperability, a common, open Ethernet stack such as EtherNet/IP is needed to guarantee data exchange with I/O control capability between two Ethernet devices.
As for the security issue, care must be taken when designing and installing an Ethernet network on the plant floor. Ethernet TCP/IP has a bright future in industrial automation applications. However, it is imperative to secure the plant floor from both external and internal intrusions. Consistently applying a security methodology is one way to minimize the risk attached to open technologies.
Security methodology defines security needs
An organization's security methodology should begin by defining what it wants to protect. In many cases, this includes hard assets, such as the manufacturing process, production equipment, manufacturing facilities, raw material inventory, finished product inventory, personnel safety, and environmental protection.
But it also includes soft assets, such as production schedules, production rates, capacity, yield, customer information, process conditions, set points, product specifications, recipes, operating procedures, and quality data.
While there is more than one way to address an organization's security issues, a security methodology that includes four basic steps — situation analysis, design, implementation, and support/maintenance — is recommended (Fig. 3).
Fig. 3. This block diagram shows a typical LAN security methodology. Devices connected to the plant floor Ethernet are protected by multiple LAN layers and firewalls.
After defining assets, the situation analysis phase involves reviewing an organization's existing security policies, soliciting participation from stakeholders, understanding the functional objectives, understanding threats, analyzing risk, and educating employees.
In a typical application, the three main threats are:
People from inside the process control network who are trying to access remote resources via the internet, extranet, or intranet.
People outside the process control network who are trying to access the process control network via the internet, extranet, or intranet.
The physical connections between the process control network and external networks.
During the design phase, end users will select migration strategies based on the risk analysis performed in the earlier phase. Antivirus software is the most widely used protection strategy (with nearly 100% of all PCs having antivirus protection). Firewalls, which are coming down in price ($500-$10,000 each, depending on functionality), are also very popular.
A typical architecture places firewalls between the internet and the business level network. Since communication between the business systems and the process networks is often based on Ethernet, the question is frequently raised about whether a firewall is needed between these two levels. Regardless of placement, a common mistake is thinking that firewalls are all that is necessary to protect a system. A secure system requires much more. Strict access control procedures, such as a two-way user authentication (for example, a password plus PIN number), are recommended. Security may also involve virtual/private networks (VPNs) for remote access, data encryption, digital certificates, intrusion detection software, or using a separate, redundant network for process control.
Another aspect to plant security involves a focus on inside intrusions, which cause 50% of all security breaches. Inside intrusions could be the result of a disgruntled employee, but more often than not, they are unintentional.
For example, let's say a company provides remote access to the process control network. One wrong keystroke could change an IP address, and consequently alter the parameters of the wrong machine or device. Another inside intrusion could be caused by an attempt to change the recipe at one plant, but inadvertently changing the recipe in another plant. This is especially possible if the intranet does not provide clear location paths.
It's enticing to think about being able to sit in a remote office or the comfort of your home and control the plant. But access to setpoints and equipment controls must be protected by multiple security mechanisms in a LAN or WAN.
If the risk is too great, remote access should be limited to monitoring, advising, modeling, and undertaking what-if analysis on information — not direct interaction with the control environment.
The implementation phase involves applying the hardware and software solutions selected during the design phase. Integral to a successful implementation is the understanding of your process and the needed application functionality identified during the design phase. Firewalls offer many features, which need to be carefully selected and configured by trained personnel with security implementation experience.
Support and maintenance
As the end user begins the supporting and maintaining phase, the most crucial step involves access control. Reusable authorization codes are a common area of concern. Also important are routine updates to the organization's policies, vulnerability analysis, disaster recovery plans, and intrusion detection software. New employees should also be kept up-to-date about their security roles and responsibilities.
Ethernet and other open networking and computing technologies continue to achieve acceptance in manufacturing environments, with real cost and productivity gains for the user. Unfortunately, along with the benefits come the vulnerabilities we've all experienced in the office environment. Keeping the destructive elements away from your valuable manufacturing assets requires a well-planned, well-executed security information methodology.
— Edited by Jack Smith, Senior Editor, 630-288-8783, email@example.com
The author is available to answer questions about this article. He can be reached by phone at 440-646-3105, or by e-mail at firstname.lastname@example.org .