Balancing secure networks and process control systems access

What are automation engineers to do to enhance security while preserving the need for barrier-free access to the process control system?


Our friends in the information technology (IT) field who take care of the business networks talk a lot about security. I am sure that most people reading this blog had to log in to their workstation with a company-provided username and a password that has to be changed every 90 days. The IT folks further program the networks to limit access to the minimal amount of data that is required to get each employee’s job done. Some firms even go as far as limiting which websites can be accessed from a company workstation. All this for a workstation already physically located inside a building with controlled access.

Why all this effort to control what happens at a workstation inside what is essentially a controlled area: the company's building? It's because controlling physical access has proven to be ineffective as the sole means of providing security in a business network.

Do we have other critical workstations that depend solely on physical security? Are you sitting at one right now in your control room? Have you ever asked why you need a complicated password to access your e-mail on a computer in the same control room where a simple press of a button on the adjacent computer would stop a multimillion-dollar process?

We in the control field have resisted implementing IT-style security in our control rooms. We are privileged folks and have no need for frustrating passwords and usernames. Some of us say that adding password protection and login requirements is a danger in itself. I commonly hear this argument: “What do we do if something critical is happening, and the operator can’t log in?”

This attitude is pervasive in the industry, to the point that manufacturers ship automation hardware with default, hard-coded passwords. No one wants to be searching for a programming password when the process has stopped, right? And this has been to our detriment, as some very significant control system security breaches were enabled by exploiting these embedded passwords.

We have taken the position that physical security is an acceptable means of control. Everyone knows everyone in the control room. The danger lies in the modern network: a remote user using generic passwords can exploit the local workstation. The network provides virtual physical access or, in other words, a ghost in your control room with access to your process.

So what are we in the automation field to do to enhance security while ensuring our need for barrier-free access to the process control system? We can all agree that the IT approach just won’t work for us, which is why we have resisted adopting it.

So what works in our world? Is it appropriate to use facial recognition or fingerprint scanners to access an operator console? Or just an employee ID card? Maybe we can take a cue from the Minuteman missile controllers: just two buttons far apart, requiring two operators to initiate programming.

What of the emergency situation? For inspiration, step into your legacy distributed control system control room and you will likely find an automatic fire suppression system. Although it is automatic, why does it have a button with the label “break glass in case of fire”? We all know there will be situations that require immediate access.

All these security issues have been solved before in ways that may have already met our unique requirements. Let’s look around and find out what works for us. Security doesn’t have to be a burden.

This post was written by Bruce Billedeaux. Bruce is a senior consultant at MAVERICK Technologies, a leading automation solutions provider offering industrial automation, strategic manufacturing, and enterprise integration services for the process industries. MAVERICK delivers expertise and consulting in a wide variety of areas including industrial automation controls, distributed control systems, manufacturing execution systems, operational strategy, business process optimization and more.
