Balancing secure networks and process control systems access

What are automation engineers to do to enhance security while ensuring the need for barrier-free access to the process control system?


Our friends in the information technology (IT) field who take care of the business networks talk a lot about security. I am sure that most people reading this blog had to log in to their workstation with a company-provided username and a password that has to be changed every 90 days. The IT folks further configure the networks to limit access to the minimal amount of data required to get each employee’s job done. Some firms even go as far as limiting which websites can be accessed from a company workstation. All this for a workstation already physically located inside a building with controlled access.

Why all this effort to control what happens at a workstation inside what is essentially a controlled area: the company's building? It's because physical access has proven to be ineffective as a sole means to provide security in a business network.

Do we have other critical workstations that solely depend on physical security? Are you sitting in one right now in your control room? Have you ever asked why you need to have a complicated password to access your e-mail on a computer in the same control room where a simple press of a button on the adjacent computer would stop a multi-million dollar process?

We in the control field have resisted implementing IT style security in our control rooms. We are privileged folks and have no need for frustrating passwords and usernames. Some of us say that adding password protection and log in requirements is a danger in itself. I commonly hear this argument: “What do we do if something critical is happening, and the operator can’t log in?”

This attitude is pervasive in the industry, to the point that the manufacturers ship default, hard-coded passwords in the automation hardware. No one wants to be searching for a programming password when the process has stopped, right? And this has been to our detriment, as some very significant control system security breaches were enabled by exploiting these embedded passwords.

We have taken the position that physical security is an acceptable means of control. Everyone knows everyone in the control room. The danger lies in the modern network: a remote user with generic passwords can exploit the local workstation. That provides virtual physical access or, in other words, a ghost in your control room with access to your process.

So what are we in the automation field to do to enhance security while ensuring our need for barrier-free access to the process control system? We can all agree that the IT approach just won’t work for us, which is why we have resisted adopting it.

So what works in our world? Is it appropriate to use facial recognition or fingerprint scanners to access an operator console? Or just an employee ID card? Maybe we can take a clue from the Minuteman missile controllers: just two buttons far apart, requiring two operators to initiate programming.

What of the emergency situation? For inspiration, step into your legacy distributed control system control room and you will likely find an automatic fire suppression system. Although it is automatic, why does it have a button labeled “break glass in case of fire”? We all know there will be situations that require immediate access.

All these security issues have been solved before, in ways that may already meet our unique requirements. Let’s look around and find out what works for us. Security doesn’t have to be a burden.

This post was written by Bruce Billedeaux. Bruce is a senior consultant at MAVERICK Technologies, a leading automation solutions provider offering industrial automation, strategic manufacturing, and enterprise integration services for the process industries. MAVERICK delivers expertise and consulting in a wide variety of areas including industrial automation controls, distributed control systems, manufacturing execution systems, operational strategy, business process optimization and more.
