Balancing secure networks and process control systems access

What are automation engineers to do to enhance security while preserving the barrier-free access that the process control system requires?


Our friends in the information technology (IT) field who take care of the business networks talk a lot about security. I am sure that most people reading this blog had to log in to their workstation with a company-provided username and a password that has to be changed every 90 days. The IT folks further program the networks to limit access to the minimal amount of data that is required to get each employee’s job done. Some firms even go as far as limiting which websites can be accessed from a company workstation. All this for a workstation already physically located inside a building with controlled access.

Why all this effort to control what happens at a workstation inside what is essentially a controlled area: the company's building? It's because controlling physical access has proven to be ineffective as the sole means of securing a business network.

Do we have other critical workstations that depend solely on physical security? Are you sitting at one right now in your control room? Have you ever asked why you need a complicated password to access your e-mail on a computer in the same control room where a simple press of a button on the adjacent computer would stop a multimillion-dollar process?

We in the control field have resisted implementing IT-style security in our control rooms. We are privileged folks and have no need for frustrating passwords and usernames. Some of us say that adding password protection and login requirements is a danger in itself. I commonly hear this argument: “What do we do if something critical is happening, and the operator can’t log in?”

This attitude is pervasive in the industry, to the point that manufacturers ship automation hardware with default hard-coded passwords. No one wants to be searching for a programming password when the process has stopped, right? And this has been to our detriment, as some very significant control system security breaches were enabled by exploiting these embedded passwords.

We have taken the position that physical security is an acceptable means of control. Everyone knows everyone in the control room. The danger lies in the modern network: a remote user using generic passwords can exploit the local workstation. The network gives that user virtual physical access or, in other words, puts a ghost in your control room with access to your process.

So what are we in the automation field to do to enhance security while preserving the barrier-free access we need to the process control system? We can all agree that the IT approach just won’t work for us, which is why we have resisted adopting it.

So what works in our world? Is it appropriate to use facial recognition or fingerprint scanners to access an operator console? Or just an employee ID card? Maybe we can take a cue from the Minuteman missile controllers: just two buttons far apart, requiring two operators to initiate programming.

What of the emergency situation? For inspiration, step into your legacy distributed control system control room and you will likely find an automatic fire suppression system. Although it is automatic, why does it have a button with the label “break glass in case of fire”? We all know there will be situations that require immediate access.

All these security issues have been solved before, in ways that may already meet our unique requirements. Let’s look around and find out what works for us. Security doesn’t have to be a burden.

This post was written by Bruce Billedeaux. Bruce is a senior consultant at MAVERICK Technologies, a leading automation solutions provider offering industrial automation, strategic manufacturing, and enterprise integration services for the process industries. MAVERICK delivers expertise and consulting in a wide variety of areas including industrial automation controls, distributed control systems, manufacturing execution systems, operational strategy, business process optimization and more.
