Securing Your Plant: Real Risks
Just as IT environments are vulnerable to hackers, worms, and viruses, manufacturers are at risk from a plant's own workers, policies, and procedures. Due to the growth of remote access and the proliferation of Ethernet on the plant floor, workers are often controlling plant operations electronically from various locations. This inevitably leads to security risks and mishaps. As a result, effective management of people in this environment is crucial to help ensure maximum security of plant floor operations.
But before you begin implementing plant floor security, you should be aware that there are a number of common misconceptions:
Manufacturers often shy away from security measures because they believe it is going to be a significant company expense with little or no return on investment. In reality, the significant costs lie in the misuse of technology, not security. Despite popular opinion, it is possible to employ plant-wide security measures in a cost-effective manner by having properly trained people in place who know how to use the technology correctly.
Believing that preventive and detective measures alone can keep a plant secure. In reality, regular patch testing and virus updates aren't enough to effectively protect plant systems. Strong defenses and consistent preventive tactics, combined with well-planned proactive measures, form the framework of a solid plant floor security strategy.
If a company has an IT department, they are effectively addressing the plant's security needs. While it is true that some IT departments are capable of managing the security of plant floor systems, this is not always the case. In an IT environment, downtime is typically not as crucial and failures often don't demand the urgent, immediate corrective action as they do in a manufacturing setting. Therefore, it is important not to rely solely on your IT department to address plant floor security issues since its goals and objectives for uptime and level of response often differ from those in the production department.
It's the responsibility of the software vendor to handle patch certification. Yes, it is the responsibility of vendors to test their products against general patches and give guidance on patch management; however, it is the customer's responsibility to create internal labs and test the compatibility of patches against their own environment. Bottom line: the software vendor can't control the environment and therefore, can't account for all of the variables. However, when evaluating security needs, manufacturers should consider companies that include security functionality in their product offerings.
Also sponsored by Advantech
Starting at $565, Advantech Automation's new ADAM-6060W wireless web-enabled 6-channel relay output is one of the most competitive products on the market. It supports IEEE802.11b wireless LAN, has an embedded web server with built-in web page, supports Modbus/TCP and UDP protocols, and more. www.eautomationpro.com
It's important to note that most security mishaps are the result of a mistake or oversight involving a plant's own internal resources. Having properly trained personnel who know how to use technology is one of the best ways to ensure plant systems are secure. A key component of any successful security strategy is to enforce policies that assign responsibility and accountability to the trained employees. The ability to record activities and track actions to specific system users increases the probability that procedures will be followed consistently and accurately.
Following are some important steps to take when assessing your plant's current security issues and identify potential areas of need:
Reference the technical reports available from the Instrumentation, Systems, and Automation Society (ISA). This organization provides an abundance of valuable resources outlining what manufacturers need to do to secure plant floor systems;
Conduct a risk analysis to identify potential security risks and assess any plant floor problems. Work with a qualified information and control system security consultant who can help outline a strategy and offer recommendations to meet the specific needs of your plant floor environment; and
Assemble an internal team with representation from all of the major business units and develop a comprehensive security plan. This includes members from IT, engineering, operations, and maintenance. If your company is not informed on security risks, engage experts to educate and inform management on this topic.
Once a thorough examination of the facility and procedures is completed, corrective actions can be taken to significantly improve the reliability and security of your plant floor systems.
Bryan Singer is senior business consultant, Rockwell Automation, and chairman of the ISA SP-99 Committee. Rockwell Automation is soon going to announce technology that will embed security solutions into software programs.
For more information on the ISA technical reports visit: www.isa.org .
For information on Rockwell Automation visit: www.rockwellautomation.com .