Cyber security: Common sense security for industrial engineers

Inside machines: Even the best industrial security products cannot prevent all unwanted traffic and malicious attacks to control systems; there is no such thing as a completely secure control system. Control engineers can reduce cyber incident risk by consistently investing time and effort in security measures. Cyber security advice follows.


There is no such thing as a completely secure control system. Even the best industrial products on the market cannot prevent all unwanted traffic and malicious attacks. But by investing time and effort into security measures on an ongoing basis, control engineers can significantly reduce the threat of a cyber incident. Background and practical advice follow.

Machines and other systems once enjoyed The acceptance of Ethernet, wireless, and TCP/IP for industrial communication has made it easier to design networks using products from different vendors. Yet, some of the advantages these technologies offer—they are widely known and make it possible to connect your plant floor to your office networks—also take away the inherent security automation professionals relied on for decades. 

As networks become more open and interconnected, plants are at higher risk for cyber attack than ever before. Unintentional incidents, such as a broadcast storm from a malfunctioning office device, can also pose a threat.

Control engineers got their first major wake-up call with the discovery of Stuxnet in July 2010. Thousands of articles have already been written on Stuxnet and its effect on the Iranian nuclear program. Stuxnet was the first major virus to target the industrial sector, but more recent discoveries include Nitro and Nightdragon, designed to steal sensitive data from the chemical and energy industries, and Duqu (aka “Son of Stuxnet”), which is still a mystery. Unfortunately, it is probably only a matter of time until we hear about a newer and larger threat.

Today, automation professionals realize they can no longer ignore network security. But at the same time, deciding where to start can feel like an overwhelming task. While there is no way to completely ensure the security of your control system, there are a few easy and cost-effective steps you can take almost immediately.

Choose and use passwords carefully

Passwords guard access to your data, your equipment, and your programs.  Without the use of good passwords, your network infrastructure is very vulnerable.

Passwords should be:

• Private: Don’t post your password in public places.

• Employee-only: Sometimes, multiple employees need to share a password for equipment. If one of those employees leaves the company, change the password immediately, even if the person leaves on good terms.

• Complex: Your password shouldn’t be easy to guess. Don’t pick something common like “password,” “123456,” “qwerty,” or “abc123.” Your child’s name or other personal information is also a poor choice. Instead, come up with a sentence you can remember and use abbreviations to create a mnemonic device. For example, “I want to secure my control system” can become “I12sMcS.” Vary between numbers, symbols, and upper- and lowercase letters for the most security. In fact, an eight-character password with upper- and lowercase letters and numbers has more than 200 trillion possible combinations. Adding punctuation marks increases the possibilities to more than 500 trillion.

While some people recommend changing your password frequently, that increases your chance of forgetting it or making a typo when creating the new one. If you change your password frequently, you’re more apt to need to write it down—bringing us back to the importance of keeping your password private.

Restrict Internet access

Can your employees surf the Web from your industrial PC or HMI? When they access Facebook, check their e-mail, or otherwise access the Internet, they are opening the door to viruses and other malware.

A control device with a public-facing address is an even bigger threat. While you might enjoy the convenience of checking your HMI from the road, a hacker might enjoy the convenience of shutting down your machine at a critical time. If your system has a public IP address that anyone can access, your system is easy to find, and therefore, generally easy to hack. To find out just how easy, visit—a site that makes it easy for hackers to search for and discover PLCs, HMIs, etc., that publicly face the Internet.

A virtual private network (VPN) is a much safer choice. VPNs encrypt, or scramble, sensitive data as it traverses the Internet. They have been commonly used in the office environment for many years, but industrial networks have special requirements. An industrial VPN will have the rugged housing necessary on the factory floor and be able to operate within a wider temperature range. A VPN that is optimized for engineer programming, rather than IT “command line” programming, will also be easier to use.

USB sticks: If you must use them, take precautions

The convenience of USB sticks for transferring files has made them extremely popular. But—as Stuxnet demonstrated—they are also one of the best ways to spread malware.

The only way to completely prevent a virus from spreading through USB sticks is to ban their use on your control system. However, even if you have such a rule in place, there’s no guarantee that your employees will follow that rule. There are a few preventative steps you can take.

The first is to implement a policy that a user must run a USB stick through the IT department before using it on a control system device. IT can run the USB stick through a series of tests to ensure that it is clean of viruses. This takes time on everybody’s part—both the user’s and the IT department’s—and it’s not foolproof. It’s also wise to disable USB in the BIOS of your control PCs.

An additional measure is the use of Common Internet File System (CIFS) Integrity Monitoring. This is an option on some firewall software programs that will alert the system owner as soon as a file is added or changed on a monitored device. The system manager tells the CIFS firewall which directories and/or types of files to monitor (for example, .exe and .sys). This will serve as a baseline for the CIFS monitoring.

The next time the CIFS monitor performs a scan, it will notice if any files have been deleted, added, or otherwise changed. This will not prevent infection from occurring, but with faster notification, you can mitigate any damage.

Ongoing security

The steps outlined above are just a few basic recommendations to start the process, but there are additional steps you can take to add layers to your security. An industrial-rated firewall can filter unwanted traffic, and don’t overlook potentially insecure wireless connections. Advanced security options can include IPS/IDS, patch management, logging and auditing systems, and in-depth training for personnel.

- Dan Schaffer is business and development manager for networking and security, and Dan Fenton is product marketing specialist, control and software, both with Phoenix Contact USA; Edited by Mark T. Hoske, content manager CFE Media, Control Engineering, Plant Engineering, and Consulting-Specifying Engineer, at
