Cyber security for smart mobile devices
Implementing cyber security at the HMI instead of at the mobile devices results in a simpler and more secure system.
With the advent of smartphones, tablets, and other smart mobile devices in consumer markets, it's logical to expect expanded use of these devices in industrial automation system monitoring and control applications. Local in-plant and remote access via such smart mobile devices provides a number of benefits including quicker response to events, lower overall costs for operator interface hardware, and reduced travel expenses. For these and other reasons, smart mobile device usage is rapidly expanding in industrial automation applications.
Mobile devices can provide machine status, synchronized data, equipment efficiency content, location-delivered content, role-based content, fencing control, maintenance-by-proximity, machine control, and other functions via a 4G network or wirelessly. Some companies will supply these devices to their employees, and others will implement a bring-your-own-device (BYOD) policy.
In either case, addressing cyber security issues will be paramount to prevent mobile devices from interfering with automation system operation, stop intruders from pilfering data, and maintain a high level of performance.
Mobile devices raise concerns
Connecting a machine's PLC or programmable automation controller to a remote device, usually via an HMI, to push content and allow remote control demands tight system security (Figure 1). Both automation equipment suppliers and end users fear what might happen if the automation enterprise is hacked or the mobile device is stolen.
Without proper application design, authentication, and security, a mobile device could be compromised and valuable data concerning machine and process operation might be exposed to the outside world. Should that machine or process be connected to the rest of the manufacturing facility and to the enterprise directly or through an HMI, as is often the case, the mobile device could provide a path to all sorts of confidential data.
Tethered PC-based and embedded HMIs are used as the main point of operator interface on many machines. These HMIs not only connect to the main machine or process controller, but in many cases to other machines and processes along with upper level computing systems throughout the enterprise. Thus, particular care must be taken when the HMI is the point of interface for mobile devices, which is the typical scenario.
In the worst case, a hacker could use a mobile device to take control of a machine, a process, or even an entire plant if proper security precautions and application design concepts weren't implemented. This could result in equipment damage, environmental events, and even injury or death. Many prospective users are completely avoiding mobile device connections to automation systems because of cyber security concerns, but there are solutions that can mitigate risks to an acceptable level.
Modern mobile solutions need to be designed with a different thought paradigm than in the past when most interfaces were provided via traditional tethered devices. Smart mobile devices, whether smartphones, tablets, or wearable computers, should be viewed during the application design phase as generic access portals, or more simply as mobile user interfaces.
These smart mobile devices may or may not be physical company assets, and have the potential to show up anywhere within the control system, hence the need for localized or fenced authenticated user content.
Modern control system designers understand the pervasive and widespread nature of these devices, and the futility of attempting to control their use, whether within the plant or across the globe. Instead of controlling use, designers should therefore control these devices' access to the control system, with the HMI acting as the gatekeeper.
Various companies, including InduSoft, offer tools that let smart device content be designed into the HMI application and delivered securely to any common HTML5-compliant browser, so remote access is available through a browser across many different mobile hardware platforms.
Actual production or control data is never physically present on the smart mobile device, so it cannot be hacked or spoofed in the traditional manner used against a tethered HMI connected to the run-time server. The smart mobile device only presents the information via a safe browser interface, per the configuration of the HMI.
During the design phase, it can't be assumed that one smart mobile device brand or platform will always be used, or will never change over the course of the application's lifecycle. Additionally, it can't be assumed that any unique mobile device will always be used by the same user, even if it is registered on the network to that user.
Mobile devices get stolen, lost, or replaced. Neglecting this fact will result in a huge security hole that can never be patched properly until the application is actually redesigned using correct mobile access security assumptions and considerations. To address all aspects of mobile access security, it's important that smart mobile devices used as UAPs (user access portals) are properly registered with the control system domain. Users on registered portals can then be assigned a different privilege level than nonregistered portals.
It is recognized that device registration is not always possible or reliable, especially if the device is not in the proximity of the domain or physically available for inspection. Should authentication of the device be required, this specific use case can be handled by an authenticating device app issued by the company, or by a registered VPN client on the device requiring additional user authentication and credentials.
Registering smart mobile devices is usually accomplished by using the device's MAC address as an allowed device on the network. Generally speaking, this technique restricts control system access to only registered devices, whether they are a personal or a company asset.
Further control system filtering can be done using tools from suppliers such as Tofino Security, which are designed to understand automation communications protocols. These tools can thus prevent unauthorized asset access to the control system, such as a device plugged into a USB port, while leaving the control system operationally unaffected.
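The protocol-aware filtering described above can be illustrated with a small Modbus/TCP filter. This is an added example, not Tofino Security's product or code: it decodes the MBAP header and function code of each frame and applies a per-source allowlist of function codes, so a read-only station cannot issue writes to the controller while normal traffic passes untouched. The source addresses, unit ids and sample frames are constructed for the example.

```python
# Added example, not Tofino Security's product or code: a protocol-aware filter
# for Modbus/TCP of the kind a firewall in front of a controller can apply.
# Source addresses, unit ids and frames below are constructed.
import struct

# MBAP header: transaction id (2), protocol id (2, always 0), length (2), unit id (1),
# followed by the PDU whose first byte is the function code.
MBAP = struct.Struct(">HHHB")

READ_FUNCTIONS = {1, 2, 3, 4}        # read coils / discrete inputs / holding / input registers
WRITE_FUNCTIONS = {5, 6, 15, 16}     # write single or multiple coils / registers

# Constructed policy: which source may send which function codes to the PLC.
# Anything not listed (unknown hosts, diagnostics, file transfer) is dropped.
POLICY = {
    "10.0.0.10": READ_FUNCTIONS | WRITE_FUNCTIONS,   # HMI run-time server (hypothetical address)
    "10.0.0.20": READ_FUNCTIONS,                      # historian: read only (hypothetical address)
}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode the MBAP header and function code; raise ValueError on malformed frames."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # The length field counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} disagrees with frame size {len(frame)}")
    return {"transaction": tid, "unit": unit, "function": frame[MBAP.size]}


def decide(src_ip: str, frame: bytes) -> tuple:
    """Return ("allow", reason) or ("drop", reason) for one frame from src_ip."""
    try:
        msg = parse_modbus_tcp(frame)
    except ValueError as err:
        # Malformed frames never reach the controller, whoever sent them.
        return ("drop", f"malformed: {err}")
    allowed = POLICY.get(src_ip)
    if allowed is None:
        return ("drop", f"{src_ip} is not an allowed source")
    if msg["function"] not in allowed:
        return ("drop", f"function {msg['function']} not permitted for {src_ip}")
    return ("allow", f"function {msg['function']} to unit {msg['unit']}")


# Constructed sample frames (hex): tid, proto, length, unit, function, data.
READ_HOLDING = bytes.fromhex("00010000000601030000000a")   # FC3: read 10 holding registers from 0
WRITE_SINGLE = bytes.fromhex("0002000000060106000100ff")   # FC6: write 0x00ff to register 1
BAD_LENGTH = bytes.fromhex("0003000000090103")             # length field says 9, only 2 bytes follow

if __name__ == "__main__":
    for src, frame in [("10.0.0.10", WRITE_SINGLE), ("10.0.0.20", WRITE_SINGLE),
                       ("10.0.0.20", READ_HOLDING), ("10.0.0.99", READ_HOLDING),
                       ("10.0.0.10", BAD_LENGTH)]:
        print(src, decide(src, frame))
```

The filter only inspects the header and function code, which is why it can sit inline without changing the controller's behaviour: legitimate reads and writes from the HMI server are forwarded unmodified, and only traffic the policy does not cover is dropped.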
Fence me in
Content access restriction should be judiciously exercised for all mobile devices, even if the user has a high privilege level. Authenticated user content as represented through each access portal should be fenced appropriately, so that it's not possible to control or operate machinery or access sensitive data except from specific locations.
An operator or maintenance person should not be able to operate a machine, for instance, except in the proximity of that machine. However, these users should be able to acknowledge alarms, see events, or access certain data as required or needed from anywhere within the plant.
Fencing can be accomplished by allowing user access to the system based on GPS coordinates or Wi-Fi triangulation of their portal. A third measure for proximity confirmation can be a barcode on the specific machine once the device is inside the fence.
Scanning of a barcode by a smart mobile device at a machine or a specific location can allow deeper level access by a maintenance person. After a scan, content control for the maintenance user could transfer machine control to the mobile device within the fence, blocking or disabling the tethered operator interface. This could be used to prevent remote operation of the machine while the operator was physically and locally present (Figure 2).
Fencing also has the advantage of directing alarms and messages to devices and appropriate personnel who are in proximity of an area needing attention, instead of a general plant-wide broadcast of alarms to everyone. Location-directed alarms and messages aren't a security measure per se, but can improve operational safety of the plant or processes.
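The registration, fencing, barcode escalation and location-directed alarm routing described in the preceding sections can be combined into one HMI-side policy. The following is an added example, not InduSoft's or any vendor's code: it assigns nonregistered portals a lower privilege level, allows alarm acknowledgement anywhere inside the plant, requires a portal to be inside a machine's fence before it may operate that machine, grants maintenance mode (and lockout of the tethered interface) only after the machine's barcode is scanned inside the fence, and routes an alarm only to registered portals inside the fence. The MAC addresses, coordinates, fence radii and barcode labels are constructed. Two caveats belong with it: a MAC address is easily changed, so registration is a coarse filter rather than proof of identity, and the position is whatever the device reports, so fencing limits what a well-behaved portal can do rather than resisting a deliberately falsified location.

```python
# Added example (not InduSoft's or any vendor's code): an HMI-side policy that
# combines device registration, fencing, and barcode-confirmed proximity.
# All MAC addresses, coordinates, radii and barcode labels are constructed.
import math
from dataclasses import dataclass
from typing import Optional

# Constructed registry: MAC address -> user the portal is registered to.
# Caveat: a MAC address is easily changed, so this is a coarse filter, not
# proof of identity; the user still authenticates to the HMI.
REGISTERED_DEVICES = {
    "aa:bb:cc:00:00:01": "alice",   # company tablet registered to alice
    "aa:bb:cc:00:00:02": "bob",     # BYOD phone registered to bob
}

# Constructed machine records: location, fence radius, and the barcode label
# printed on the machine for proximity confirmation.
MACHINES = {
    "press-1": {"lat": 45.0000, "lon": -93.0000, "fence_m": 25.0, "barcode": "PRESS-1-7F3A"},
    "mixer-2": {"lat": 45.0010, "lon": -93.0010, "fence_m": 25.0, "barcode": "MIXER-2-91C0"},
}

# Constructed plant boundary: a 400 m radius around the site centre.
PLANT = {"lat": 45.0005, "lon": -93.0005, "radius_m": 400.0}


def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres (haversine, mean Earth radius)."""
    r = 6_371_000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


@dataclass
class Portal:
    """One request arriving at the HMI from a smart mobile device."""
    mac: str
    user: str
    role: str                      # "viewer", "operator" or "maintenance"
    lat: float                     # position reported by GPS / Wi-Fi triangulation
    lon: float
    barcode: Optional[str] = None  # label scanned at the machine, if any


def authorize(portal, machine_id):
    """Return the set of actions this portal may perform on machine_id."""
    m = MACHINES[machine_id]
    registered = REGISTERED_DEVICES.get(portal.mac) == portal.user
    in_plant = distance_m(portal.lat, portal.lon, PLANT["lat"], PLANT["lon"]) <= PLANT["radius_m"]
    in_fence = distance_m(portal.lat, portal.lon, m["lat"], m["lon"]) <= m["fence_m"]
    scanned = portal.barcode == m["barcode"]

    # Nonregistered portals (including a registered device presented by a
    # different user) get a lower privilege level: status only, inside the plant.
    if not registered:
        return {"view_status"} if in_plant else set()

    actions = {"view_status"}
    if in_plant:
        # Alarm acknowledgement and event history are allowed anywhere in the plant.
        actions |= {"ack_alarms", "view_events"}
    if in_fence and portal.role in ("operator", "maintenance"):
        # Operating the machine requires being inside its fence.
        actions.add("operate")
    if in_fence and scanned and portal.role == "maintenance":
        # Barcode scan confirms proximity: transfer control to the mobile
        # device and lock out the tethered operator interface meanwhile.
        actions |= {"maintenance_mode", "lock_tethered_hmi"}
    return actions


def route_alarm(machine_id, portals):
    """Users whose registered portal is inside the machine's fence (location-directed alarms)."""
    m = MACHINES[machine_id]
    return sorted(
        p.user for p in portals
        if REGISTERED_DEVICES.get(p.mac) == p.user
        and distance_m(p.lat, p.lon, m["lat"], m["lon"]) <= m["fence_m"]
    )


if __name__ == "__main__":
    alice = Portal("aa:bb:cc:00:00:01", "alice", "maintenance", 45.0001, -93.0000, "PRESS-1-7F3A")
    bob = Portal("aa:bb:cc:00:00:02", "bob", "operator", 45.0020, -93.0000)
    print(sorted(authorize(alice, "press-1")))
    print(sorted(authorize(bob, "press-1")))
    print(route_alarm("press-1", [alice, bob]))
```

Because every decision is made at the HMI from the request's attributes, the mobile device itself holds no policy and no process data; changing a fence radius or revoking a device is a change to the HMI configuration only, which is the design point the article makes.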
User level and access management, which is also built into InduSoft Web Studio, can be handled by configuration at the HMI application level, by LDAP (Lightweight Directory Access Protocol) services, or both. According to the user privilege level, content can be displayed appropriate to the needs and/or location of the device and user. Finally, as needed, traffic between the devices and the control system network can be encrypted using built-in SSL, or with a VPN client application on the device.