Cyber security for smart mobile devices

Implementing cyber security at the HMI instead of at the mobile devices results in a simpler and more secure system.

By Richard Clark July 21, 2014

With the advent of smartphones, tablets, and other smart mobile devices in consumer markets, it’s logical to expect expanded use of these devices in industrial automation system monitoring and control applications. Local in-plant and remote access via such smart mobile devices provides a number of benefits including quicker response to events, lower overall costs for operator interface hardware, and reduced travel expenses. For these and other reasons, smart mobile device usage is rapidly expanding in industrial automation applications.

Mobile devices can provide machine status, synchronized data, equipment efficiency content, location-delivered content, role-based content, fencing control, maintenance-by-proximity, machine control, and other functions via a 4G cellular network or Wi-Fi. Some companies will supply these devices to their employees, and others will implement a bring-your-own-device (BYOD) policy.

In either case, addressing cyber security issues will be paramount to prevent mobile devices from interfering with automation system operation, stop intruders from pilfering data, and maintain a high level of performance.

Mobile devices raise concerns

Connecting a machine’s PLC or programmable automation controller to a remote device, usually via an HMI, to push content and allow remote control demands tight system security (Figure 1). Both automation equipment suppliers and end users fear what might happen if the automation enterprise is hacked or the mobile device is stolen.

Without proper application design, authentication, and security, a mobile device could be compromised and valuable data concerning machine and process operation might be exposed to the outside world. Should that machine or process be connected to the rest of the manufacturing facility and to the enterprise directly or through an HMI, as is often the case, the mobile device could provide a path to all sorts of confidential data.

Tethered PC-based and embedded HMIs are used as the main point of operator interface on many machines. These HMIs not only connect to the main machine or process controller, but in many cases to other machines and processes along with upper level computing systems throughout the enterprise. Thus, particular care must be taken when the HMI is the point of interface for mobile devices, which is the typical scenario.

In the worst case, a hacker could use a mobile device to take control of a machine, a process, or even an entire plant if proper security precautions and application design concepts weren’t implemented. This could result in equipment damage, environmental events, and even injury or death. Many prospective users are completely avoiding mobile device connections to automation systems because of cyber security concerns, but there are solutions that can mitigate risks to an acceptable level.

Reducing risk

Modern mobile solutions need to be designed with a different thought paradigm than in the past when most interfaces were provided via traditional tethered devices. Smart mobile devices, whether smartphones, tablets, or wearable computers, should be viewed during the application design phase as generic access portals, or more simply as mobile user interfaces.

These smart mobile devices may or may not be physical company assets, and have the potential to show up anywhere within the control system, hence the need for localized or fenced authenticated user content.

Modern control system designers understand the pervasive and widespread nature of these devices, and the futility of attempting to control their use, whether physically within the plant or physically across the globe. Instead of controlling use, designers should therefore control their access to the control system, with the HMI acting as the gatekeeper.

Various companies, including InduSoft, offer tools that let smart device content be designed into the HMI application and delivered securely to a standard HTML5-compliant browser, so remote access is available through a browser on many different mobile hardware platforms.

Actual production or control data is never physically stored on the smart mobile device, so it cannot be extracted or spoofed in the way it could be from a tethered HMI connected to the run-time server. The smart mobile device only presents the information through a browser interface, according to the configuration of the HMI.

During the design phase, it can’t be assumed that one smart mobile device brand or platform will always be used, or will never change over the course of the application’s lifecycle. Additionally, it can’t be assumed that any unique mobile device will always be used by the same user, even if it is registered on the network to that user.

Mobile devices get stolen, lost, or replaced. Neglecting this fact will result in a huge security hole that can never be patched properly until the application is actually redesigned using correct mobile access security assumptions and considerations. To address all aspects of mobile access security, it’s important that smart mobile devices used as UAPs (user access portals) are properly registered with the control system domain. Users on registered portals can then be assigned a different privilege level than users on nonregistered portals.

It is recognized that device registration is not always possible or reliable, especially if the device is not in the proximity of the domain or physically available for inspection. Should authentication of the device be required, this specific use case can be handled by an authenticating device app issued by the company, or by a registered VPN client on the device requiring additional user authentication and credentials.

Registering smart mobile devices is usually accomplished by using the device’s MAC address as an allowed device on the network. Generally speaking, this technique restricts control system access to only registered devices, whether they are a personal or a company asset.

Further control system filtering can be done using tools from suppliers such as Tofino Security, which are designed to understand automation communications protocols. These tools can thus prevent unauthorized asset access to the control system, such as a device plugged into a USB port, while leaving the control system operationally unaffected.

Fence me in

Content access restriction should be judiciously exercised for all mobile devices, even if the user has a high privilege level. Authenticated user content as represented through each access portal should be fenced appropriately, so that it’s not possible to control or operate machinery or access sensitive data except from specific locations.

An operator or maintenance person should not be able to operate a machine, for instance, except in the proximity of that machine. However, these users should be able to acknowledge alarms, see events, or access certain data as required or needed from anywhere within the plant.

Fencing can be accomplished by allowing user access to the system based on the GPS coordinates or Wi-Fi triangulation of the user’s portal. A third measure for proximity confirmation can be scanning a barcode on the specific machine once the device is inside the fence.

Scanning of a barcode by a smart mobile device at a machine or a specific location can allow deeper level access by a maintenance person. After a scan, content control for the maintenance user could transfer machine control to the mobile device within the fence, blocking or disabling the tethered operator interface. This could be used to prevent remote operation of the machine while the operator was physically and locally present (Figure 2).

Fencing also has the advantage of directing alarms and messages to devices and appropriate personnel who are in proximity of an area needing attention, instead of a general plant-wide broadcast of alarms to everyone. Location-directed alarms and messages aren’t a security measure per se, but can improve operational safety of the plant or processes.

User level and access management, which is also built into InduSoft Web Studio, can be handled either by configuration at the HMI application level, by LDAP (Lightweight Directory Access Protocol) services, or both. According to the user privilege level, content can be displayed appropriate to the needs and location of the device and user. Finally, as needed, content between the devices and the control system network can be encrypted using built-in SSL, or with a VPN client application on the device.
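The gatekeeping described in this section (registered versus nonregistered portals, a plant-wide fence for viewing and acknowledging, a machine-level fence plus a barcode scan for control, and role-based content) can be written as a single access decision made at the HMI. The following is an added example and not InduSoft’s or Tofino’s code; the plant coordinates, MAC addresses, user names, roles and barcode token are constructed sample values, and the GPS position and device MAC are assumed to arrive with each request from the network and the portal.

```python
"""Added example: an HMI-side access decision combining device registration,
user role, plant and machine geofences, and a barcode proximity scan."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional
import math


class Access(IntEnum):
    NONE = 0         # nothing is served to the portal
    VIEW = 1         # status, alarms and events, read-only
    ACKNOWLEDGE = 2  # acknowledge alarms and read data from anywhere in the plant
    CONTROL = 3      # operate the machine from the mobile portal


@dataclass(frozen=True)
class Machine:
    name: str
    lat: float
    lon: float
    fence_m: float   # radius of the proximity fence around the machine
    barcode: str     # token printed on the machine (constructed value)


@dataclass(frozen=True)
class Request:
    device_mac: str            # portal identity as seen by the network
    user: str                  # identity from the HMI/LDAP login
    user_authenticated: bool   # True only after a successful login
    lat: Optional[float]       # None when the portal reports no position
    lon: Optional[float]
    scanned_barcode: Optional[str]


# Constructed sample data: a hypothetical plant modelled as a 500 m circle.
PLANT_LAT, PLANT_LON, PLANT_RADIUS_M = 30.2672, -97.7431, 500.0
REGISTERED_MACS = {"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"}
ROLES = {"alice": "maintenance", "bob": "operator", "carol": "viewer"}
CONTROL_ROLES = {"maintenance", "operator"}
PRESS_3 = Machine("press-3", 30.2672, -97.7431, 25.0, "PRESS3-FENCE-TOKEN")


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres; accurate enough for fence checks."""
    r = 6_371_000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def decide(req: Request, machine: Machine) -> Access:
    # The HMI is the gatekeeper: an unauthenticated or unknown user gets
    # nothing, whatever the device or its location claims.
    if not req.user_authenticated or req.user not in ROLES:
        return Access.NONE
    role = ROLES[req.user]
    registered = req.device_mac.lower() in REGISTERED_MACS

    # No position reported: treat the portal as remote.
    if req.lat is None or req.lon is None:
        return Access.VIEW if registered else Access.NONE

    in_plant = haversine_m(req.lat, req.lon, PLANT_LAT, PLANT_LON) <= PLANT_RADIUS_M
    if not in_plant:
        return Access.VIEW if registered else Access.NONE
    if not registered:
        return Access.VIEW   # personal, unregistered device on site: read-only
    if role not in CONTROL_ROLES:
        return Access.VIEW   # e.g. a viewer role never operates machinery

    in_fence = haversine_m(req.lat, req.lon, machine.lat, machine.lon) <= machine.fence_m
    # CONTROL requires both: inside this machine's fence AND a scan of this
    # machine's barcode. A scan presented from outside the fence is ignored.
    if in_fence and req.scanned_barcode == machine.barcode:
        return Access.CONTROL
    return Access.ACKNOWLEDGE


def tethered_hmi_enabled(access: Access) -> bool:
    """The panel at the machine is blocked while a mobile portal holds CONTROL."""
    return access != Access.CONTROL


if __name__ == "__main__":
    at_machine = Request("aa:bb:cc:dd:ee:01", "alice", True, 30.2672, -97.7431, "PRESS3-FENCE-TOKEN")
    down_the_hall = Request("aa:bb:cc:dd:ee:01", "alice", True, 30.2682, -97.7431, "PRESS3-FENCE-TOKEN")
    for r in (at_machine, down_the_hall):
        a = decide(r, PRESS_3)
        print(f"{r.user} -> {a.name}, tethered panel enabled: {tethered_hmi_enabled(a)}")
```

The ordering of the checks is the point: user authentication comes first because, as noted earlier, device registration is not always possible or reliable; the MAC check then only widens what an already-authenticated user may do, and control is never granted from the plant-wide fence alone, even when the correct barcode value is presented.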

Mobile device use cases

Smart mobile devices are now routinely used in SCADA systems across many industry verticals. These smart devices find their way into industries that need access that is not tethered to a single wired location. Smart devices utilizing multi-touch and multi-gesture interfaces allow the creation of new types of HMI interfaces, which can ease use and increase productivity.

Maintenance users across many varied industries have a particular interest in smart mobile devices. An environmental or other application in a shopping mall (Figure 3), airport, or other large facility will allow maintenance personnel with smart mobile devices to:

  • Control equipment during maintenance intervals or repairs
  • Maintain unmanned sites
  • Adjust system setpoints
  • Operate lighting and program display signage
  • Display alarms and events along with a method to acknowledge each
  • Access data about the system while tuning or adjusting setpoints, and
  • Get maintenance or repair content, diagrams, and information about a particular piece of equipment or process functionality at the location where it is needed.

In addition to maintenance work, operator interface extensions can be added to smart mobile devices. For example, Google Glass can be used to read bar codes in a hands-free fashion. These and other operator interface innovations are increasingly finding their way into applications including machine control, process control, robot programming, CRM and ERP applications, batch and inventory control, and conveying systems.

Mobile smart devices can be used to expand an operator’s or a manager’s ability to safely interact with machines because of the ability to fence the device and provide location-related content based on user access. Creating applications and interfaces for SCADA and process control using proper smart mobile device security and access control is the key to efficient operation while preventing security breaches by untrained personnel or outside actors.

Implementing the cyber security measures listed in the table and described above will go a long way to reducing the risk of intrusion, but users must be aware that some hazards will remain. As with all complex systems with multiple human users and interactions, it’s impossible to anticipate or eliminate all risks. Instead, users must reduce risk to an acceptable level such that gains from the use of mobile devices outweigh possible problems.

If cyber security is the primary design goal, then application safety should be second, with application functionality and operability following in third and fourth places. A properly designed system will take these priorities into account, and implement measures accordingly. The key to security with mobile access is authenticating the device within the system fencing restrictions, authenticating the user of the device to the system, and restricting content to what is needed for the user and area.

Richard Clark is a network security engineer for the InduSoft division of Schneider Electric. 

Key concepts:

  • Mobile devices have moved into industrial applications, for better or worse, in spite of security concerns.
  • Network engineers and administrators often have to play catch-up as uses of mobile devices proliferate.
  • Tools are available to reduce risks associated with mobile devices, but they must be implemented appropriately.

ONLINE

For more information, visit:

www.indusoft.com

www.tofinosecurity.com
