Open and secure controls

Making control systems more open and interoperable also have made them more vulnerable to malicious acts, internal and external. A control system can be open, interoperable, and secure but that requires stringent attention to system design and plant-wide policies, procedures, and available technologies.

06/01/2004


This article includes online extra material.

Making control systems more open and interoperable also have made them more vulnerable to malicious acts, internal and external. A control system can be open, interoperable, and secure but that requires stringent attention to system design and plant-wide policies, procedures, and available technologies. In recent months, the call intensifies to augment controls and automation security... not only from people with something to sell.

Have you actively participated in your plant-wide security plan, and adapted it appropriately for your control systems? To avoid what some have called "plug and plague," you need take the following steps:

  1. Dispel myths that feed a false sense of security. Common misconceptions include that security is an IT problem and that obscurity (of PLCs, DCS, embedded or other controls) provides security (most breaches are from the inside). Another fallacy is that a firewall is all that's needed for protection (laptops, which can travel, account for the vast majority of virus imports into a system).

  2. Do a security assessment of risk analysis, including those in control engineering, IT, and others. Rank risks and assess present and proposed safeguards. At the center of any plan are plant assets, and, moving outward, are operating system security (and remote access), application security, intrusion detection, anti-virus protection, firewall, and backups/disaster recovery.

  3. Establish rules, communicate and train, and enforce the rules. Visibility and consistency help thwart those who might consider causing trouble, and can help avoid unintentionally opening your systems to attack.

  4. Implement technologies to support security measures. Patches and updates help. For instance, Microsoft says its Windows Server 2003 switches off many functions by default, curtails network access if a password is left blank, and reduces "attack surface" by 60%.

  5. Consider security with any changes; validate and manage updates; and make appropriate changes to related documentation and training. It's not a one-time effort; you need to assess, audit, check, revise, train, and do it all again regularly. Consider security intrinsic to every change.

While mayhem is a mainstay of general media reporting, Control Engineering remains an advocate for helping readers avoid problems; I'd really rather you take security seriously than write about your disasters later. Please read "Technology Update: Cyber security guidance," an Online Extra to this issue. Also, find more tips with links to seven other items (sources for this info) with this piece online, in the June 2004 archive at www.controleng.com .

MHoske@cfemedia.com


More security tips; links to previous coverage

What’s the root cause of most control system security problems? Inadequate or nonexistent security procedures, because the system predates the time when security became a fundamental design requirement, suggests Marcos Taccolini, chief technology officer at InduSoft. He says systems need to be protected through design, development, deployment, and consistent communications to all with system access. Think about points where a system could be vulnerable and take advantage of available technologies, including encryption and passwords (enabled by default). All systems have weaknesses, he says; issues include privacy, data integrity, and authenticity at end devices, in protocol, applications, and network devices.

Taccolini advises that end-users follow client/server security fundamentals, make a secure server, use a firewall to restrict access to server, filter IP addresses, filter by TCP port, authenticate all data, encrypt communications, authenticate the server to clients, audit server logs, restrict physical access to server, stay current with operating system and application updates, document and practice disaster recovery procedures, and run virus-protection software. Make only data required for an intranet available in that server, he adds. Taccolini offered advice at a National Manufacturing Week conference session on security, on Feb. 26, 2004, in Chicago.

For related Control Engineering security reading, see:





No comments
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
The Engineering Leaders Under 40 program identifies and gives recognition to young engineers who...
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Sensor-to-cloud interoperability; PID and digital control efficiency; Alarm management system design; Automotive industry advances
Make Big Data and Industrial Internet of Things work for you, 2017 Engineers' Choice Finalists, Avoid control design pitfalls, Managing IIoT processes
Engineering Leaders Under 40; System integration improving packaging operation; Process sensing; PID velocity; Cybersecurity and functional safety
This article collection contains several articles on the Industrial Internet of Things (IIoT) and how it is transforming manufacturing.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

SCADA at the junction, Managing risk through maintenance, Moving at the speed of data
Flexible offshore fire protection; Big Data's impact on operations; Bridging the skills gap; Identifying security risks
The digital oilfield: Utilizing Big Data can yield big savings; Virtualization a real solution; Tracking SIS performance
click me