Protect control systems from the Internet

The plant control system would seem to be one of the best-protected computer networks from those who might seek to do harm. It is typically so removed from the Internet that hackers and viruses should have a difficult time finding the control system. And that's just fine with most control engineers, who know that any connectivity to the Internet increases the potential for mischief.

08/01/2005


But the front offices want immediate access to data from the plant floor. They either need to be able to reach down to the control networks or have what they want sent up. At the same time, local plant officials are pressed to provide more data via enterprise-wide networks to individuals in other locations.

However, any time access is provided to the control network, the control system is exposed.

Typically, large process industry plants have more than one network dedicated to process automation as well as a plant network, which is used for supplementary operations and maintenance functions. Above that is a network used by various business systems.

Firewalls, which help to secure network traffic by providing application-specific filtering to block malicious communications, should be used to block protocols and ports not used by an application, thereby separating and protecting each network. Firewalls also allow parts of the network to be disconnected in the event of an attack. However, firewall use between the business network and the plant network is much less common than a firewall between plant and control networks.

Three options

Here are three ways to deal with potential intrusions into process control systems. Which one to follow depends largely upon the amount of risk you can tolerate and the benefit you're seeking.

1. Isolate the network. The safest approach is to keep the control network locked down, allowing only physical access by authorized persons to the operator stations and connected machines. This is the most restrictive approach, preventing access by others in and outside the plant.

Most systems manufacturers are very protective and would be happy to see control networks untouched by the outside world. Emerson, for example, only allows connection to the plant or business networks through a limited set of workstations on the control network that have been specifically set up to provide this connection.

2. Go ahead and connect. The fast, easy, and reckless approach is simply to connect the control network to the plant and business networks and hope for the best. The worst may never happen, but if it does, consequences may be difficult to explain.

3. Make connections in an intelligent, controlled fashion. Several things can and should be done to protect control networks:

  • Use firewalls and routers to segment the network properly. Properly established firewalls block specific messages or message types, enabling network administrators to control what sorts of traffic can flow into and out of a control network. If well-known ports, such as the HTTP and RPC ports, must be open, risk of penetration to the control network increases. Unfortunately, these are the same ports that many applications require to be open.

  • Establish policies and procedures for maintaining firewalls and ensure that they are properly configured. Rules should identify who can change the firewall, define permitted changes and provide for oversight. System security is chiefly a process issue—not a technology issue.

  • Protection provided by firewalls can be enhanced through the use of intrusion detection systems, which monitor network traffic to identify inappropriate activity. These systems can help identify when firewalls are ineffective or when an attack is underway through open ports.

  • All the firewalls in the world won't protect a system with weak passwords. Automatically generated passwords are best, but tools are often required to help generate and manage them, such as Password Minder and Password Safe. Finally, keep all non-essential software off computers directly connected to the control network. The more software installed on these computers, the greater the risk of a virus that can disrupt or disable plant operations.
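As an added example (not code from the article or from Emerson), the segmentation policy described above modelled in Python: three tiers with default deny between them, the control network reachable only from the plant network and only at a limited set of designated workstations, the HTTP and RPC ports closed at that boundary, and an audit over a flow log that reports traffic the firewall should have blocked, which is the check an intrusion detection system adds. The address ranges, gateway station list, historian port and flow records are constructed assumptions.

```python
import ipaddress
# Constructed addressing for the article's three tiers. The ranges, the gateway
# station addresses, the historian port (4000) and the flow log are assumptions.
ZONES = {
    "business": ipaddress.ip_network("10.1.0.0/16"),
    "plant": ipaddress.ip_network("10.2.0.0/16"),
    "control": ipaddress.ip_network("10.3.0.0/16"),
}
# The limited set of control-network workstations set up to talk to the plant network.
GATEWAY_STATIONS = {"10.3.0.10", "10.3.0.11"}
# Well-known ports the article warns about, closed at the plant/control boundary.
BLOCKED_AT_CONTROL = {80: "http", 135: "rpc"}

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "outside")

def decide(src, dst, dport):
    """Default-deny between tiers; returns (allowed, reason)."""
    s, d = zone_of(src), zone_of(dst)
    if s == d and s != "outside":
        return True, "intra-zone"
    if d == "control":
        if s != "plant":
            return False, f"{s} may not reach control directly"
        if dst not in GATEWAY_STATIONS:
            return False, "only designated gateway stations are reachable"
        if dport in BLOCKED_AT_CONTROL:
            return False, f"{BLOCKED_AT_CONTROL[dport]} closed at control boundary"
        return True, "plant -> gateway station"
    if s == "control":
        ok = src in GATEWAY_STATIONS and d == "plant"
        return ok, "gateway station -> plant" if ok else "control hosts may not initiate outward"
    if s == "plant" and d == "business":
        return True, "plant reports up to business"
    return False, "no rule"

def audit(flow_log):
    """IDS-style check: return the flows seen on the wire that the policy forbids."""
    flows = [(s, d, int(p)) for s, d, p in (l.split() for l in flow_log.splitlines())]
    return [(s, d, p, decide(s, d, p)[1]) for s, d, p in flows if not decide(s, d, p)[0]]
# Constructed flow records, one "src dst dport" per line; 4000 stands in for a historian poll.
FLOW_LOG = """10.2.5.20 10.3.0.10 4000
10.1.7.3 10.3.0.10 4000
10.2.5.20 10.3.0.10 80
10.2.5.20 10.3.1.50 4000
10.3.0.10 10.2.5.20 4000
10.3.1.50 10.2.5.20 4000
10.2.5.20 10.1.7.3 443"""
```

Running `audit(FLOW_LOG)` reports four of the seven flows: the business host reaching into control, the HTTP request at the control boundary, the poll of a non-gateway control host, and the non-gateway control host initiating outward.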


Author Information

Jon Westbrock is senior technologist at Emerson Process Management.
