Protect control systems from the Internet

The plant control system would seem to be one of the best-protected computer networks from those who might seek to do harm. It is typically so removed from the Internet that hackers and viruses should have a difficult time finding the control system. And that's just fine with most control engineers, who know that any connectivity to the Internet increases the potential for mischief.

08/01/2005


The plant control system would seem to be one of the best-protected computer networks from those who might seek to do harm. It is typically so removed from the Internet that hackers and viruses should have a difficult time finding the control system. And that's just fine with most control engineers, who know that any connectivity to the Internet increases the potential for mischief.

But the front offices want immediate access to data from the plant floor. They either need to be able to reach down to the control networks or have what they want sent up. At the same time, local plant officials are pressed to provide more data via enterprise-wide networks to individuals in other locations.

However, any time access is provided to the control network, the control system is exposed.

Typically, large process industry plants have more than one network dedicated to process automation as well as a plant network, which is used for supplementary operations and maintenance functions. Above that is a network used by various business systems.

Firewalls, which help to secure network traffic by providing application-specific filtering to block malicious communications, should be used to block protocols and ports not used by an application, thereby separating and protecting each network. Firewalls also allow parts of the network to be disconnected in the event of an attack. However, firewall use between the business network and the plant network is much less common than a firewall between plant and control networks.

Three options

Here are three ways to prevent against potential intrusions into process control systems. Which one to follow depends largely upon the amount of risk you can tolerate and the benefit you're seeking.

1. Isolate the network . The safest approach is to keep the control network locked down, allowing only physical access by authorized persons to the operator stations and connected machines. This is the most restrictive approach, preventing access by others in and outside the plant.

Most systems manufacturers are very protective and would be happy to see control networks untouched by the outside world. Emerson, for example, only allows connection to the plant or business networks through a limited set of workstations on the control network that have been specifically set up to provide this connection.

2. Go ahead and connect . The fast, easy, and reckless approach is simply to connect the control network to the plant and business networks and hope for the best. The worst may never happen, but if it does, consequences may be difficult to explain.

3. Make connections in an intelligent, controlled fashion . Several things can and should be done to protect control networks:

  • Use firewalls and routers to segment the network properly. Properly established firewalls block specific messages or message types, enabling network administrators to control what sorts of traffic can flow into and out of a control network. If well-known ports, such as the HTTP and RPC ports, must be open, risk of penetration to the control network increases. Unfortunately, these are the same ports that many applications require to be open.

  • Establish policies and procedures for maintaining firewalls and ensure that they are properly configured. Rules should identify who can change the firewall, define permitted changes and provide for oversight. System security is chiefly a process issue—not a technology issue.

  • Protection provided by firewalls can be enhanced through use of intrusion detection systems, which monitor network traffic to identify inappropriate activity. These systems can help identify when firewalls are ineffective or when an attack is underway through open ports.

  • All the firewalls in the world won't protect a system with weak passwords. Automatically generated passwords are best, but tools are often required to help generate and manage them, such as Password Minder and Password Safe. Finally, keep all non-essential software off computers directly connected to the control network. The more software installed on these computers, the greater the risk of a virus that can disrupt or disable plant operations.


Author Information

Jon Westbrock is senior technologist at Emerson Process Management;




No comments
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
The Engineering Leaders Under 40 program identifies and gives recognition to young engineers who...
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Robotic safety, collaboration, standards; DCS migration tips; IT/OT convergence; 2017 Control Engineering Salary and Career Survey
Integrated mobility; Artificial intelligence; Predictive motion control; Sensors and control system inputs; Asset Management; Cybersecurity
Big Data and IIoT value; Monitoring Big Data; Robotics safety standards and programming; Learning about PID
Featured articles highlight technologies that enable the Industrial Internet of Things, IIoT-related products and strategies to get data more easily to the user.
This article collection contains several articles on how automation and controls are helping human-machine interface (HMI) hardware and software advance.
This digital report will explore several aspects of how IIoT will transform manufacturing in the coming years.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Mobility as the means to offshore innovation; Preventing another Deepwater Horizon; ROVs as subsea robots; SCADA and the radio spectrum
Future of oil and gas projects; Reservoir models; The importance of SCADA to oil and gas
Big Data and bigger solutions; Tablet technologies; SCADA developments
Automation Engineer; Wood Group
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
click me