Social media: Why engineers should be anti-social

You should hold the line on controlling or even barring Internet access from your process control system.

06/03/2009


A recent survey says that IT departments are having arms twisted to relax cyber security rules and allow access to social media sites, such as Twitter or GoogleApps. Such changes are not a good idea for your process control system.

The survey, published by SearchSecurity.com , polled 1,300 IT managers around the world. While these were generally “office” IT applications, the results are something to which process control platform operators should also pay attention. A few survey highlights include:

  • 47% report some users are bypassing security policies to access such platforms;

  • 86% are feeling pressure to allow more access to social networking Websites; and

  • Many lack Web application firewalls.

You may be dealing with some of the same issues. More people want access to Twitter, Facebook, MySpace, GoogleApps, and so forth. While those are useful and appropriate for home and even office use, they have no place on your control system networks.

In April 2007, Control Engineering published an article on 10 control system security threats , as outlined by NERC (North American Electric Reliability Corporation). Looking again at the article, two of the threats apply specifically here:

6. Use of a non-dedicated communications channel for command and control.

This would be the case with Internet-based SCADA. This vulnerability also could include inappropriate use of control system network bandwidth for non-control purposes, such as VoIP (voice over Internet).

“Many IT folks have bought the 'converged network’ line and think it’s OK,” says Bryan Singer, chairman of ISA SP99 committee. “We have seen cameras, VoIP, business systems processing payroll, and a whole host of other issues, cause denial of service conditions on control networks. IT professionals typically look at application performance, and near real time for control is a foreign concept. Taking 300-500 ms extra to receive e-mail or a Webpage is largely unnoticeable; 300-500 ms for control messages or safety messages could be disastrous. Often, what is an acceptable level of saturation or utilization from an IT perspective can spell disaster for controls.”

Kevin Staggs, global security architect for Honeywell Process Solutions, warns that well-meaning individuals can make mistakes about infrastructure since “it costs quite a bit of money to add additional channels, and it’s hard to add infrastructure wiring after the fact. But you really need to understand where the information is and where it needs to flow, and lay out your networks accordingly. Keep the control traffic off the business network and vice versa. Don’t use the same channels. It’s really a bad practice.”

Using the control system for non-control communications, says Bob Huba, DeltaV product manager for Emerson Process Management, “regardless of how much 'extra' bandwidth appears to be available, can only lead to problems getting the mission-critical control information distributed as quickly as possible.”

8. Installation of inappropriate applications on critical host computers.

Most importantly, Todd Stauffer, PCS 7 marketing manager for Siemens says, the control system needs to safely and effectively control the process. “The only necessary applications are those that are directly involved with the control of the process. Additional software programs such as e-mail, games, and media players are not necessary and can make the system vulnerable. To harden the system, it is necessary to remove all unnecessary applications and to prevent new ones from being introduced. Unwanted programs or malware can be introduced any time data is exchanged with the world outside of the control system.”

Marilyn Guhr, marketing manager for Honeywell Process Solutions recalls, “A customer was experiencing slow downs on certain operator stations and they couldn’t figure out what was wrong. The 'problem’ was tracked down to a TV hook-up on the operator station.”

Read the complete article: “ 10 Control System Security Threats

Your control system has one job, and that should be all it does. While connections to larger systems and even the Internet may be necessary for various functional purposes, following somebody’s Twitter account in the control room isn’t one of them.

Read the Control Engineering Cyber Security blog .

—Peter Welander, process industries editor, PWelander@cfemedia.com
Process & Advanced Control Monthly eNewsletter
Register here to select your choice of free eNewsletters .





No comments
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
Each year, a panel of Control Engineering editors and industry expert judges select the System Integrator of the Year Award winners.
Control Engineering Leaders Under 40 identifies and gives recognition to young engineers who...
Learn more about methods used to ensure that the integration between the safety system and the process control...
Adding industrial toughness and reliability to Ethernet eGuide
Technological advances like multiple-in-multiple-out (MIMO) transmitting and receiving
Big plans for small nuclear reactors: Simpler, safer control designs; Smarter manufacturing; Industrial cloud; Mobile HMI; Controls convergence
Virtualization advice: 4 ways splitting servers can help manufacturing; Efficient motion controls; Fill the brain drain; Learn from the HART Plant of the Year
Two sides to process safety: Combining human and technical factors in your program; Preparing HMI graphics for migrations; Mechatronics and safety; Engineers' Choice Awards
The Ask Control Engineering blog covers all aspects of automation, including motors, drives, sensors, motion control, machine control, and embedded systems.
Join this ongoing discussion of machine guarding topics, including solutions assessments, regulatory compliance, gap analysis...
News and comments from Control Engineering process industries editor, Peter Welander.
IMS Research, recently acquired by IHS Inc., is a leading independent supplier of market research and consultancy to the global electronics industry.
This is a blog from the trenches – written by engineers who are implementing and upgrading control systems every day across every industry.
Anthony Baker is a fictitious aggregation of experts from Callisto Integration, providing manufacturing consulting and systems integration.
Integrator Guide

Integrator Guide

Search the online Automation Integrator Guide
 

Create New Listing

Visit the System Integrators page to view past winners of Control Engineering's System Integrator of the Year Award and learn how to enter the competition. You will also find more information on system integrators and Control System Integrators Association.

Case Study Database

Case Study Database

Get more exposure for your case study by uploading it to the Control Engineering case study database, where end-users can identify relevant solutions and explore what the experts are doing to effectively implement a variety of technology and productivity related projects.

These case studies provide examples of how knowledgeable solution providers have used technology, processes and people to create effective and successful implementations in real-world situations. Case studies can be completed by filling out a simple online form where you can outline the project title, abstract, and full story in 1500 words or less; upload photos, videos and a logo.

Click here to visit the Case Study Database and upload your case study.