Viruses and hackers and worms ... oh my!


11/01/2003


Computer viruses and worms are big topics in the IT world. Recent worms and viruses have infected company LANs (local area networks) and even shut down businesses. While these concerns were already important in the IT environment, they had not been as important in the control system environment. With the increasing use of standard Ethernet and Microsoft operating systems in control systems, infection concerns now have to be considered in control system design and support. As proof of this, several companies have had to stop production because of recent attacks and because of actions taken in response to the attacks.

Part of the modern control system engineer's skill set must include knowledge of how to protect networked control systems. The ISA TR99.01 technical report, Security Technologies for Manufacturing and Control Systems, is a good place to read about the technologies you will need to apply.

IT systems generally follow three rules for protection: defend at the edges, detect in the interior, and protect at each system. Defending at the edges means stopping viruses and worms from entering the local network. This includes establishing firewalls, installing email scanners, closing unused ports, and requiring security access control on any communication through the firewall. Detecting in the interior means scanning network traffic for suspect and abnormal activity. Detection can also involve scanning server systems to make sure that approved applications, and only the approved applications, are running. Protecting each system uses virus protection software and personal firewalls on each system.

These same rules can be applied to networked control systems with one important exception. The exception is "protecting at each system." Virus protection software requires continual updates of virus and worm electronic signatures. This usually involves downloading identification files and often requires installing software updates. Unfortunately, it is unacceptable to make these changes without extensive testing and revalidation on validated or critical control systems. Updates can occur several times per week, but testing and validation can take weeks, so it is nearly impossible to keep current, up-to-date virus protection software on validated or critical control systems.

Since we cannot follow the third rule on many networked control systems, the first two rules should be strengthened to take up the load. We can strengthen the first rule by adding firewalls between the control system networks and the rest of the corporate networks. Unprotected control systems are prime targets for infection, and they need multiple layers of protection. Control system networks that connect directly to other business system networks are at risk from viruses and worms, and they put other corporate systems at risk. Firewalls that open only a limited set of ports provide one level of protection. Firewalls should be two-way—in addition to protecting control systems from infection by corporate systems, they must protect corporate systems from the control systems. Access control routers can also be added to augment firewall protection. Access control routers allow only specified systems on one side to access systems on the other side. The control system network can also be designed as a Virtual Local Area Network (VLAN) using intelligent switches. A VLAN isolates its traffic from other LANs, providing an additional measure of protection against broadcast storms and other denial of service (DoS) attacks.
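The boundary design described above (limited ports, two-way rules, and access control that names the specific systems allowed to cross) can be expressed as an explicit allow list evaluated against each flow. The following is an added example, not code from the article or from any product it mentions; the network ranges, host addresses, ports and host roles are constructed for illustration, and a real deployment would express the same policy in the firewall's and router's own rule syntax.

```python
"""Two-way, default-deny policy between a corporate LAN and a control-system
network, evaluated over constructed flow records.  Added example: all
addresses, ports and host roles below are assumptions, not from the article."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CORPORATE_NET = ip_network("10.1.0.0/16")       # assumed corporate LAN
CONTROL_NET = ip_network("192.168.50.0/24")     # assumed control-system VLAN


@dataclass(frozen=True)
class Rule:
    src: str      # initiating host or subnet, CIDR notation
    dst: str      # responding host or subnet, CIDR notation
    proto: str    # "tcp" or "udp"
    port: int     # destination port
    note: str     # why this crossing is permitted


# Explicit allow list in both directions; anything not listed is denied.
# Only named systems may cross, which is the "access control router" idea.
RULES = [
    Rule("10.1.20.5/32", "192.168.50.10/32", "tcp", 1433,
         "corporate reporting server reads the process historian"),
    Rule("192.168.50.0/24", "10.1.1.1/32", "udp", 123,
         "control hosts sync time from the corporate NTP server"),
]


def crosses_boundary(src, dst):
    """True when the flow passes between the corporate and control networks."""
    s, d = ip_address(src), ip_address(dst)
    return ((s in CORPORATE_NET and d in CONTROL_NET) or
            (s in CONTROL_NET and d in CORPORATE_NET))


def evaluate(src, dst, proto, port):
    """Return (decision, reason) for a flow initiated by src toward dst:port.

    decision is "allow", "deny", or "not-seen" (traffic that never reaches
    the boundary firewall, e.g. PLC-to-HMI traffic inside the control VLAN)."""
    if not crosses_boundary(src, dst):
        return "not-seen", "flow does not cross the corporate/control boundary"
    for r in RULES:
        if (ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst)
                and proto == r.proto and port == r.port):
            return "allow", r.note
    return "deny", "default deny: no rule permits this flow"


def audit_rules(rules=RULES):
    """Flag rules that are too broad for a control-network boundary:
    rules that do not actually cross it, or that open a whole subnet
    as destination instead of one named system."""
    findings = []
    for r in rules:
        src_net, dst_net = ip_network(r.src), ip_network(r.dst)
        if not crosses_boundary(src_net.network_address, dst_net.network_address):
            findings.append(f"rule '{r.note}' does not cross the boundary")
        if dst_net.prefixlen < 32:
            findings.append(f"rule '{r.note}' allows a whole subnet as destination")
    return findings


# Constructed sample flows: (src, dst, proto, dst_port)
SAMPLE_FLOWS = [
    ("10.1.20.5", "192.168.50.10", "tcp", 1433),      # permitted historian read
    ("10.1.20.5", "192.168.50.10", "tcp", 445),       # file sharing from corporate: denied
    ("192.168.50.21", "10.1.1.1", "udp", 123),        # permitted time sync
    ("192.168.50.21", "10.1.30.7", "tcp", 445),       # control host reaching out: denied (two-way)
    ("192.168.50.21", "192.168.50.10", "tcp", 502),   # stays inside the VLAN: not seen here
]


def decisions(flows=SAMPLE_FLOWS):
    """Decision for each sample flow, in order."""
    return [evaluate(*f)[0] for f in flows]


if __name__ == "__main__":
    for f, d in zip(SAMPLE_FLOWS, decisions()):
        print(f"{f[0]:>14} -> {f[1]:<14} {f[2]}/{f[3]:<5} {d}")
    print("rule audit:", audit_rules() or "no findings")
```

The fourth flow is the point of the two-way requirement: a control-network host that has been infected must not be able to reach corporate file shares, so the control-to-corporate direction is default-deny as well, with only the time-sync rule permitted. The `audit_rules` check is the kind of review to run before a rule set goes live, because a rule whose destination is a whole subnet silently turns the "specified systems only" design back into an open door.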

Detection within the control system network should also be applied. This includes using Intrusion Detection Systems on the VLAN.
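Detection in the interior, as the second rule and this paragraph describe it, is easier on a control VLAN than on a general office LAN because the traffic is highly repetitive: the same HMIs poll the same controllers on the same ports. The added example below (not code from the article or from any IDS product) learns the set of conversations seen during a clean baseline window, then alerts on any conversation not in that baseline and on any host whose broadcast rate exceeds a limit, which is the broadcast-storm symptom the VLAN is meant to contain. All flow records, addresses and thresholds are constructed for illustration.

```python
"""Baseline-and-deviation detector for a control-system VLAN.  Added example:
the flow records, addresses, ports and thresholds are constructed, not taken
from the article or from any IDS product."""
from collections import Counter

BROADCAST = "192.168.50.255"   # assumed directed-broadcast address of the control VLAN

# Constructed clean-baseline records: (timestamp_sec, src, dst, proto, dst_port)
BASELINE = [
    (0, "192.168.50.21", "192.168.50.10", "tcp", 502),     # HMI polls PLC over Modbus/TCP
    (1, "192.168.50.22", "192.168.50.10", "tcp", 44818),   # engineering workstation, EtherNet/IP
    (2, "192.168.50.21", BROADCAST, "udp", 137),           # routine name-service broadcast
    (3, "192.168.50.22", "192.168.50.10", "tcp", 44818),
]

# Constructed monitored records: one normal poll, one conversation never seen
# before (an HMI opening SMB to a host it has no business talking to), and a
# burst of 60 broadcasts from a single host within a few seconds.
MONITORED = (
    [(100, "192.168.50.21", "192.168.50.10", "tcp", 502)]
    + [(101, "192.168.50.21", "192.168.50.11", "tcp", 445)]
    + [(102 + i // 20, "192.168.50.30", BROADCAST, "udp", 137) for i in range(60)]
)


def learn_baseline(records):
    """Set of (src, dst, proto, port) conversations observed while clean."""
    return {(s, d, p, port) for _, s, d, p, port in records}


def detect(records, baseline, window_sec=10, broadcast_limit=50):
    """Return a list of (alert_type, host, detail) tuples.

    new-conversation: a unicast (src, dst, proto, port) absent from the baseline.
    broadcast-storm:  a host sending more than broadcast_limit broadcasts in one
                      window_sec window (reported once per host and window)."""
    alerts = []
    per_window = Counter()
    for ts, src, dst, proto, port in records:
        if dst == BROADCAST:
            key = (src, ts // window_sec)
            per_window[key] += 1
            if per_window[key] == broadcast_limit + 1:
                alerts.append(("broadcast-storm", src,
                               f"more than {broadcast_limit} broadcasts in {window_sec}s"))
            continue
        if (src, dst, proto, port) not in baseline:
            alerts.append(("new-conversation", src,
                           f"{src} -> {dst} {proto}/{port} not seen in baseline"))
    return alerts


def run_example():
    """Learn from BASELINE, then check MONITORED; returns the alert list."""
    return detect(MONITORED, learn_baseline(BASELINE))


if __name__ == "__main__":
    for kind, host, detail in run_example():
        print(f"[{kind}] {host}: {detail}")
```

The baseline window must be captured while the network is known to be clean, and it must span a full operating cycle (including shift changes and any scheduled batch transfers), or routine traffic will show up as alerts. A detector this simple is deliberately noisy on new conversations; on a control VLAN that is a feature, because a conversation that has never occurred before is exactly what an infected host scanning for neighbours looks like, and every alert is cheap to confirm against the engineering drawings.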

The cost of adding infection protection to control systems is small, and the protection is available as off-the-shelf software. Control system professionals need to understand the technologies of infection protection and must work with IT departments to implement secure interfaces between the control networks and the corporate networks.


Author Information
Dennis Brandl is the president of BR&L Consulting, a consulting firm focusing on manufacturing IT solutions, based in Cary, N.C. dbrandl@brlconsulting.com



