Information access versus security

Striking the right balance between information access and security calls for a layered security approach that’s more about people than technology.

By Brad Hegrat May 25, 2012

With the information-rich plant-floor environment comes an unwelcome wave of cyber security risks. If information gets into the wrong hands, the consequences—from downtime to lost data—could be serious, even catastrophic. Everyone, from engineers to executives, needs better insight into plant-floor operations to meet today’s productivity goals, and a wave of technology advancements is helping—from information-enabled programmable controllers to modern human-machine interface (HMI) technology, which connects people at any level to data they need.

Cyber security culprits aren’t necessarily those with malicious intent. Sometimes manufacturers overextend access to information technology systems and allow too many employees to gain control of processes. For example, multiple controls engineers simultaneously making real-time updates to the system could jeopardize production. Other times, the risk comes from outside the operation: a curious visitor walks up to an HMI and presses the screen, or a trusted third party transmits a virus through the IT remote access system.

A robust security program helps manufacturers leverage the immense benefits of electronic technology while addressing inherent risks; namely, unwanted and potentially destructive events. However, just as no manufacturing operation is exactly the same, there’s no one-size-fits-all security solution.

A successful industrial control system security strategy begins with a thorough asset-based risk assessment of every aspect of an enterprise. That leads to a custom roadmap containing best-practice-based security policies, and often, advanced technologies that help reduce risk and protect manufacturing assets.

As defined by ISA99, a security policy “enables an organization to follow a consistent program for maintaining an acceptable level of security.” This program consists of physical and electronic procedures that govern personnel, components, and software within the manufacturing system. But the work doesn’t stop there. Highly effective security programs require around-the-clock vigilance, attention to detail, and ongoing investment to address new viruses, worms, and other threats that pop up daily.

Laying the security foundation

Securing a manufacturing facility requires a thorough understanding of all aspects of production. Manufacturers then create multiple layers of security designed to protect networked assets, data, and end points. Understanding each layer is the key to security, which helps increase uptime and, ultimately, the bottom line.

A comprehensive security program lays the foundation for balancing security and access to information. Most manufacturers today can only access one or two system aspects, such as network flow data or communication pathways. Without insight into the other system aspects, engineers don’t have access to a vast range of diagnostic and security capabilities, such as protecting devices, control rooms, highly sensitive areas, and other valuable assets.

Build security in layers

Building the optimal security system starts with a cross-functional team. Controls engineers and IT professionals have to combine their knowledge and expertise to create the most effective security program. But bridging the gap between the two groups is tricky because they have different goals, priorities, and procedures.

For example, when dealing with data, IT professionals value confidentiality, then integrity, and lastly, availability. Controls engineers, on the other hand, prioritize these attributes in the opposite order: availability, integrity, and then confidentiality. Also, IT specialists consider 98% uptime great for their business network, but this is unacceptable to most controls engineers responsible for high-profile processes.

This stems in part from different business models. IT specialists have the luxury of horizontal scalability, meaning they can connect multiple hardware or software entities, such as servers, that work as one logical unit. When multiple servers work together as one, the failure of one has little—if any—effect on operations. Controls engineers, on the other hand, are locked into a vertical scalability model in which entities, such as ovens in a food processing plant, do not work as one logical unit. If one oven fails, it impacts overall production, making individual system uptime critical to many manufacturers.

Forward-thinking manufacturers tackle differences like these by finding common ground and focusing on key priorities. The top priority for everyone on the team is securing the manufacturing facility with policies and procedures, as well as physical and electronic barriers for each production zone to ensure system and process uptime. For example, a security policy for the manufacturing zone should address the control equipment itself, the users of that equipment, the connection between control system components, and the interconnections with the business system and other networks.

This cross-functional team should develop comprehensive rules that address all possible users, whether on-site or remote, machine builders or employees, human resources or engineering.

To physically secure valuable assets, manufacturers may limit access to authorized personnel only and enforce a visitor policy that requires outsiders to be tracked or escorted.

Regardless of who poses the production risk, manufacturers must control who can access the system.

Software can be security enabled to help control access and provide capabilities like authentication and role-based authorization. Such services verify the identity of each user who attempts to enter the automation system and grant access only to those authorized to perform particular actions on a system’s features and resources.

A good security policy goes beyond preventing someone from physically tampering with production. It also means developing layers of network security to help protect control and information data. Firewalls around and within an industrial network block traffic, helping prevent unauthorized or unwanted communications. A demilitarized zone (DMZ) adds another layer of defense by creating a neutral place between the manufacturing and enterprise zones to prevent traffic from traveling directly between the two zones. Both firewalls and DMZs help prevent unwanted people, viruses, and spyware from intruding into either zone.

Accessibility balance

But security can’t be set so high that it restricts legitimate access and necessary control of production. Overly tight security may halt the flow of necessary data and ultimately jeopardize production.

To strike a balance, a security plan should follow two guiding principles designed to help manufacturers evaluate potential vulnerabilities and determine mitigation techniques. The Principle of Least Privilege says that manufacturers should give users only the credentials needed to fill a job function, preventing them from accessing things they shouldn’t control, whether within a system or on a particular machine.

For instance, machine builders shouldn’t be able to access confidential data. Likewise, a human resources manager shouldn’t be able to modify a program for a controller. Manufacturers can control access and authentication using a combination of software, remote access servers, intrusion prevention systems, and Unified Threat Management appliances with advanced and adaptive capabilities. These help monitor, log, and control access while allowing users to only view and manipulate necessary applications.

The second tenet, the Principle of Least Route, means that devices are given only the network access needed to fulfill a function. For example, a manufacturer wouldn’t want a technician starting up Line 1, which is the only process he’s been trained on, to change a program on Line 2. That line may be within the technician’s sight and on his network, but he doesn’t have any responsibility or the necessary training to deal with Line 2. In this scenario, policies help prevent accidents, lost productivity, and other undesirable outcomes.
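The two principles can be used both to review existing grants and to decide individual requests. The following is an added example, not code from the article or from any vendor; every role, account, device and asset name is a constructed assumption modelled on the scenarios above.

```python
# Constructed baseline. Least Privilege: the (asset, action) pairs each job
# function needs. Least Route: the assets each device must reach.
ROLE_NEEDS = {
    "line1_technician": {("line1_plc", "start"), ("line1_plc", "view")},
    "controls_engineer": {("line1_plc", "modify_program"),
                          ("line2_plc", "modify_program")},
    "hr_manager": {("hr_database", "view")},
    "machine_builder": {("line2_plc", "modify_program")},
}
DEVICE_NEEDS = {"line1_hmi": {"line1_plc"},
                "remote_access_server": {"line2_plc"}}

# Constructed current state: account -> (role, grants), device -> reachable assets.
ACCOUNTS = {
    "tech_a": ("line1_technician", {("line1_plc", "start"), ("line1_plc", "view"),
                                    ("line2_plc", "modify_program")}),
    "hr_c": ("hr_manager", {("hr_database", "view"),
                            ("line1_plc", "modify_program")}),
    "builder_d": ("machine_builder", {("line2_plc", "modify_program"),
                                      ("hr_database", "view")}),
    "eng_b": ("controls_engineer", {("line1_plc", "modify_program"),
                                    ("line2_plc", "modify_program")}),
}
DEVICE_ROUTES = {"line1_hmi": {"line1_plc", "line2_plc"},
                 "remote_access_server": {"line2_plc"}}

def excess_privileges(accounts=ACCOUNTS, needs=ROLE_NEEDS):
    """Grants an account holds beyond its job function (unknown role: all excess)."""
    out = {}
    for account, (role, granted) in accounts.items():
        extra = granted - needs.get(role, set())
        if extra:
            out[account] = sorted(extra)
    return out

def excess_routes(routes=DEVICE_ROUTES, needs=DEVICE_NEEDS):
    """Assets a device can reach beyond what its function requires."""
    out = {}
    for device, reachable in routes.items():
        extra = reachable - needs.get(device, set())
        if extra:
            out[device] = sorted(extra)
    return out

def authorize(account, device, asset, action):
    """Default deny: both the job function and the device's route must allow it."""
    role = ACCOUNTS.get(account, (None, set()))[0]
    return ((asset, action) in ROLE_NEEDS.get(role, set())
            and asset in DEVICE_NEEDS.get(device, set()))
```

The review functions report drift in the current configuration, while `authorize` decides from the baseline alone, so a stray grant such as the technician's Line 2 entry never becomes usable.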

HMIs open, close doors

The hub of human interaction with technology is the HMI. Much has been said over the years about physically hardening computers so they withstand harsh conditions on the factory floor, but security threats require hardening at a whole new level.

The same best practices that IT professionals apply to enterprise computers should also apply to manufacturing computers. To help protect against system mismanagement, manufacturers should have sound patch management strategies, ample configuration management documentation, and sufficient means to test and roll out anti-virus definitions. Disabling the guest account and implementing a guest policy provides controlled access without compromising security.

Uptime is critical, so manufacturers can’t load computers with too many security tools because this can unnecessarily slow down production. While all computers should deploy and maintain anti-virus and anti-spyware software, manufacturing computers in particular should disable automatic updates and avoid excessive scanning to prevent disrupting production.

Uninstalling or disabling unused components, such as Microsoft Windows programs (for example, Outlook Express) and USB ports, is another best practice. This helps prevent users from performing tasks unrelated to production, such as checking their e-mail or plugging an unauthorized virus-laden USB memory key into a USB port. While seemingly harmless, such activities can result in viruses or unplanned downtime.

Applying these best practices opens the door to a new level of information access, yielding significant benefits. Through an HMI, operators have a dashboard to securely monitor, manage, and control all aspects of production. Taking a layered approach to security provides the foundation for a robust visualization system that helps ensure operators only perform acceptable tasks and guard recipes, processes, and other critical manufacturing information.

As quickly as information access advances, so do the security threats that can lead to catastrophic losses in productivity, assets, and data. A well-planned, comprehensive security strategy enables manufacturers to strike the right balance that optimizes access without jeopardizing production.

– Brad Hegrat is principal security consultant, Rockwell Automation. Edited by Mark T. Hoske, content manager CFE Media, Control Engineering, Plant Engineering, and Consulting-Specifying Engineer. Reach him at
