Get the latest updates on the Coronavirus impact on engineers.Click Here

Keeping an HMI safe after companies stop updating the software

Keeping a human-machine interface (HMI) up-to-date and safe even after companies stop updating the software behind the HMI can be a tricky process.
By Dave Cronberger July 18, 2019
Courtesy: CFE Media

One of the many unique aspects of the manufacturing industry is its diversity of operating systems in terms of purpose, vintage and version.

Besides the real-time operating system of controls, it could be argued the only other operating system within manufacturing is Microsoft Windows. Although that is technically untrue, it certainly covers greater than 90% of the installed base.

It is impossible to update every version of software or the operating system that might be on a machine. It is often the interface of the machine, or rather, a human-machine interface (HMI) where interactions between humans and machines occur.

This is often due to the applications and drivers that interface to a machine, causing many vendors to halt support when they have revised and updated their product. The machine itself has and continues to provide good service and so, despite the lack of support and security fixes, the software continues to run because the machine continues to run.

Worn out parts

This longevity brings an interesting problem – things just wear out. One case in point is printed circuit boards begin to fail as solder joints crack and flash memory fails when the charge in the gates goes away. This brings an opportunity to move the operating system and application to a virtual machine (VM) on newer server hardware.

The HMI is based on a thin client with a touch screen, the required connections to the machine itself and application servers housed in the plant computer room. In addition to examining the traffic on the network, it is possible to apply certificates on the VM and multifactor authentication on the thin client mounted at the machine. This then makes it possible to use policies to control the applications and devices that can be communicated with regularly. This new method also brings forth the use of other services like domain name services (DNS).

DNS’ role in manufacturing

In manufacturing networks, DNS domain name services continue to play a larger role. Eventually, programs for the control systems will no longer hard code the IP address of a device into the program, but refer to it by name or other some form of identification. This will happen as services like DNS continue to be highly reliable. The ability to trust these kinds of systems is crucial now and, in the future, being able to objectively evaluate the trust of that system and other systems will be critical.

To begin, we must assume that nothing can be trusted. From there, we have to classify devices and applications based on what needs remediation and what can actually be remediated. For those plant floor devices that cannot be reconciled, the network must be used to provide the correct degree of isolation and permissions. For those that can be reconciled, certificates and other methods can be added to further identify and classify what applications can be contacted and used by those devices. These same tools can be used to ensure the operator is the correct administrator and has the appropriate permissions to access the remediated machines.

The next step is remote access.

There is so much demand now to lower service costs that it cannot be ignored. One of the approaches is to put a small device in front of every machine that allows, essentially, out of band connectivity. This can become impractical if we intend to ensure the integrity of our plant floor, because there needs to be entry point control for anyone doing remote access against the machine. We need to insert protections so line of sight, for example, can be maintained on any machine that moves in a three-dimensional space. One needs to ensure the person coming in remotely is indeed who they say they are with the proper credentials.

This is where third party cloud-based services may play a role. Users need a security tool that can operate in a manner that allows anyone from anywhere to access the service so the integrity and identity can be ascertained with certainty. In the existing environment with no controls, the issue really must be addressed. Relying on the air gap – physically separating the network for other systems – is not the answer.

This content originally appeared on ISSSource is a CFE Media content partner. Edited by Chris Vavra, production editor, CFE Media,

Dave Cronberger
Author Bio: Dave Cronberger is a solutions architect for Internet of Things at Cisco.