Networks: Production machinery needs better security

Machinery and production systems are increasingly managed over the Internet, making enterprise networks and common network interfaces potentially more vulnerable than ever. Corporate firewalls provide access security against Internet attacks from the outside world. The most harmful programs capable of paralyzing automation systems may be introduced internally. See photo. Links provide help.

By Control Engineering Staff August 28, 2008

Machinery and production systems are increasingly managed over the worldwide Internet via Ethernet. Security is obviously of critical importance throughout the network, but enterprise networking and common network interfaces are potentially more vulnerable than ever. There is, however, an economic solution capable of providing effective protection devices for a distributed architecture, according to Torsten Rössel, director of business development for Innominate Security Technologies AG .

Corporate firewalls provide access security against Internet attacks from the outside world. The most harmful programs capable of paralyzing automation systems, says Rössel, are often introduced internally. A report by the PA Consulting Group says the average damage caused by viruses or worms is around€1.5 million ($2.4 million), and growing at 50-100% per year since the year 2000, according to CERT . Rössel says that defeating such threats must be part of the security strategy of every automated production enterprise.
Rössel points out that it is common in Ethernet-based production networks to find that security issues receive too little consideration. Given the growing connectivity between production and office networks, it is imperative that potential interactions, security consequences, and maintenance costs be considered. As with the development of industrial switches, evaluating the equipment requirements for automation include determination of durability, long life, production availability, ease of use, assembly, installation, and administration.
The consequences of production interruption in the industrial sector, he says, are more serious than office network failures. Firewalls can protect corporate networks from most external intruders. External service technicians have access, however, and employees and visiting consultants with laptops can inadvertently (or deliberately) introduce malicious software behind the external firewall. The so-called security cordon of firewalls at border crossings between departments often does not provide adequate protection. Effective decentralized approaches are required — referred to as “defense in depth” and “endpoint security” in the literature — as are corresponding systems for the security of endpoint devices. In principle, architectures with small, distributed security systems are preferred.
In a 2006 study, industrial network planners Roewaplan AG in Germany compared the total cost of distributed and centralized security architectures. In a centralized approach, production system wiring leads to high initial investment costs. The concentration of data terminals in the production area is usually low, so that the utilization of switch and router modules for a centralized architecture is not high enough to be cost-effective.
Machinery and production systems today are being interconnected to the outside world via Ethernet-based networks Rössel concludes, and this trend ensures high flexibility and cost savings. The traditional network interfaces are vulnerable, however, as much as corporate network access over the Internet.
For help, also see:

Cyber security for control systems: More tips, warnings from INL

10 Control System Security Threats

C.G. Masi , senior editor
Control Engineering Machine Control eNewsletter
Register here and scroll down to select your choice of eNewsletters free.