Protect control systems from the Internet

The plant control system would seem to be one of the best-protected computer networks from those who might seek to do harm. It is typically so removed from the Internet that hackers and viruses should have a difficult time finding the control system. And that's just fine with most control engineers, who know that any connectivity to the Internet increases the potential for mischief.

08/01/2005

But the front offices want immediate access to data from the plant floor. They either need to be able to reach down to the control networks or have what they want sent up. At the same time, local plant officials are pressed to provide more data via enterprise-wide networks to individuals in other locations.

However, any time access is provided to the control network, the control system is exposed.

Typically, large process industry plants have more than one network dedicated to process automation as well as a plant network, which is used for supplementary operations and maintenance functions. Above that is a network used by various business systems.

Firewalls secure network traffic by applying application-specific filtering to block malicious communications. They should be used to block the protocols and ports an application does not use, thereby separating and protecting each network. Firewalls also allow parts of the network to be disconnected in the event of an attack. However, a firewall between the business network and the plant network is much less common than one between the plant and control networks.

Three options

Here are three ways to guard against potential intrusions into process control systems. Which one to follow depends largely upon the amount of risk you can tolerate and the benefit you are seeking.

1. Isolate the network. The safest approach is to keep the control network locked down, allowing only physical access by authorized persons to the operator stations and connected machines. This is the most restrictive approach, preventing access by others in and outside the plant.

Most systems manufacturers are very protective and would be happy to see control networks untouched by the outside world. Emerson, for example, only allows connection to the plant or business networks through a limited set of workstations on the control network that have been specifically set up to provide this connection.

2. Go ahead and connect. The fast, easy, and reckless approach is simply to connect the control network to the plant and business networks and hope for the best. The worst may never happen, but if it does, the consequences may be difficult to explain.

3. Make connections in an intelligent, controlled fashion. Several things can and should be done to protect control networks:

  • Use firewalls and routers to segment the network properly. Properly established firewalls block specific messages or message types, enabling network administrators to control what sorts of traffic can flow into and out of a control network. If well-known ports, such as the HTTP and RPC ports, must be open, the risk of penetration into the control network increases. Unfortunately, these are the same ports that many applications require to be open.

  • Establish policies and procedures for maintaining firewalls and ensure that they are properly configured. Rules should identify who can change the firewall, define permitted changes and provide for oversight. System security is chiefly a process issue—not a technology issue.

  • Protection provided by firewalls can be enhanced through use of intrusion detection systems, which monitor network traffic to identify inappropriate activity. These systems can help identify when firewalls are ineffective or when an attack is underway through open ports.

  • All the firewalls in the world won't protect a system with weak passwords. Automatically generated passwords are best, but tools are often required to help generate and manage them, such as Password Minder and Password Safe. Finally, keep all non-essential software off computers directly connected to the control network. The more software installed on these computers, the greater the risk of a virus that can disrupt or disable plant operations.
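The following is an added example, not code from the article or from Emerson, showing how the segmentation and monitoring advice above can be made concrete. It models the three networks the article describes (business, plant, control) as zones with a default-deny policy between them, lets only a designated plant workstation reach the control zone (the limited-workstation approach described under option 1), audits the rule set for the weaknesses the list names (well-known ports such as HTTP and RPC opened into the control network, rules with no owner or change record), and checks a flow log for cross-zone traffic the policy does not permit, which is the kind of finding an intrusion detection system would raise when a firewall is ineffective. All addresses, port numbers, ticket identifiers and log lines are constructed sample values; the log format is an assumption, not any product's format.

```python
"""Zone-based firewall policy audit and flow-log check for a segmented plant
network. Added example; every address, port and log line is constructed."""
from dataclasses import dataclass
import ipaddress
from typing import FrozenSet, List, Optional

# Constructed address ranges for the three zones in the article.
ZONES = {
    "business": ipaddress.ip_network("10.1.0.0/16"),
    "plant": ipaddress.ip_network("10.2.0.0/16"),
    "control": ipaddress.ip_network("10.3.0.0/16"),
}

# Well-known ports the article singles out as risky to open into control.
RISKY_PORTS = {80: "HTTP", 135: "RPC"}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    src_hosts: FrozenSet[str]  # permitted source addresses; empty = any host in zone
    dst_port: int
    proto: str = "tcp"
    owner: str = ""            # who is responsible for the rule (oversight)
    ticket: str = ""           # change record; empty means no audit trail


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it belongs to no known zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_permitted(rules: List[Rule], src_ip: str, dst_ip: str,
                 dst_port: int, proto: str = "tcp") -> bool:
    """Default deny: a cross-zone flow passes only if an explicit rule matches."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return False
    if src_zone == dst_zone:
        return True  # traffic inside one zone does not cross a zone firewall
    for r in rules:
        if (r.src_zone, r.dst_zone, r.dst_port, r.proto) != (src_zone, dst_zone, dst_port, proto):
            continue
        if r.src_hosts and src_ip not in r.src_hosts:
            continue
        return True
    return False


def audit_rules(rules: List[Rule]) -> List[str]:
    """Flag rules that weaken the control zone or lack change-control records."""
    findings = []
    for r in rules:
        label = f"{r.src_zone}->{r.dst_zone}:{r.proto}/{r.dst_port}"
        if r.dst_zone == "control" and r.dst_port in RISKY_PORTS:
            findings.append(f"{label} opens well-known port {RISKY_PORTS[r.dst_port]} into control")
        if r.dst_zone == "control" and not r.src_hosts:
            findings.append(f"{label} allows any {r.src_zone} host to reach control")
        if not r.owner or not r.ticket:
            findings.append(f"{label} has no owner or change ticket")
    return findings


def check_flow_log(rules: List[Rule], log_lines: List[str]) -> List[str]:
    """Return observed flows (constructed format 'src dst proto port') the policy forbids."""
    violations = []
    for line in log_lines:
        src, dst, proto, port = line.split()
        if not is_permitted(rules, src, dst, int(port), proto):
            violations.append(line)
    return violations


# Constructed policy: one designated plant workstation may reach the control
# zone on a single application port; business hosts may reach plant web
# services; the third rule is deliberately poor so the audit has something to catch.
RULES = [
    Rule("plant", "control", frozenset({"10.2.0.10"}), 4000, owner="controls", ticket="CHG-0001"),
    Rule("business", "plant", frozenset(), 443, owner="it", ticket="CHG-0002"),
    Rule("business", "control", frozenset(), 80),
]

# Constructed flow log.
SAMPLE_LOG = [
    "10.2.0.10 10.3.0.5 tcp 4000",  # designated workstation, permitted
    "10.1.0.33 10.2.0.8 tcp 443",   # business reading plant data, permitted
    "10.1.0.33 10.3.0.5 tcp 80",    # passes only because of the poor rule
    "10.1.0.33 10.3.0.5 tcp 135",   # RPC into control with no rule: violation
    "10.3.0.7 10.3.0.5 tcp 502",    # inside the control zone, not filtered
]

if __name__ == "__main__":
    for f in audit_rules(RULES):
        print("policy finding:", f)
    for v in check_flow_log(RULES, SAMPLE_LOG):
        print("unpermitted flow:", v)
```

The two checks are complementary: the rule audit catches the HTTP rule that lets any business host into the control zone before it is deployed, while the flow-log check catches the RPC connection that no rule allows, which in practice means a firewall that was bypassed or misconfigured. The 'owner' and 'ticket' fields are how the change-control policy from the second bullet is made machine-checkable.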


Author Information
Jon Westbrock is senior technologist at Emerson Process Management;