1 August 2002
Securing a future
By Andreas Somogyi
Even devoid of meaning, the name sounds harsh and unpleasant. However, the person who brings down your network, wipes out valuable data, or damages an entire production line might not be a bored, disheveled twenty something locked in his basement with a top-of-the-line PC and criminal intentions.
It might be Lisa in maintenance. Or the new guy down the hall whose name you still can't remember. Most likely, it will be entirely accidental.
As companies evolve toward e-manufacturing, today's plants are becoming more integrated—from shipping to receiving (horizontally) and shop floor to business-level systems (vertically). The reasoning is simple: The tighter the connection between each application, the more information plants can collect, share, and analyze.
By adopting a close-knit architecture, many manufacturers have inadvertently exposed themselves to external and internal network security risks. Fortunately, this isn't cause for insomnia or paranoia.
Historically, companies have viewed manufacturing as an island, detached from other elements in the supply chain. In fact, companies took extreme care to isolate manufacturing from the perceived risks of supplier shortages and demand fluctuations from customers.
While simple to build, this model was both inefficient and rigid. End users were unable to exchange data with business systems, and segregated communications ran throughout the plant.
Today's production processes are tightly coupled with upstream and downstream elements within the supply chain. Those who have embraced the future of manufacturing are now implementing build-to-order, predictive maintenance, and e-procurement programs.
As data from the factory floor becomes more important for daily and real-time business decisions, end users need to take the proper steps to secure this data. This helps ensure that the benefits of a seamless supply chain outweigh the risk of and exposure to information security breaches.
Methodology outs madness
The first step in securing data, networks, and information systems is to define what needs protection. This will vary from company to company. In many cases, it includes hard assets such as the manufacturing process, production equipment, manufacturing facilities, raw material inventory, finished product inventory, personnel, and the environment.
Soft assets such as production data—schedules, rates, capacity, yield—customer data, process conditions, set points, product specs, recipes, operating procedures, and quality data also need protection.
While there is more than one way to address an organization's security issues, the methodology Rockwell Automation uses boils down to four basic areas: situation analysis, design, implementation, and support and maintenance.
After defining assets, the situation analysis phase involves reviewing an organization's existing security policies, soliciting participation from stakeholders, understanding the functional objectives, understanding threats, analyzing risk, and educating employees.
In a typical application, the three main threats are people inside the process control network, people outside the process control network—maybe remotely located—who are trying to access the network, and people outside the company's corporate network.
The person who brings down your network, wipes out valuable data, or damages an entire production line might not be a bored, disheveled twenty something locked in his basement with a top-of-the-line PC and criminal intentions.
Firewalls, which are coming down in price—$500 to $10,000 each, depending on functionality—are also popular.
A typical architecture places firewalls between the Internet and the business-level network. Most think a firewall is all that is necessary to protect a system. A secure system requires much more. Strict access control procedures such as two-way user authentication—password plus PIN—is best.
Security may also involve virtual private networks for remote access, data encryption, digital certificates, intrusion detection software, and the like.
Remote access too risky
The implementation phase involves applying the hardware and software solutions selected during the design phase. Integral to a successful implementation is understanding your process and the needed application functionality identified during the design phase.
For example, firewalls offer many features that need careful consideration prior to selection. Personnel with security implementation experience should configure them.
As the user begins the support and maintenance phase, the most crucial step involves access control. It's enticing to think of being able to sit in a remote office or the comfort of one's home and control the plant, but access to set points and equipment controls needs to be controlled by multiple security mechanisms in a local- or wide-area network.
If the risk is too great, remote access should be limited to monitoring, advising, modeling, and undertaking what-if analysis on information rather than directly interacting with the control environment.
Reusable authorization codes are another common area of concern. Also important are routine updates to the organization's policies, vulnerability analysis, disaster recovery plans, and intrusion detection software. New employees must be aware and keep up to date on their security roles and responsibilities.
The question this entire discourse begs is: "Is the move to an open, integrated architecture worth it?" And the answer is definitely, "Yes."
A tightly coupled enterprise has the potential to be infinitely more agile, lean, and productive than what is possible with disjointed proprietary systems. The advantages far outweigh controllable risks.
Once planned security measures are in place, a company can focus internally and capitalize on a seamless, integrated supply chain. Continuous network uptime and faster return on investments are just the beginning of the potential results. IT
Andreas Somogyi manages the industrial network solution business for Rockwell Automation. Write him at firstname.lastname@example.org.
Return to Previous Page