
Plant-floor security, by the numbers

Count the ways to secure your plant-floor data, networks, and operations

By Nancy Bartels, senior editor -- Manufacturing Business Technology, 3/1/2005 7:00:00 AM

Now that connectivity has come to the plant floor and the old black boxes that powered controllers are giving way to commercial off-the-shelf software, questions about securing data on the plant floor are more pressing than ever. Plant-floor security involves IT and the still-critical business of keeping products and employees safe and secure. To do the job right, you need people with expertise in both IT and operations. Getting your arms around security issues is a big job. There are no quick fixes or simple solutions, but there are some basic parameters that can define the territory.

2 separate but equal challenges

  • Security

  • Safety

Security and safety are interrelated issues. In general, you want to keep your people and environment safe and your physical and intellectual property secure. Sometimes the same procedures will do both. Remember that focusing on one of these and not the other leaves you vulnerable.

One truism: Security is about managing risk. You can never make your plant 100-percent secure. The question is, what is the level of risk your company is prepared to accept?

7 false assumptions

  1. Security issues on the plant floor are the same as in corporate IT and the front office.

  2. Current corporate security policies are all that are needed for the plant.

  3. As long as the firewall is okay, we're okay on the plant floor.

  4. IT has this all figured out and will take care of it.

  5. There are no new issues at the plant level.

  6. If there are, I'm in trouble until the new standards and technologies rescue me.

  7. Because no one knows about my plant-floor network, I have "security by obscurity."

Source: Rockwell Automation

2 rules of thumb for security strategy

  • You only need to protect things that have value to your business, and you should only apply protection in proportion to the value of the items.

  • Plant-floor security is not a destination, but a continuous process.

5 pillars of a sound security plan

  1. People trained in the correct policies and procedures

  2. Policies that clearly define what compliance means and how it is to be carried out

  3. Processes that define the activities outlined in the policies, including products, tools, and methodologies

  4. Procedures that clearly define the steps involved in applying the processes and technologies

  5. Products that address your particular security needs

Source: Rockwell Automation

4 top threats and their causes

  • System breakdown that can halt operations—e.g., viruses, worms

  • Data loss due to insufficient or nonexistent backup

  • Information theft due to lack of access control

  • Manipulation of records due to lack of access control and ID procedures

Source: SFW LLC

Eighty-one percent of the respondents to a recent survey by the FBI and the Computer Security Institute said the most likely source of a security breach was inside the company.

3 reasons to be concerned about plant-floor IT security

  • Successful cyber attacks on process and SCADA systems have increased tenfold since 2000.

  • There are between 100 and 500 unreported attacks every year.

  • Half of those attacked experienced losses of more than $1 million.

Source: Cisco Systems

7 reasons why attacks have increased

  1. There is more alignment of process control and corporate IT systems.

  2. There are more powerful and malicious cyber threats—e.g., worms, viruses, and hackers.

  3. Corporate IT security measures often are not applied to process control systems.

  4. Demands for access to information continue to increase, so that companies need to be connected to the Internet, supply chain partners, wireless applications, and their own extended enterprises.

  5. Intellectual property is becoming more of a competitive advantage.

  6. Web services increase application exposure.

  7. Lost business opportunity results from disruption, and nonperformance is increasing.

Source: Cisco Systems & Rockwell Automation

The first 5 steps to securing your plant floor (and the rest of your operation)

1. Build awareness. Be the bearer of bad tidings if you must. Let senior management know that security is about more than protecting e-mail from viruses. Start getting your plans and policies in place today.

2. Conduct a risk analysis:

a. What assets are you trying to protect?

b. What is their value?

c. What are the potential threats to these assets?

d. What is the impact of a security breach on these assets?

3. Do a detailed audit:

a. Review present policy documents and reports.

b. Gather "people" information. Who knows what about your security?

c. Test your policies and procedures.

d. Evaluate the results.

e. Prioritize the necessary fixes.

Did your security audit tell you that your plant is an accident waiting to happen? What do you do next?

4. Start building rings of defense around your most critical systems.

5. Implement a business continuity and recovery plan.

Source: Info-Tech Research Group

1 rule of security diplomacy

You and your corporate IT staff will have to work together to ensure plant-floor security. You will have to learn to speak one another's language and recognize one another's concerns and constraints. Plant-floor security is a job you will have to handle together.

7 questions to ask about your facility's security

  1. Have I identified the potential threats?

  2. Have I conducted background checks on employees, vendors, and other parties?

  3. Do I have a system for controlling login names and passwords?

  4. Have I implemented policies regarding computer usage and ensured they are followed?

  5. Have I considered enterprisewide information encryption?

  6. Do I control who has physical access to my servers and computers?

  7. Have I trained my employees on security policies and procedures?

Source: SFW LLC

7 more steps to securing plant-floor data

  1. Physically mark computer stations as "classified" so it is easy to see if an unauthorized person is trying to access them.

  2. Add a security layer, such as keycards, to classified workstations.

  3. Physically secure rooms that are hosting classified servers with their own access control systems.

  4. Add network security measures, such as firewalls, to classified servers.

  5. Ensure passwords and roles are being used appropriately and that passwords are changed on a regular basis.

  6. Make sure you back up data regularly. Keep copies off-site. Make sure they are as secure as on-site copies.

  7. Keep up with security and patch updates.

Source: SSW LLC

5 steps to sound patch management

  1. Future-proof your firewall and virus protection systems. Make sure they are adaptable and capable of meeting the challenge of the next virus out there.

  2. Test your patches. Make sure they won't disrupt your processes when installed.

  3. Prioritize your patches. Talk to your system vendor. How critical is the patch? Does it have to be installed right now?

  4. Adhere to open standards. Don't tweak your system and inadvertently create more security holes.

  5. Have a designated patch manager who "owns" the system. Ideally this manager understands both the control and IT environments.

Source: Cisco Systems

2 questions your system should ask potential users

  • Who are you and are you allowed access? (Authorization)

  • Are you allowed to do this procedure from this machine? (Authentication)

3 questions you should ask your system

  • Are you available? Can I do what I need to do when I want to do it?

  • Can you prove I did it? For regulated industries, this documentation is critical for tracking changes.

  • Can you protect my data and my privacy?

Source: Rockwell Automation

© 2009 Reed Business Information, a division of Reed Elsevier Inc. All rights reserved.