Search for a safe haven
Security solutions serve particularly vulnerable manufacturing and supply chain operations
By Malcolm Wheatley, senior contributing editor -- Manufacturing Business Technology, 2/1/2005 12:00:00 AM
Five years ago, sign manufacturer Everbrite LLC reckoned it had a surefire way to stop any bad guys from using the Internet to get at its desktop PCs. Internet access was banned, period.
With a prestige customer base of Fortune 1000 companies, explains Data Communications Administrator Cindi Herzog, the Greenfield, Wis.-based company decided it just could not risk having its IT systems compromised by viruses, worms, hackers, or other threats.
As a policy, it promised security. But it also left the company and its employees unable to exploit the full power of the Internet. So when customers began to demand Web server access to Everbrite-related information, recalls Herzog, it was time to find a less-restrictive approach to security.
The answer? A firewall from Check Point Software Technologies—a security fix that these days protects not just the Web server, but also Everbrite's now happily Web-connected employees, including its road warriors needing remote access. "We're locked down as tightly as we can be," says Herzog. "And when new threats are announced, within minutes I can give my boss a report of the attacks we've been experiencing."
For Check Point Product Manager Bill Jensen, it's a familiar story. With IT systems and networks that stretch from enterprise applications to supervisory control systems on the factory floor, the cost of a security breach in manufacturing is high.
"The security risks facing manufacturers are much greater than those facing other businesses," Jensen warns. "A law firm might find itself unable to access its e-mail for a while—but a manufacturing company might have to stop production."
It's not just that manufacturers face high consequential losses from security glitches. What's worse, adds Sachar Paulus, chief security officer for enterprise vendor SAP AG, is that manufacturers also are especially vulnerable.
"Manufacturers are part of integrated supply chains, reliant upon collaborative trading scenarios and technologies such as RFID," Paulus points out. "From a security perspective, this blurs the boundaries—which is unfortunate, given that a large part of any security strategy relies first on defining and protecting those boundaries."
The sharp boundary between the factory floor and the rest of the enterprise also is evaporating. "Go back 10 years, and just about every network on the shop floor was proprietary, and virtually every automation system was proprietary as well," says Michael Bush, manager of the security division of Rockwell Software.
But with open systems now finding their way onto the factory floor in increasing numbers, a dual threat has emerged. Not only are open systems inherently less secure than proprietary ones, says Bush, but the IT people responsible for them are less experienced in security issues. "Enterprise people have been dealing with open systems for years—but open systems are still relatively new to the plant automation people."
The result? All too often, says Lance Travis, an analyst with Boston-based AMR Research, "you'll find plant automation systems left running [24/7] don't get patched, and actually run on older hardware under operating systems such as Windows NT, for which security fixes are no longer produced."
A world at risk
Even so, how real are the risks? Greater than might be imagined, says Justin Lowe, a consultant with PA Consulting Group, London, and coauthor of The myths and facts behind cyber security risks for industrial control systems, a study carried out with Canada's British Columbia Institute of Technology. According to Lowe, few companies adequately lock down the connection between the plant floor and the corporate network, leaving open some startling vulnerabilities. "We're getting to the point where a firewall [between the business enterprise and plant] ought to be present—but it rarely is," says Lowe.
Some would go even further. Christine Adams, director of cross-industry standards and best-practice body with the Chemical Sector Cybersecurity Program—and an applications and IT infrastructure executive with Dow Chemical, Midland, Mich.—advocates almost complete separation between the plant floor and the corporate network.
Despite the allure of manufacturing control systems and enterprise applications communicating, bringing them any closer together than they already are "is simply too dangerous," she says. "Even though the flow of data usually is one way—from the manufacturing control system to the enterprise application—it's critical that the link be highly secured."
Even at the enterprise level itself, while technology advances may offer manufacturers welcome new capabilities, they also are opening up a whole new can of worms in terms of security vulnerabilities. Francis deSouza, chief executive for messaging solutions supplier IMLogic, likes to tell a story about a PC manufacturer, renowned for its supply chain prowess and customer service, that a year or so back found itself infected by a particularly virulent virus.
"The IT department was surprised, because they'd spent a lot of money on virus protection," says deSouza. "How did the virus get in? They found there was a lot of unsanctioned instant messaging going on. They shut it down—only to get howls of protests from parts of the business such as supply chain and customer support, which relied on it for fast and reliable communication."
Instant messaging is now allowed—but with a management application from IMLogic not only keeping it secure, but also archiving it for knowledge management and compliance purposes.
RFID's rub
Another example involves radio-frequency (RF) "bleed over" or "leakage." Manufacturers are making use of RF technology for network communications and applications such as RFID tagging. Yet the very thing that makes the technology so attractive—that it allows widely dispersed devices to communicate without interconnecting wires—also is its security Achilles' heel.
"When you have a radio wave, you can't control where it goes," says Jeff Aaron, senior product manager of wireless security vendor Airespace. "It can bounce off walls, it can bounce off people, and it can find its way out into the parking lot or onto the street. And potentially, people can be out there reading it."
But when talking security, the word "potentially" takes on new significance. It's not difficult to list threats—Airespace itself, for example, lists dozens of them in a recently published paper it prepared for customers and prospects. The trick is to figure out which threats are worth protecting against, and which aren't.
"As a security researcher, my job is to identify an area of vulnerability and notify people about it," explains Darrin Miller, a security specialist in the critical infrastructure assurance group at Cisco Systems. "But what tends to get lost in the noise is the likelihood of that vulnerability being exploited—it's not as bad as the doom-and-gloom merchants make out. You shouldn't ignore the cyber aspects of a threat or attacker, but if someone wants to do serious damage, there are probably better ways to do more harm, with less risk."
So getting a handle on the real level of threat is important. And not surprisingly, high-priced consultants in the business of evaluating security and threat assessments report a roaring trade. Yet site audits by top-dollar consultants aren't the only way of identifying and evaluating threats.
SAP, for example, recently launched a remote security check service—SAP Security Optimization—that probes a company's systems for approximately 200 known weaknesses over a period of two days.
"Between 70 percent and 80 percent of a business's security requirements can be achieved just by configuring its applications correctly," says SAP's Paulus. During beta testing of the service with live customers, it was found the level of correct configuration tended to be about 20 percent to 30 percent. "We're seeing a lot of interest from the marketplace, and we are increasing the number of people employed to deliver the service," he says.
Even so, a service delivered entirely automatically has to be less costly than one requiring humans. Enter Qualys, which offers vulnerability identification and management as an on-demand Web service used by DuPont, Hershey Foods, and Hewlett-Packard, among others. Some 4,000 vulnerabilities are probed for at the moment, explains CTO and VP of Engineering Gerhard Eschelbeck, with about 20 new ones being added each week.
"This kind of penetration and vulnerability audit usually was done once a year, as a consultancy engagement. Now that it's automated, customers can do it themselves, and do it quickly—which is important, as new vulnerabilities are emerging all the time," he says. "We scan pretty much all the digital assets—from low-end networks on the shop floor to business applications. VPN [virtual private network], VoIP [Voice-over Internet Protocol], wireless—whatever it is, it doesn't matter: we scan it."
But don't overlook the human side of security management, urges Bill Moore, an analyst with ARC Advisory Group, Dedham, Mass. A few basic measures, tools, and security practices go a long way toward reducing the risk from security threats. "There's an old saying that 80 percent of security relies on stopping people from doing stupid things," says Moore.
At one manufacturer Moore is aware of, a virus infected the corporate network because an engineer was frustrated at the amount of time it took for antivirus protection to load when turning his PC on—and so disabled the protection. At another, hackers accessed the network through a modem left hooked up so that employees could dial in from home to check on jobs on the shop floor.
But can a corporate network ever be truly secure? Some security vendors, such as Utimaco, believe as long as information is stored on networks in plain text format, hackers will have an incentive to try and access it. Encrypt the data, and much of the incentive disappears. "Within eight to 10 years, you won't find companies of any significant size continuing to store information in plain text," predicts Walter Loiselle, Utimaco's CTO.
The Department of Defense encrypts stored data using Utimaco technology, and among commercial organizations, financial institutions also are signing up, says Loiselle. The data stored on every one of the laptops belonging to the Territorial Savings Bank of Honolulu, for example, is encrypted using Utimaco technology, as is sensitive information on its corporate network, explains Gary Kahn, Territorial's information security officer. Encryption, he believes, is security's final line of defense. "And if it's good enough for a financial institution, with all the compliance and regulatory requirements it must meet, it ought to be okay for a manufacturing company," Kahn concludes.