Manufacturers are reaping benefits from the convergence of operations and information technology. No longer is information collected with pen and paper. No longer does someone enter data into a spreadsheet from handwritten notes, risking incorrectly entered values. And no longer is data analyzed that’s hours or even days old.
Instead, manufacturers are imagining the possibility of real-time, contextual data available at their fingertips. They’re imagining The Connected Enterprise.
And none of it can be achieved without a communications infrastructure for information sharing. In other words: EtherNet/IP™ technology. Whatever your goals are for The Connected Enterprise, they begin with a network infrastructure that is transparent to its users, secure from threats and capable of real-time delivery of information.
But providing access to information changes the threat landscape. This territory is shaped by malicious hackers, as well as virtuous employees who are all too often unfamiliar with the impact of their seemingly everyday actions. Dangers range from product contamination to loss of intellectual property.
Make no mistake: Open, accessible information is a necessary risk for the future of manufacturing.
Today, you can quickly track and analyze the source of ingredients or components in a finished product, batch or lot. You can understand the conditions under which each product was created and know its final destination. You can have your cake, know where its flour came from, identify if it contains allergens, AND eat it too!
We can do this with confidence because there are ways to minimize security risks, protecting the recipe and protecting your brand. However, the approach to mitigating security risks in a converged plantwide network must be holistic and multilayered, evaluating both external and internal threats.
Protected Environments Spur Innovation
Network security can seem complex. Scratch that - network security IS complex.
But, looking at it through the lens of a manufacturer can better explain some important concepts. Let’s look, for instance, at a hypothetical cookie manufacturer wanting to move from a manual way of measuring ingredients, configuring equipment and reporting on production, to an automated system that can be accessed remotely using EtherNet/IP technology.
After performing an audit of the facility, our manufacturer has discovered the first two opportunities to enhance security. First, all employees do not need the same physical access to production servers and clients. Second, employees outside of the plant will need to be authenticated and authorized to keep out malicious individuals.
Our cookie manufacturer has learned that implementing EtherNet/IP technology will cause employees to interact with equipment in unfamiliar ways. Everyone knows the USB port, for instance, but a USB port on an HMI server or client, while seemingly mundane, requires rules for how it should be used.
What security risk is there in a USB port? The thumb drives appear harmless to who found it until a virus or spyware has been downloaded onto the network that communicates information directly between the manufacturing and enterprise network. That’s intellectual property up for the taking, enabling a competitor to shortcut R&D investments.
And it is not just thumb drives. Often USB ports are viewed as charging stations for phones, music players, etc. Our virtuous employee is unware that these devices can transport viruses and spyware.
That’s why it’s important to limit physical access of devices, machines and control rooms to authorized personnel. For example, a lockout/tagout device will help keep unauthorized access from open ports like a USB.
Because our cookie manufacturer wants to be unhindered in refining and learning from the newly automated process, they want employees to view information from anywhere, anytime. But providing access to employees outside the plant, or even on tablets from anywhere within, means potentially opening up access to a malicious individual also trying to access the network remotely.
What our manufacturer has begun to discover is the importance of network security. In this case, authentication solutions can restrict remote access based on the level of authorization a user has, even completely restricting certain users and providing read-only access to others.
The lesson: protect the physical layer, authenticate and authorize users, and use the appropriate solutions resulting from the initial review of the facility.
Safety in a Complex World
Of course, our hypothetical cookie manufacturer lives in a simpler world than our own. Manufacturers have different types of technology deployed in their plants, and will need to think about security in terms of the devices and applications actually used.
How? A logical topology of the plant should take into consideration each zone from the cell/area zone to the enterprise zone. When connected to an enterprise business system, consider an industrial demilitarized zone that secures sharing between the plant and the larger organization.
Luckily, best practices exist to help navigate the secure deployment of EtherNet/IP technology. To learn more about what you need for a secure industrial network, check out the Design Considerations for Securing Industrial Automation and Control System Networks and the Industrial IP Advantage e-learning series.
EtherNet/IP is a trademark of ODVA, Inc.