Securing the Plant Floor

By Rich Ryan, Vice President, Business Development, Global Manufacturing Solutions, Rockwell Automation May 6, 2005

Recent headlines such as “Is Your Factory Data Safe?” and “Can’t Happen at Your Site?” point to a growing focus on the need for plant-floor security. This isn’t just “crying wolf” but rather a reality check on the current state of affairs, with printed magazines reflecting what control system managers already see firsthand: The factory floor is ripe for security disasters, and anyone with a computer poses a threat.

The challenge we have as manufacturers is in knowing what to protect and how to protect it. In many cases, companies need to protect the systems that provide value to the business, but we need to apply protection in proportion to the risk and value. Having too much security (if there is such a thing) can create unnecessary expenses and restrict accessibility to those with authorized access. But, the lack of security puts people, processes and profits at risk.

So, companies need to evaluate and balance the level of exposure with the business criticality of what is being protected. It’s important to remember that no matter how hard one defends against business disruptions, they can and will happen. The simple act of giving an IP address to a plant-floor device makes it a potential target.

But that doesn’t mean we shouldn’t leverage available technologies to improve manufacturing productivity. It’s possible to build systems that leverage contemporary IT technology, but to apply it blindly without understanding the consequences of the threats isn’t a good business risk.

Identifying the Culprits

The outer layer of the enterprise, normally protected by the IT domain, is essentially the outer fortress wall of the plant floor. This wall employs technologies like firewalls, encryption and patch management to protect us from people we don’t know (i.e., hackers, crackers and script kiddies). Think of what happens when you buy a new PC, take it home and plug it into your DSL or cable modem line. You immediately find that your system is vulnerable to the outside world. The same risks occur in the production system, especially when you“open up” your manufacturing system by connecting it to the corporate IT network and theInternet. By working closely with corporate IT, most manufacturing managers find that this outer fortress wall is properly protected, but knowing how the protection works can help with securing the factory floor as well.

Inside the fortress wall, we find a different problem. Here we’re concerned about critical manufacturing and process knowledge like production schedules, production rates, customer information, process conditions, product specifications, recipes, operating procedures and quality data. Inside we see the need for an additional barrier that isolates and filters plant-floor network traffic from the rest of the enterprise, ensuring that errant or misdirected network traffic (email, SPAM, DOS attacks) is blocked from causing potential harm to intellectual property and production assets.

This is where we need to protect ourselves from people we do know—our employees and partners—not worrying as much about intentional attacks as the accidental ones. This is where companies typically get complacent with security policies. Encryption may not be a critical need here, but capabilities like authentication and role-based authorization are valuable. The issue goes beyond network security to encompass data security, data integrity and network loading as well.

Identifying a Process

So, how do we protect the information inside the perimeter? One way is to implement user authentication at the door between the inner and outer areas, using role, location and process-based authentication. Think of it as the definition and enforcement of who can do what and from where:

  • Who — Would you want your human resource manager modifying a PLC program or forcing an output? Depending on the roles established on the plant floor, engineers and technicians are probably the only ones who should touch the equipment, and these people can be identified by name. We refer to this as role-based security.

  • Where — Would you want engineers forcing an output on a critical process from their office? You would want them close to the process, forced to go to the PC or panel attached locally, so they could quickly ascertain whether they’ve done the right thing. We refer to this as location-based security.

  • What — You wouldn’t want technicians starting up Line 1, which is the only process they’ve been trained on, to change a program on Line 2. Although within their sight, they don’t have any responsibility or training on Line 2. Accidents caused by these types of oversights are commonplace on the plant floor. Isolating to this level is called process-based security.

Having plant-floor technologies with authentication built in makes the application of security much easier. Luckily, many technology tools providers and service consultants, have begun to focus on security as a business critical issue, and can help plan and build an effective defense, using concepts like authentication.

More Than Just Products

Security is not just about technology. According to a white paper written by global networking experts MCI, Inc., The True Meaning of Security , security is only 20% technology. The remaining 80% percent involves process and procedure. This concept is referred to as the “four Ps of security”:

  • People are educated (and follow) the processes and procedures laid out in policies.

  • Policies are put in place by management and describe how people are expected to comply with the processes and procedures.

  • Processes define life cycle activities that are customized in policies and procedures (processes can include products, tools and methodologies).

  • Procedures are the detailed steps involved in applying processes and technology.

The essential message here is that security cannot be assured through products alone. While technology today can provide a baseline for security on many levels, the best-laid plans can be quickly undone by one employee who shortcuts a security process, shares a password or ignores a policy.

Finally, it’s important to see security as an ongoing investment. The challenge we have as manufacturers is in knowing what to protect and how to protect it. Systems, software, employees and other aspects of the business are continually evolving. To properly apply the above policies and maintain a consistently secure environment, companies have to evolve the application of security, too. For companies just starting to think about security, this may seem daunting. But, in the long run, what you secure now will support your future.