Securing the Plant Floor


Recent headlines such as “Is Your Factory Data Safe?” and “Can’t Happen at Your Site?” point to a growing focus on the need for plant-floor security. This isn’t just “crying wolf” but rather a reality check on the current state of affairs, with printed magazines reflecting what control system managers already see firsthand: The factory floor is ripe for security disasters, and anyone with a computer poses a threat.

The challenge we have as manufacturers is in knowing what to protect and how to protect it. In many cases, companies need to protect the systems that provide value to the business, but we need to apply protection in proportion to the risk and value. Having too much security (if there is such a thing) can create unnecessary expenses and restrict accessibility to those with authorized access. But, the lack of security puts people, processes and profits at risk.

So, companies need to evaluate and balance the level of exposure with the business criticality of what is being protected. It’s important to remember that no matter how hard one defends against business disruptions, they can and will happen. The simple act of giving an IP address to a plant-floor device makes it a potential target.

But that doesn’t mean we shouldn’t leverage available technologies to improve manufacturing productivity. It’s possible to build systems that leverage contemporary IT technology, but to apply it blindly without understanding the consequences of the threats isn’t a good business risk.

Identifying the Culprits

The outer layer of the enterprise, normally protected by the IT domain, is essentially the outer fortress wall of the plant floor. This wall employs technologies like firewalls, encryption and patch management to protect us from people we don’t know (i.e., hackers, crackers and script kiddies). Think of what happens when you buy a new PC, take it home and plug it into your DSL or cable modem line. You immediately find that your system is vulnerable to the outside world. The same risks occur in the production system, especially when you“open up” your manufacturing system by connecting it to the corporate IT network and theInternet. By working closely with corporate IT, most manufacturing managers find that this outer fortress wall is properly protected, but knowing how the protection works can help with securing the factory floor as well.

Inside the fortress wall, we find a different problem. Here we’re concerned about critical manufacturing and process knowledge like production schedules, production rates, customer information, process conditions, product specifications, recipes, operating procedures and quality data. Inside we see the need for an additional barrier that isolates and filters plant-floor network traffic from the rest of the enterprise, ensuring that errant or misdirected network traffic (email, SPAM, DOS attacks) is blocked from causing potential harm to intellectual property and production assets.

This is where we need to protect ourselves from people we do know—our employees and partners—not worrying as much about intentional attacks as the accidental ones. This is where companies typically get complacent with security policies. Encryption may not be a critical need here, but capabilities like authentication and role-based authorization are valuable. The issue goes beyond network security to encompass data security, data integrity and network loading as well.

Identifying a Process

So, how do we protect the information inside the perimeter? One way is to implement user authentication at the door between the inner and outer areas, using role, location and process-based authentication. Think of it as the definition and enforcement of who can do what and from where:

  • Who %%MDASSML%% Would you want your human resource manager modifying a PLC program or forcing an output? Depending on the roles established on the plant floor, engineers and technicians are probably the only ones who should touch the equipment, and these people can be identified by name. We refer to this as role-based security.

  • Where %%MDASSML%% Would you want engineers forcing an output on a critical process from their office? You would want them close to the process, forced to go to the PC or panel attached locally, so they could quickly ascertain whether they’ve done the right thing. We refer to this as location-based security.

  • What %%MDASSML%% You wouldn’t want technicians starting up Line 1, which is the only process they’ve been trained on, to change a program on Line 2. Although within their sight, they don’t have any responsibility or training on Line 2. Accidents caused by these types of oversights are commonplace on the plant floor. Isolating to this level is called process-based security.

Having plant-floor technologies with authentication built in makes the application of security much easier. Luckily, many technology tools providers and service consultants, have begun to focus on security as a business critical issue, and can help plan and build an effective defense, using concepts like authentication.

More Than Just Products

Security is not just about technology. According to a white paper written by global networking experts MCI, Inc., The True Meaning of Security , security is only 20% technology. The remaining 80% percent involves process and procedure. This concept is referred to as the “four Ps of security”:

  • People are educated (and follow) the processes and procedures laid out in policies.

  • Policies are put in place by management and describe how people are expected to comply with the processes and procedures.

  • Processes define life cycle activities that are customized in policies and procedures (processes can include products, tools and methodologies).

  • Procedures are the detailed steps involved in applying processes and technology.

The essential message here is that security cannot be assured through products alone. While technology today can provide a baseline for security on many levels, the best-laid plans can be quickly undone by one employee who shortcuts a security process, shares a password or ignores a policy.

Finally, it’s important to see security as an ongoing investment. The challenge we have as manufacturers is in knowing what to protect and how to protect it. Systems, software, employees and other aspects of the business are continually evolving. To properly apply the above policies and maintain a consistently secure environment, companies have to evolve the application of security, too. For companies just starting to think about security, this may seem daunting. But, in the long run, what you secure now will support your future.

Consulting-Specifying Engineer's Product of the Year (POY) contest is the premier award for new products in the HVAC, fire, electrical, and...
Consulting-Specifying Engineer magazine is dedicated to encouraging and recognizing the most talented young individuals...
The MEP Giants program lists the top mechanical, electrical, plumbing, and fire protection engineering firms in the United States.
Exploring fire pumps and systems; Lighting energy codes; Salary survey; Changes to NFPA 20
How to use IPD; 2017 Commissioning Giants; CFDs and harmonic mitigation; Eight steps to determine plumbing system requirements
2017 MEP Giants; Mergers and acquisitions report; ASHRAE 62.1; LEED v4 updates and tips; Understanding overcurrent protection
Power system design for high-performance buildings; mitigating arc flash hazards
Transformers; Electrical system design; Selecting and sizing transformers; Grounded and ungrounded system design, Paralleling generator systems
Commissioning electrical systems; Designing emergency and standby generator systems; VFDs in high-performance buildings
As brand protection manager for Eaton’s Electrical Sector, Tom Grace oversees counterfeit awareness...
Amara Rozgus is chief editor and content manager of Consulting-Specifier Engineer magazine.
IEEE power industry experts bring their combined experience in the electrical power industry...
Michael Heinsdorf, P.E., LEED AP, CDT is an Engineering Specification Writer at ARCOM MasterSpec.
Automation Engineer; Wood Group
System Integrator; Cross Integrated Systems Group
Fire & Life Safety Engineer; Technip USA Inc.
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
click me