by Bryan Singer
Think
of what happens when you buy a new PC, take it home, and plug it into
your high-speed Internet line for the first time. You immediately enter
a world where you can track down information in seconds, rather than in
hours or days. Such a capability can overwhelmingly increase the productivity
of your time. But you also find that your system is exposed to the outside
world. Now you have to guard against information thieves and pranksters
who seem to have no motive except self-entertainment for the damage they
try to do.
The same risks and rewards occur in the modern production system. Internet-based
technology has amply increased the productivity of factories, but the
simple act of giving an Internet protocol access to a plant-floor device
makes it a potential Internet target. Everything on Internet-based systems,
from trade secrets to the main control system of a production line, needs
protection from this new set of risks.
No longer does a miscreant have to enter your premises to take or copy
documents in order to steal your intellectual property or disrupt business
operations. Anyone, anywhere, with a computer can do it over the Internet.
Saboteurs, those who bear you a grudge and those who think damage
is funny, can reach into your system by the same route.
Logging on from a console inside
the control room is proof of having passed several layers of security.
But, there must be some means of identification to establish what
tasks this person may perform.
In managing risk of any kind, including risk associated with our information
systems, the challenge we have as manufacturers is in knowing what to
protect and how to protect it. Companies need to protect the systems that
provide value to their businesses, but they must apply protection in proportion
to the risk and value. Manufacturers face the dual challenge of protecting
information on the shop floor as well as the production processes themselves.
As a result, manufacturers must possess the necessary capabilities to
prevent common security problems while also managing wanted change and
responding to unwanted change.
However, there is no such thing as invincible security. Despite the best
protection available, there are still vulnerabilities that may or may
not be known within an organization. The human element of security always
leaves the possibility of error, and no plan can protect against new threats
to the environment. Consequently, once all the possible prevention methods
are in place, companies must focus on "Plan B" activities,
which will enable the company to recover if a security event does occur.
"Plan B" activities include incident response, post-incident
analysis, and business continuity planning.
Too little security, of course, puts people, processes, and profits at
risk. Having too much security at the wrong time can pose risks of unnecessary
expenses or restrict accessibility to authorized people during emergencies.
Companies need to evaluate and balance the level of exposure with the
value of what is being protected.
For example, for dial-in access to the corporate IT network, it is often
a good idea to deny access to any caller who gets his password wrong three
times in a row. But is striking out on three a good idea, if it bars an
operator racing to shut down a runaway reactor? Unique needs and risks
require a unique balance of security measures.
Security for the Factory Floor
Technologies like firewalls and encryption protect us from people we don't
know: hackers and crackers. Most manufacturing managers find that
these defenses can help with securing the factory floor.
Inside the firewall, we're protecting critical manufacturing and
process knowledge such as production schedules, production rates, customer
information, process conditions, product specifications, recipes, operating
procedures, quality data, and historical data from sensors and control
systems. Here we see the need for an additional barrier that filters network
traffic and isolates the plant floor from the rest of the enterprise,
ensuring that errant network traffic, including e-mail, is blocked from
causing potential harm to intellectual property and production assets.
Inside the firewall we also need to protect ourselves from people we do
know: our employees and partners. In these cases, it is not necessary
to worry as much about intentional attacks as about accidental attacks.
This is also where companies typically get complacent with security policies.
Encryption may not be a critical need here, but capabilities like authentication
and role-based authorization are valuable in ensuring the security of
the plant.
Consider the operator trying to tame the runaway reactor. Logging on from
a console inside the control room is proof of having passed several layers
of security. Even so, there must be some means of identification to establish
what tasks this person entering the network is authorized to perform.
Identifying a Process
So, how do we protect the information and processes inside the perimeter?
One way is to implement user authentication at the door between the inner
and outer areas, using role, location, and process-based authentication.
Think of it as the definition and enforcement of who can do what and from
where.
Depending on the roles established on the plant floor, engineers and technicians
are probably the only ones who should touch the equipment, and user access
should be limited to these people.
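
The "who can do what and from where" rule above, together with the earlier three-strikes question, sketched as an added example (not code from the article or from any vendor). The role, location and process names, the policy table, and the choice to disable lockout at the control-room console are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed policy: (role, location) -> processes that role may operate
# from that location. Anything not listed is denied by default.
POLICY = {
    ("engineer", "control_room"): {"reactor_1", "packaging_line"},
    ("engineer", "dial_in"): {"packaging_line"},
    ("technician", "control_room"): {"packaging_line"},
    ("operator", "control_room"): {"reactor_1"},
}

# Consecutive failed logins tolerated per location. None means "never lock
# out": the console already sits behind physical security, and a lockout
# there could bar an operator during an emergency (an assumed trade-off).
MAX_FAILURES = {"dial_in": 3, "control_room": None}


@dataclass
class AccessGate:
    failures: dict = field(default_factory=dict)  # (user, location) -> count
    audit: list = field(default_factory=list)     # every decision is recorded

    def login(self, user, location, password_ok):
        key = (user, location)
        limit = MAX_FAILURES.get(location, 3)  # unknown locations get the strict rule
        if limit is not None and self.failures.get(key, 0) >= limit:
            self.audit.append((user, location, "locked_out"))
            return False
        if password_ok:
            self.failures[key] = 0
            self.audit.append((user, location, "login_ok"))
            return True
        self.failures[key] = self.failures.get(key, 0) + 1
        self.audit.append((user, location, "login_failed"))
        return False

    def authorize(self, role, location, process):
        # Role, location and process must all match one policy entry.
        allowed = process in POLICY.get((role, location), set())
        self.audit.append((role, location, process, "allow" if allowed else "deny"))
        return allowed
```

Failed console logins are still written to the audit list, so repeated failures in the control room can raise an alarm even though they never lock the account.
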
If there is a critical process that must be overseen by engineers, they
may need to be close to the process. Having plant floor technologies with
authentication built in makes the application of security much easier.
Many technology providers and service consultants, including Rockwell
Automation, have begun to focus on security as a critical business issue,
and can help plan and build an effective defense, using concepts like
authentication.
No Shortcuts
Security is not just about technology. A white paper titled "The
True Meaning of Security," issued by a company that knows about
global networking, MCI Inc., concludes that security is only 20 percent
technology. The remaining 80 percent involves what the paper calls "the
four Ps of security": People, Policies, Processes, and Procedures.
People must know security processes and procedures, and must follow them.
Continual training is necessary to keep employees informed and aware of
what they must do to protect the factory and its information.
Policies are put in place by management and describe how people are expected
to comply with the processes and procedures, and management must enforce
those policies and procedures. Processes are the systematic series of actions
needed to accomplish a goal, in this case, to protect business assets.
Procedures are the detailed steps that carry out the security policy.
The essential message here is that, while technology today can provide
a baseline for security on many levels, the best-laid plans can be quickly
undone by one employee who shortcuts a security process, shares a password,
or ignores a policy. Applying the four Ps of security requires a company-wide
investment in training and constant communication with employees. But,
it offers the best return and creates an environment that stresses security
as a critical business function.
It's important to see security as an ongoing investment. Systems,
software, employees, and other aspects of business are continually evolving.
To properly apply the four Ps and maintain a consistently secure environment,
companies have to evolve the application of security, too.
For companies just starting to think about security, this may seem daunting.
But, in the long run, what you secure now will support your future.
Bryan Singer is a senior business consultant at
Rockwell Automation and chairman of the Instrumentation, Systems, and
Automation Society's SP-99 committee on manufacturing and control
systems security.
© 2005 by The American Society
of Mechanical Engineers