getting more attention. As Redmond, Wash.-based software giant Microsoft Corp. has proven in the IT world, the operating system is a critical component that can be exploited by hackers. Its applications packages are also vulnerable, as are those of other suppliers in both industrial and front-office markets.
 
This software is as important as firewalls when managers are building the walls that isolate their equipment. “You only need one weak link to get in,” says Ganesh Devarajan, Associate Security Analyst for TippingPoint Technology’s DV Labs group. “Operating system vulnerabilities play a big role. After them come application program vulnerabilities.”

A number of operating systems now partition tasks so that a problem in one section can’t jump to another section. That largely eliminates the ability of malicious software to spread throughout a facility. This technique, sometimes called padded cell technology, was first used in aircraft and defense applications. It’s now expanding rapidly into industrial applications.

“When you have a secure operating system, it lets you create systems with far higher security,” says Dave Kleidermacher, chief technology officer at Green Hills Software Inc., of Santa Barbara, Calif. “Even if someone hacks in through your browser, you can isolate nodes.”

In environments where migrating to newer, more secure operating systems isn’t viable, there are software tools that can isolate sections. For example, these tools prevent messages from entering unauthorized areas and a critical area with expensive equipment. “If one sub-net is not supposed to talk to another, we ensure that they don’t
communicate,” Devarajan says.

Ongoing challenges

The task of setting up networking security systems is a bit like being given a pet, it’s a gift that keeps on giving. Those who create viruses and other maladies will constantly be finding new vulnerabilities, and equipment in the plant is likely to change.

That’s increasingly true in flexible factories, where the links between equipment change continuously. In facilities that remain constant, constantly creating the same product, there will still be alterations.

“This is a dynamic field, and you’re never really finished. Even if hardware is static, there will be changes in software that open potential vulnerabilities,” Pederson says.

Software upgrades are one area of constant revision. Improvements come sporadically, and they may not always provide enough benefit to warrant installation. But patches are another story. Many of them will be critical from the security side, closing openings that weren’t recognized until well after the program was shipped.

In industrial applications, patches are often installed months after they’re issued. That creates opportunities for those who want to exploit openings that can often be attacked successfully using free programs accessible online to anyone. Software and service providers are providing systems that step in during these gaps.

“We put a security device outside the network. It monitors traffic so things can’t enter and attack ports that haven’t been patched,” Devarajan says. The 3Com company provides intrusion detection tools.

That was important for IESO late last year, when a virus sprang up quickly. “When there was an issue with Microsoft’s Web browser, something was released into the wild and there wasn’t a patch out. We took advantage of the TippingPoint tools to make sure it didn’t come into our network,” Blakely says.