Open networks have helped many companies to significantly boost productivity, but they’ve also opened up the potential for problems that come with broader access. Safeguarding industrial networks from viruses, hackers and even employees unauthorized to get into protected areas continues to get more focus, but with a twist.

Security is now being examined with more of an eye toward controlling costs. As companies race to upgrade their protection technologies and processes, their actions are being examined more closely, with less chance that information technology managers can dictate in the name of security what others can or can’t do. For many, that’s a significant change from a time when security was considered something of a black art that couldn’t be quantified for cost justification.

Concern about security is still new for many companies. The transition from proprietary industrial networks to Ethernet and Transmission Control Protocol/Internet Protocol (TCP/IP) that cut costs and opened communications throughout the enterprise didn’t bring all the issues of Internet security to the production environment. But it did open the door for far more security issues than plant managers were used to.

As with physical security, giving more people access to a network raises a number of complex issues. “Companies need to think about why they need a door. By opening it up, what are they trying to do and how far should they open it?” says Jeremy Bryant, networking specialist at automation vendor Siemens Energy & Automation Inc., in Alpharetta, Ga.
Controlling who comes in through these portals and keeping track of what they do once they’re in is coming into the spotlight at many companies. Security in plants has often been run by the Information Technology (IT) staffs that handle front-office networks. That trend has increased as the use of Ethernet and TCP/IP protocols expanded from the business side to the production facility.

In today’s uncertain economy, these groups are coming under more scrutiny. Executives who have given IT staffs a fairly loose leash are now reining them in, demanding more accountability for expenditures.

“After the Y2K and dot-com era, people got away with a blank check mentality. But lately, companies are saying they need better cost justification. Unless management sees benefits, IT projects won’t get budgeted,” says Bryan Singer, vice president of professional services at Wurldtech Security Technologies Inc., a Vancouver, British Columbia, Canada-based provider of industrial cyber security solutions.

Shifting focus

 Now that Ethernet is taking over the industrial networking space, the focus for industry consortia and other groups is beginning to shift to security. Compatibility and other issues are closer to being resolved, freeing time to address other facets of networking. Most observers feel that there’s high potential that extortionists and other criminal types may take aim at industry. Making sure that industrial control networks aren’t shut down is becoming a major effort for many industry groups.

“We’re taking a look at the spectrum of cyber security tools. We’re also examining the language to put into requests for proposal so that companies can get some commonality in their proposals,” says Michael Torppey, technical manager for the Process Control Systems Forum. Torppey is senior principal at Noblis Inc., the Falls Church, Va., company that manages the PCFS.

There are myriad tools and a number of different processes that provide varying degrees of success in different environments. But there aren’t many ways for companies to know whether their investments in either time or effort are paying off.

Some techniques and tools overlap, and processes that are very effective in one organization may have little impact in another. Picking the right elements is a key factor when security initiatives begin. Once managers have determined their strategies and made their moves, it’s often difficult to determine how to invest in further upgrades and improvements. “Measuring the success of security is a very big challenge,” Singer says.

Though it’s not easy, it’s a necessary part of efficient management. When money is tight, companies need solid rationales for investing time and money in security. That begins with determining which aspects of the business warrant extra attention. “Companies need to perform a risk analysis, taking a look at revenue-producing activities. They need to determine how much impact each type of attack could have on their company,” Torppey says.

Many companies haven’t really looked at their production facilities with the same focus on risk aversion that’s been given to front-office operations. “Disaster recovery is part of any business continuity plan, but nothing that mirrors that exists in many manufacturing sites,” ...