Network Security Comes Under Spotlight: Page 3 of 3

Feature Article
track of these changes, the results can be as disastrous as when front-office files are hit by viruses or other attacks.

“Often, there are small changes and applications that migrate throughout the plant. You can find that if you lost a PLC, replacing it is not as easy as starting from scratch. It’s more complex than, say, replacing a Web server,” Hegrat says.

One bright spot for plant managers is that the availability of tools that meet industrial needs is growing. “Last year, we saw a number of improvements in technical areas and introduced new concepts in the crossover space between control systems and IT,” Torppey says.

People and processes

It’s rare that an in-depth discussion of network security doesn’t get around to human factors. If employees don’t take security seriously, doing things like picking easy-to-guess passwords or taping them to screens, even the best strategy and equipment won’t do much good.

Just as business and manufacturing processes separate market leaders from the rest of the pack, the processes for implementing network security will have a key role in reducing the number of problems caused by network disruptions.

“Most problems are not necessarily technically related. Many are process- and people-oriented, so buying technology won’t have any impact. Addressing that comes down to organizational structure and training,” Hegrat says. He notes that just because an HMI has the ability to browse the Web doesn’t mean that operators should use that function.

Limiting access to equipment within the plant is another way to reduce the potential for error. Most studies say that a fair number of network problems are caused by employees, often those who feel they’re doing something for the benefit of the company. An employee who thinks he can improve quality by altering a couple of machines can cause serious problems. “In control systems, security can include anything that causes a disruption in the process, whether it’s internal or external, malicious or not,” Hegrat says.

Keeping well-meaning employees, as well as those with malicious intent, away from most systems in the plant is an important aspect of protection schemes. Most employees only need to talk to one or two machines in the facility. “Some people need to talk to certain equipment. It’s easy to limit them to only that equipment,” Hegrat says. One way to accomplish that is to limit password access to specific devices, he adds.

Though using Ethernet throughout the entire enterprise makes it possible for front-office personnel to inadvertently impact operations on the production line, most observers say that’s not much of an issue in most facilities. In reality, few office people will be able to do much damage in the factory. “People in the front office usually don’t have the software to access a programmable logic controller. If they do, the firewall shouldn’t have them in the IP addresses allowed, so they shouldn’t be able to get in,” Hegrat says.

“Corporations don’t treat someone who sticks their password onto the computer with a sticky note the same as someone who hangs their access card next to the front door, but it’s the same thing,” says Shaye Shayegani, senior field applications engineer at Lantronix Inc., a device networking solutions provider based in Irvine, Calif.

Companies can also use these passwords to establish a tiered structure for human access. Many companies give most employees similar access levels, but that’s often not the best approach. “Passwords are about authorization for what you can and cannot do, like applying domain policies that determine things like who can upload or download programs,” says Bill Lewins, a requirements analyst at Rockwell Automation in Milwaukee.

Alternatively, companies can restrict personnel to specific systems or limit the ways they can communicate. “We limit people to certain computers and protocols,” says James Davis, senior application engineer at Opto 22. He notes that as a way to provide additional security, the server automatically records everyone who accesses control programs.

While controlling people’s access is a big aspect of security, many companies do their best to automate communications so that people aren’t involved unless their decision-making input is required. “Machine-to-machine communications are easier, since the machines always follow procedure. They make sure they only send and accept messages from authorized equipment,” adds Shayegani.
 
