Configuring for Security
The most important thing you can do to secure your network involves people.
We’re beginning the second year of Automation World’s Industrial Ethernet Review. Actually meant to cover all the technologies associated with Ethernet, this Special Report takes a dive into various hot topics concerned with industrial networking based on Ethernet.
Security has perhaps been the greatest concern for engineers and information technology (IT) professionals since the first industrial networks were put in place to connect machines and plant control to other devices. Once a wire is connected to a controller, the possibility exists for unauthorized entry that could result in catastrophic situations. Now that most networks are also connected to the Internet, that potential entry is expanded to the entire world.
Contributing Editor Terry Costlow will be writing all four quarterly issues of the IER. This month, he dives into the security issue by interviewing several acknowledged experts in the field. The actual technologies are fairly well known - even though they can always bear repeating. The most essential security measures have nothing to do with technology. The most important thing you can do to secure your network involves people. Make sure that appropriate security policies are in place and that people are regularly reminded of them and their importance. Simple things such as not writing passwords on sticky notes attached to computer monitors can save you much grief. We are reminded again that engineers must learn networking skills in addition to control and manufacturing skills.
Follow-up Webcast
The information featured in this month’s publication will be expanded into a Webcast on March 8 with a stellar lineup of speakers. This will also be an excellent opportunity for you to ask them the hard questions. You can register for the Webcast at www.automationworld.com/webcasts.
Isolationism, Cultured Staffs Help Protect Networks
Awareness of industrial network security issues is on the rise, but much work is still needed to keep factory systems safe from cyber attackers.
It’s no longer a secret that industrial networks are susceptible to viruses and hacker attacks. But though awareness has risen, the actions taken to prevent problems still range from minimal measures to isolation with many layers of protection.
As broader use of networking and closer ties to front offices have helped drive a shift to Ethernet, this change also brings the increased threat of viruses, hack attacks and other issues that plague corporate information technology departments. Well-intentioned employees can cause as many problems as malicious people, whether they’re disgruntled employees or nefarious outsiders.
Although the threat is now widely understood, security is often pushed back by more pressing concerns. “Those who aren’t focused on security know it’s important, but it’s just not a focus for them. Generally that changes when something occurs that makes them more aware,” says Bill Lewins, a requirements analyst who focuses on software security for Rockwell Automation Inc., the big, Milwaukee-based automation vendor.
There’s some good news for those who view network security as an issue that can wait until tomorrow, since attacks aren’t increasing rapidly at present. But the downside is that those who take the time to burrow into manufacturing networks know what they’re doing.
“We’re no longer seeing a spike in incidents, but their severity is going up. As in information technology (IT), we’re seeing more focused, intelligent attacks that have a goal of making as much money as possible,” says Eric Byres, chief executive officer of Byres Security Inc., an industrial security services and consulting firm based in Lantzville, British Columbia, Canada.
A growing number of those attacks involve extortion. Hackers show that they can get into critical portions of a network, then ask for cash not to deploy their programs. A handful of utilities have paid extortion, and it’s likely that manufacturing companies will also be targeted. These attacks are more difficult to defend against than those from hackers out for kicks, forcing a change in protective schemes.
“It’s important to set up a tiered structure, with each cell protected from the others,” says Todd Stauffer, Process Automation marketing manager at automation solutions provider Siemens Energy & Automation Inc., in Spring House, Pa.
Hands-on Approach to Controls
Radiator Specialty Co. relies on industrial personal computers and Ethernet networking technologies for its packaging machinery operations.
Radiator Specialty Co., maker of Gunk, Liquid Wrench, and other well-known products aimed at car and consumer markets, takes an unusually hands-on approach to packaging machinery controls at its Charlotte, NC, headquarters facility. The firm’s controls specialists are big believers in industrial PCs.
“I believe an IPC gives me far better control over machine designs,” says electrical technician Shawn Lahart. “IPC manufacturers that specialize in open technologies have the kind of technological focus that aligns best with ours.”
This controls preference runs so deep that on the last two packaging machines the firm purchased, it specified a change from PLC controls architecture to a PC-based design incorporating controls components from Beckhoff Automation (www.beckhoff.com).
“With the PLC approach, we couldn’t easily or cost effectively upload and download parameters to the controllers,” says Murray Williamson, engineering manager at Radiator Specialty. “With Beckhoff’s TwinCAT software and IPC hardware, the transfer of parameters and settings is a breeze. Most of the functions we use are already included in TwinCAT.”
A critical deciding factor for the Beckhoff approach was the Automation Device Specification (ADS) messaging protocol, which Beckhoff calls the “nerve system.” ADS-enabled devices - that is, any PC running TwinCAT and all Beckhoff BC Bus Controllers - are automatically scanned by TwinCAT System Manager. I/O data is imported via ADS and is mapped to the PC quickly, which greatly reduces programming time.
Four of the plant’s filling and packaging lines are controlled by Beckhoff C6320 or C5102 IPCs communicating via BK9000 Ethernet TCP/IP/I-O Bus Couplers. A variety of Beckhoff control panels equipped with touchscreens are used as the HMI. The Beckhoff IPC runs both the machine control and the line’s HMI. I/O Bus Couplers are deployed around the lines in a distributed I/O architecture to reduce wiring efforts.