analyzing the error message,” Singer relates.

The tools for securing the plant are readily available. But the issue often comes down to who is in change of the security system. “The number-one challenge is people and organizational structure, not technology,” says Brad Hegrat, senior network security engineer for vendor Rockwell Automation Inc., in Milwaukee. “There are plenty of tools to technically secure the environment, but there is a huge ownership challenge.”

The IT group thoroughly understands security, but IT personnel don’t always know how the plant operates, nor do they share the plant’s priorities of constant availability. “When it comes to patch management, things get tricky. The process used for desktops cannot be used for plant systems,” says Bob Mick, vice president of emerging technology for ARC Advisory Group Inc., in Dedham, Mass. “Corporate IT is good at collecting data and monitoring threats, but the plant guys are trying to optimize their processes. So they see what’s affecting them differently.”

Because the plant puts its greatest emphasis on availability, security can become an afterthought, even a threat to optimization. “Plant operators are not really tuned into security—the engineer is concerned about reliability,” says Roy Kok, vice president of marketing for Kepware Technologies Inc., Portland, Maine, a supplier of communication software for automation. “You have the traditional problem that engineering owns the plant, and IT owns the business applications. The IT network is too intrusive. For automation, intrusive means it can potentially do things that can disrupt the plant operation.” An intrusion for the automation system can shut things down and potentially cost someone an arm.

Blending goals

The best solutions for securing the plant usually come through strong communication between plant operators and IT personnel. One of the more popular emerging solutions is the creation of a team consisting of plant engineers and IT staff. This team takes on the responsibility for securing the plant, and no decisions are made without input from both control engineers and IT staff.

Many plants stick with the age-old solution of isolation. Add a few PCs, but keep the plant from touching the outside world. “Some systems get left alone. Power plants have systems that don’t touch the Internet,” says Dave Kennedy, practice lead for profiling and e-discovery at SecureState, a security technology firm in Cleveland. “They’re making the whole plant environment its own island. You have the latest software, but sometimes it is still its own island.”

While control engineers and IT personnel hold different views of how to secure the plant, companies are solving the clash through mixed teams and simple communications. The problem tends to be cultural, not technical. Successful solutions only come when plant engineers and IT people understand each other’s different priorities.

To view the accompanying article to this story,"Tactics for Plant Security", go to www.automationworld.com/feature-4258

To view the accompanying article to this story,"Office/Plant Security Clash", go to www.automationworld.com/feature-4259