Is Internet of Things Control via SCADA Too Risky?

Jan. 24, 2022
Ben Manlongat of system integrator Outbound Technologies explains the risks of remotely accessing SCADA data—even if it's "read only"—and how to secure this critical automation system component.

Read the full transcript below 


David Greenfield: Welcome to the Automation World Gets Your Questions Answered podcast, where we connect with industry experts to get the answers you need about industrial automation technologies. And you can find even more answers by subscribing to Automation World at Subscribe AutomationWorld.com.

I'm David Greenfield, Director of Content for Automation World, and the question we'll be answering in this episode is: what risks are associated with Internet of Things control over SCADA? And joining me today to answer this question is Ben Manlongat of Outbound Technologies, an industrial automation system integrator. So thanks for joining me today, Ben.

Ben Manlongat: Awesome. I'm very happy to join. Thank you for the invitation.

David Greenfield: So then, you know, one of the biggest benefits of having Ethernet access on the plant floor is the ability to remotely connect to plant floor systems, of course. But despite the benefits of remote access, there's also the heightened risk of cyber attacks, as with any internet-connected system. So as a system integrator, what do you consider to be the biggest risks a manufacturer faces when connecting their SCADA system to an internet-accessible network?

Ben Manlongat: I'd like to think the biggest risk is any cybersecurity threats, any type of control of your system. If anyone was able to read the data, how does that affect your business if someone was to intercept that data? So the biggest thing I think about is the data that's going into the internet, or what is leaving the plant floor. Even if it is read only, how can that harm you if your competitor was to get that information? And if it was control, what can someone do to your operations that would cause a lot of harm? There are different things that I would think about. So, some actual examples of some big risks. Externally, if you were to think from your home, from your office, or from your phone, how you're making that connection to the plant floor, there's different things to think about. Do you have a VPN connection to the plant floor, or to your office network, or to your plant floor network? Is that connection encrypted? Is there any third-party software involved? There's been some big breaches of third-party software that people have been using, where the third-party software has been hacked and passwords have been released or leaked. And then now anyone can get access to your network, or your plant floor, through that third-party software. If you do use a VPN, is multi-factor authentication turned on? Definitely something I would recommend is multi-factor authentication, because not only do they need your password to access the plant floor VPN, but they also need your cell phone or some sort of device that you carry on you. So those are the external threats.
And then even on the inside, from the plant floor, there's also internal threats. Is your plant floor network completely off the office network? Is your plant floor network that's sending data to the internet also on Wi-Fi? Because someone on site can now get access to the network, or someone local to your building, if on Wi-Fi, can hack into there and get access to your plant floor equipment and cause some damage, cause some harm. And then outside of the network side, there's also some big risks on the device. So is your device only transmitting tags that are read only? Are the tags that are available read/write? If they are read/write, and those tags are there, then that's where you have the ability to do control from anywhere on the network, locally or off site. Some other areas that you can look at are: is the programming port on the network? If the programming port's on the network, and if the device has tags that are read only or read/write, but that programming port is available on the network, someone can access that programming port and cause some problems. There's other areas to look at too on the device, on the actual programming on the device. Is there actually safety logic programmed in the controller that prevents any large problems on the control side? So do you have protection in place on the PLC side or the controller side that prevents problems from happening? So there's a lot of different things that could go wrong, a lot of things that could potentially be a problem, but these are some examples of areas that I would look at to help prevent those cybersecurity risks.

David Greenfield: Thanks, man. I really like that you mentioned the multi-factor authentication aspect as well. And in this case with a VPN, in addition to the control aspects, the more specific control aspects that you mentioned, because I think it goes to show that a lot of steps that we take with a lot of personal business activities outside of work, that it uses a lot of the same protection factors that are used with banking, and other account access controls are also applied in industrial control applications as well. So there's a lot of advocates in industry for having only read-only data coming from SCADA via the internet, as you mentioned in your response. In other words, that means, you know, basically no remote control commands or direct access to the system are allowed externally. So based on your work with, you know, clients and industry, where do you fall in this discussion? Where do you come down on this argument, for or against? And why?

Ben Manlongat: Yeah, I think for read-only data coming from SCADA over the internet, I think the answer is, it depends. It'll depend on the business and the information that's going to the network, and if it's worth it. What I always look at is, is it worth the risk of any potential breach or any potential competitor getting this information? And if the answer is it adds more value to your business, to your company, and the information going to the cloud, to some sort of analytics software in the cloud or machine learning software in the cloud, if it adds great value, more than the risks, then I would say, yeah, look into the read-only side. But just always be careful. Always be careful. Because once that connection is on the internet, are you taking the proper safety precautions and proper IT security, the proper firewalls? Is the right infrastructure in place to really protect you from the risks?

David Greenfield: So you're basically implying then, too, that it might be possible to attack read-only SCADA connections for potential system exploit. Is that the case, that even read only needs to be protected?

Ben Manlongat: Yes, yes, yes, yes. Don't think that because everything is read only, that everything is safe. And then a quick example of how someone can quickly attack a read-only SCADA system from anywhere on the network is, again, if that comms port is open, that comms port can be hacked by anybody. You can get access to it, you can have any laptop on that network get to the comms port of the device, and then start making programming changes. Once those programming changes are in, they can take control of your system. The other thing is a lot of controllers, a lot of devices, they have predefined read-only tags. But I've seen some controllers, in our experience, many controllers also have predefined read/write tags. So just because you think your system is read only, and just because SCADA shows read only, really pay attention to the devices you're talking to. Make sure that comms port is protected. And also make sure that there's no available device tags that are predefined by the manufacturer for already being available to control. So those are some risks I'd be aware of.

David Greenfield: Interesting. Thanks for clarifying that, Ben. That's helpful to understand. So, you know, with the push for digital transformation of industry and, you know, Industry 4.0, Internet of Things connectivity that we're all hearing about, obviously, do you see the ability of remote control command, you know, via the internet being an integral aspect of Industry 4.0? Or do you see that as something of an unnecessary risk that some manufacturers are choosing to make?

Ben Manlongat: I'll use the answer "it depends" again. It depends on the business, depends on the goals. We are working today with a customer that does see value in remote control of their system. This might not be for everybody. But the reason why this customer... it's a medical device manufacturing company. And what they're looking to do is, right now, all their machines, all their production machines, on the weekends they're not running. They don't have the manpower, don't have the staff to keep the production machines going, their CNC machines. What they're looking for doing, or why they reached out to us, Outbound Technologies, and Amazon (Amazon's helping with this), is they're looking to investigate if they were to add control, to remotely start, stop, look at these CNC machines on the weekends, the reduced manpower and the ability to run a full production schedule over the weekend, it's going to add almost 33% of additional profit to their bottom line. So here's an example of where remote control can help a manufacturing facility make more money, but also it does increase risks. So just pay attention to the pros and cons of remote control, because every use case is different.

David Greenfield: And of course, you know, there are no absolutes. I think we've all learned that when it comes to cybersecurity, or securing a system that's in any way connected to the internet. But in your experience as a system integrator, is it possible to really adequately protect internet-connected SCADA systems for remote control usage?

Ben Manlongat: The quick answer is yes, there are different ways to configure an internet-connected plant floor for remote access, for remote control, for read-only viewing. But as an example, here's one way that we would potentially advise a customer. So if they were looking to do read only, have zero chance of remote control, we believe that this configuration limits your risk. So to connect to the internet, to connect to the plant floor, set up a VPN. So that VPN is a private connection, it's encrypted. It has a username and password that's encrypted, and any traffic that leaves that VPN into the internet is encrypted. So even if someone was to see the traffic, they wouldn't be able to read it or understand it. Along with that VPN connection, we also recommend multi-factor authentication, where not only do you need to know the username and password, which could get stolen or hacked by somebody, you also need to have that person's cell phone, or another device, like a pager that sits in a pouch in your pocket, and it gives you a special key code that may change every three minutes. So multi-factor authentication connected to a VPN. And if you're really looking for only read only, what we would recommend (again, this adds more cost to the project) is: don't connect directly to your controllers that are performing operations. So if you're looking to do read only, and you'll get information into the cloud to do AI, machine learning, to do any analytics in the cloud, what we would recommend is two different options. You put a different device, a separate device, on the plant floor that only has input connections to your plant floor equipment. So this device that you would connect, you would not even have the ability to do any control, because it's not connected to anything to do any control. It's only reading information from the plant floor, you're connecting that to the VPN network, and that's going to the cloud.
The other option is to put, again, a third-party or another device on the plant floor and use a serial connection. So with that serial connection going from that new device on the plant floor to your controller, that is a lot less risky than an Ethernet connection, where you can do more: you can get on the comms port, the communication port, the programming port, and do other work that does have some harm that way. So we would set up that other device to be a read-only device on your network. And that standalone device keeps you safe, because that standalone device won't be able to control your system.

David Greenfield: So thanks for explaining all the various, you know, tools and methods that manufacturers have available to them to secure their systems. But can you explain how Outbound Technologies, as a systems integrator, for example, works with their clients in the manufacturing industries to assess and secure their SCADA system?

Ben Manlongat: If they're already connected to an internet-accessible network, what I would recommend for anyone looking for a systems integrator to work with is really find someone that has the experience working on plant floor equipment. One of the reasons why I say this is that medical device company that was looking for help with getting their data to the cloud. They were working with Amazon on a project, and for three months they were working with a systems integrator. They were trying to get the plant floor equipment, that CNC machine information, into the cloud. And for three months, they couldn't get anything working. So what we recommend is... where we see we provide value to IoT, to Industry 4.0, is we really have that 25, 26 years of plant floor experience talking to multiple devices. And where Amazon and this medical device company saw value in us is after we had our first kickoff meeting, where we got introduced to what the scope of work for the customer was. What the other company couldn't do in three months, we got up and running in 30 minutes. So really, when you're looking for a systems integrator, look for someone with the right experience that matches your technology on the plant floor. And this is the other reason why the medical device company likes us: many times, plant floors have numerous different types of controllers. You have Allen-Bradley, you have Siemens, you have GE, you have Bristol Babcock, you have Emerson. So really finding that control systems integrator that has the various experiences to connect, to work, to perform connections from your plant floor to the internet, would be a very important thing that I would look into. What we like to do when we get on site is we like to go in, we like to understand the scenario, we like to listen, listen to what the business goals are, the operations goals are, what are they really trying to achieve, and then from our experience, provide suggestions.
So we'll suggest different opportunities to achieve their goals. And then with those suggestions, it's really important for the customer, the business, to understand the pros and the cons of their decisions. So not only do we go in there with solutions, we really identify the business goals, offer different opportunities to achieve those goals through controls, through automation, from our systems integrator team, and then we really help them understand the pros and cons. So that's why we think, with the right systems integrator, you really should pay attention to how you select them.

David Greenfield: Okay. And on the flip side of this question, how do you work with manufacturers who insist on keeping their systems as disconnected from the internet as possible? And do you see that as a viable stance for a manufacturer in today's digital world, so to speak? Or do you advise them on how to connect securely to maintain their business moving forward?

Ben Manlongat: Yes, I do think that there are a number of manufacturers where it would not add benefit to their business to go into the cloud, go into IoT, go into the internet. However, instead of just quickly saying, you know what, at our manufacturing plant or facility, going to the internet is just not right for us, I really would invite each manufacturer to investigate IoT, investigate Industry 4.0, and really understand the benefits and put that to a dollar amount. So as an example, that medical device company that we're working with, that's looking into Industry 4.0, into remote control, they're looking into how is this going to improve their bottom line? If they do remote control, how does it improve their ability to increase their utilization of all their machines? Even on the read-only side, getting the analytics into the cloud, what type of analytics is going to go into Amazon AWS? And what kind of machine learning? What kind of advice is Amazon AWS going to provide to this business to improve their operations? So what I would recommend to manufacturers: yes, it's likely that Industry 4.0 might not be the right fit for you. But do you think that it's worthwhile to take a 30-minute, two-hour, four-hour look and investigate? Okay, these are the potential benefits in a dollar amount on how it will improve your bottom line profit. And if it does increase your bottom line profit, then look into the risks, then look into the costs of going into Industry 4.0, IoT, then look into, potentially, is it a good long-term strategy to move in that direction? And if you do see the benefit of doing that, keep in mind, if your competition is also doing this assessment, and they're finding a way to see the benefit, and also finding a way to make this work, you don't want to be five years down the road with your competition advancing, and you're still in the same method or same way you're doing business. So just something to look at.
It might not be right for everybody. But I do think there's value in looking into it.

David Greenfield: Absolutely. Thanks for explaining that, Ben. So I think we've got time for one last question. And I guess what I'm interested in, though, is, you know, I hope we all realize at this point that cybersecurity is really a constantly evolving issue and that any safeguards you put in place today won't necessarily be as effective tomorrow as attackers keep developing ways around the safeguards that we instantiate. So given that, how complicated and/or expensive is it for manufacturers to really adequately protect and maintain the protection of their network-connected systems?

Ben Manlongat: Personally, I don't think it's too complicated. I don't think it's too expensive, because once it's been identified that Industry 4.0, IoT is valuable to the company, and that value it brings to the company is related to a dollar amount, you'll notice that the benefits that it could potentially bring to your company are greater than the costs for maintaining your cybersecurity or keeping a good IT infrastructure safe. What I do recommend is not only looking at a systems integrator to come in and give you help on the plant floor connecting those devices to the internet. We have many customers, many examples, where you want to form a great relationship with your systems integrator who understands the plant floor technology, the OT, operational technology (that's our side, the systems integrator, is the plant floor devices), but also form a great relationship with an IT company, an IT advisor. Because between the two of us, where we understand the plant floor devices, the risks there, a great, amazing IT consultant will also provide you added security, safety on your network, on your VPN, on your firewall. So I think the costs aren't great compared to the benefits for most manufacturing facilities. But I do recommend finding partners on the systems integrator side and also finding a good partner on the IT side.

David Greenfield: Well, thank you for joining me for this podcast, Ben. And thanks of course to all of our listeners and please keep watching this space for more installments of Automation World Gets Your Questions Answered. And remember that you can find us online at AutomationWorld.com. And subscribe to our print magazine at SubscribeAW.com to stay on top of the latest industrial automation technology insights, trends, and news.