It’s no longer a secret that industrial networks are susceptible to viruses and hacker attacks. But though awareness has risen, actions taken to prevent problems still range from minimal to those that have isolation and many layers of protection.
As broader use of networking and closer ties to front offices have helped drive a shift to Ethernet, this change also brings the increased threat of viruses, hack attacks and other issues that plague corporate information technology departments. Well-intentioned employees can cause as many problems as malicious people, whether they’re disgruntled employees or nefarious outsiders.
Although the threat is now widely understood, security is often pushed back by more pressing concerns. “Those who aren’t focused on security know it’s important, but it’s just not a focus for them. Generally that changes when something occurs that makes them more aware,” says Bill Lewins, a requirements analyst who focuses on software security for Rockwell Automation Inc., the big, Milwaukee-based automation vendor.
There’s some good news for those who view network security as an issue that can wait until tomorrow, since attacks aren’t increasing rapidly at present. But the downside is that those who take the time to burrow into manufacturing networks know what they’re doing.
“We’re no longer seeing a spike in incidents, but their severity is going up. As in information technology (IT), we’re seeing more focused, intelligent attacks that have a goal of making as much money as possible,” says Eric Byres, chief executive officer of Byres Security Inc., an industrial security services and consulting firm based in Lantzville, British Columbia, Canada.
A growing number of those attacks are extortion. Hackers who show that they can get into critical portions of a network, then ask for cash not to deploy their programs. A handful of utilities have paid extortion, and it’s unlikely that manufacturing companies won’t also be targeted. These attacks are more difficult to defend against than hackers out for kicks, forcing a change in protective schemes.
“It’s important to set up a tiered structure, with each cell protected from the others,” says Todd Stauffer, Process Automation marketing manager at automation solutions provider Siemens Energy & Automation Inc., in Spring House, Pa.
Building the tiers
This structured scheme begins with a basic element common even in simple home networks. “Any safety-aware user will put a firewall in front of a device,” says Nate Kube, chief technology officer of Wurldtech Security, a Vancouver, British Columbia, Canada, industrial cyber security firm.
However, that’s where the similarity ends. Installing firewalls for complex industrial networks involves many different factors. Many factory floor networks include a number of older devices with slow data transfer speeds and small buffers, if they even have buffers. If they get too much data too quickly, buffer stacks can overflow, causing serious problems.
As part of their job, firewalls attached to this type of equipment must protect it from these problems as well as others. “Firewalls should provide rate limiting specific to the device, they should do packet filtering to protect the controller from malformed packets and they should automatically configure themselves to what they’re protecting, so the engineer doesn’t need to know what the firewall is doing,” Kube says.
Though firewalls are a powerful first line of defense, they aren’t a panacea. “Putting in a firewall is helpful, but there have to be other levels of security beneath that, with layers of defense going down to programmable logic controllers (PLCs),” Byres says.
Another layer of protection comes when networks and their nodes are isolated. One aspect of this segregation is to prevent any problems from getting into a factory network. The other benefit is that if something gets in, its impact will be limited to just a few nodes. There are a number of different ways to set equipment apart from gear that might cause problems. One of the first is to minimize links with front office systems that deal with far more outside links. That can be done with different techniques.
“If you’re not on the Internet, you’ve got a high level of security. We connect to the outside world through a workstation, not a switch, which helps keep our network highly separated from other local area networks (LANs) in the company,” says Bob Huba, Delta V product manager at automation vendor Emerson Process Management’s Systems and Solutions Division, in Austin, Texas.
An alternative approach keeps hardware deployment down, yet still serves to minimize interaction between the company’s corporate and manufacturing networks. “We segregate the control network from the company network, using one port for corporate access and putting all plant floor I/O (input/output) on the other segment,” says James Davis, senior application engineer at Opto 22, an automation vendor based in Temecula, Calif.
Some isolation techniques offer system improvements as well as security. “We also close off all ports except those being used by a specific user, which improves security and saves bandwidth,” Davis says.
When engineers are trying to isolate or even connect equipment, they often bump into challenges not often seen in traditional front office networks, where most hardware is fairly new. “A lot of equipment has lifetimes of 15 years, so Ethernet was slapped onto its back by people who don’t have much knowledge about an Ethernet stack,” says Wurldtech’s Kube. These one-of-a-kind interfaces often require special treatment, he adds.
The shift to well-known Ethernet and transmission control protocol/Internet protocol (TCP/IP) technologies opened doors for problems, and usage of other common technologies also brings problems as well as headaches. Using Windows-
compatible software helps with costs, compatibility and ease of use, but the familiarity it offers for design engineers and maintenance personnel also simplifies the challenge hackers face.
That’s prompted some companies to focus on protecting hardware that runs these programs. “We can essentially lock down the end points, like the application servers with Windows-based HMIs (human-machine interfaces), and provide protection without knowing the signature of a virus,” says Dan Knight, industry solution manager at Cisco Systems Inc., the big San Jose, Calif.-based network equipment company. That also makes it easier to deploy patches on a schedule that suits the facility, he adds.
Commonly used software is infiltrating more and more aspects of industrial control programs. That can bring unexpected problems for those charged with protecting factory nets. “Popular programs like the Microsoft SQL Server database are prone to attacks, but often, people don’t remember or even know they’re running them. Many human-machine interface programs use a SQL database, and SQL databases are being used to store more historical data and engineering data,” says Siemens’ Stauffer.
Though protection against outside entities is a big part of network security, managers must also safeguard equipment from problems that come from inside the company. Assaults can come from employees or contractors with malicious intent, but problems are often caused by employees who don’t realize their actions can cause problems.
One of the most common of these unintentional actions stems from the use of notebooks. Portable computers make it simpler to access many different pieces of equipment using a common hardware platform, reducing costs and helping engineers work with a single user interface.
But problems often arise when employees take notebooks home for remote plant monitoring, or use them to do a little Web browsing while they’re on break. If the notebook picks up a virus or other malicious software, this program can easily hit the plant the next time the laptop is used on the factory floor.
Some providers avoid this issue by simply eliminating portable units. “We don’t use floating equipment like notebooks, we use workstations that are dedicated,” Emerson’s Huba says. Those workstations handle configuration and maintenance, he explains.
Technical issues are critical for protection, but they’re only one layer of the tiered scheme. An unavoidable truth is a corporate culture that puts on emphasis on security, coupled with good training, will probably have more impact than any hardware or software. “Training and getting the culture going are still the most critical things. The technology by itself is useless,” Byres says.
One of the first steps is to make sure staffers recognize the importance of security to the company’s bottom line. For example, passwords are the keys to the networks, but password protection is often lax. That’s because companies often ignore those who treat passwords casually.
“Corporations don’t treat someone who sticks their password onto the computer with a sticky note the same as someone who hangs their access card next to the front door, but it’s the same thing,” says Shaye Shayegani, senior field applications engineer at Lantronix Inc., a device networking solutions provider based in Irvine, Calif.
Companies can also use these passwords to establish a tiered structure for human access. Many companies give most employees similar access levels, but that’s often not the best approach. “Passwords are about authorization for what you can and cannot do, like applying domain policies that determine things like who can upload or download programs,” says Rockwell’s Lewins.
Alternatively, companies can restrict personnel to specific systems or limit the ways they can communicate. “We limit people to certain computers and protocols,” says Davis, at Opto 22. He notes that as a way to provide additional security, the server automatically records everyone who accesses control programs.
While controlling people’s access is a big aspect of security, many companies do their best to automate communications so that people aren’t involved unless their decision-making input is required. “Machine-to-machine communications are easier, since the machines always follow procedure. They make sure they only send and accept messages from authorized equipment,” says Shayegani, at Lantronix.
Another aspect of dealing with the human element is to safeguard software. Proprietary programming is often a big element in a company’s portfolio, so making sure it isn’t compromised is a key element for success.
“OEMs (original equipment manufacturers) and large customers want to protect their intellectual property. The machines can be duplicated fairly easily, but the code behind them is not nearly as easy to duplicate,” Lewins says.
Here, internal problems are most likely to cause problems. A key issue is to make sure that the critical software that turns a standard piece of equipment into an efficient tool for the company’s products isn’t altered by someone who wants to tweak a step. “You want to protect your code from well-intentioned employees. You don’t want someone altering code, since it rarely causes problems,” Lewins says.
A related aspect is to provide ways to make sure that maintenance personnel and operators know which piece of equipment they’re working on. In complex networked systems, it’s easy to alter the wrong machine. “People need ways to make sure they’re not altering production line 1 when they actually want to alter line 2,” Lewins says. Restricting employees only to equipment they know is important to avoid this type of accident, he adds.
Blending all these technologies and human factors into a coherent strategy isn’t a challenge that’s going to be solved overnight. IT managers must be called in, along with other groups, to create a cohesive approach. Suppliers provide some help, but their aids can’t be considered light reading. “We’ve got a 200-page configuration manual that explains the steps for setting up a secure distributed control system,” Stauffer says.
For more information, search keyword “security” at www.automationworld.com.