3 Tips for Safe and Effective Virtualization

July 7, 2014
Like most technology advances, some risks come with the benefits of virtualization. Here are three tried and true tips for protecting your systems as you adopt virtualization.

Platform virtualization has come of age in process control. The benefits are overwhelming, particularly for systems that include more than a dozen PCs. You’ve no doubt seen a lot of information about these benefits, including easier system management, longer computer hardware life, and having fewer PCs to buy and maintain. There are also pitfalls you may not know about.

Here are a few ideas that will make your projects more successful:

Copy like a pro. Copying a virtual machine (VM) is easy. After all, it’s just a collection of files on a hard drive. You can create a library of computer nodes and duplicate as needed to build new systems or expand existing ones. But think first. If a virtual node has been connected to a network or exposed to files from USB drives, it could contain malware. Copy that node, and you also copy the risk.

Matt Gibson, a senior technical leader in charge of teams investigating cybersecurity and process control issues at the Electric Power Research Institute (EPRI) explained to me why this is important. Matt has dealt with security and control issues for decades, starting as an electronics warfare specialist in the Navy, and continuing throughout his career in the nuclear power industry. He recommends learning the template management features of the virtualization software you choose for your projects. Create your new VMs and templates from “known fresh media.” That is, installation software that you can trace back to the source. If you use prebuilt virtual machines, get them from verifiable sources. Enforce a “one-way movement of VMs from creation to retirement.” Never copy or recycle VMs that have been used in the field. Instead, use a clean template when you upgrade a node, add to your system or create nodes for a new system. If you work with a system integrator, never accept systems that contain copies of nodes that have been used in the field, even if they come from another system in your company.

Don’t break the rules. When you copy a virtual node, you are also copying the operating system and all of its other software. Backup copies are okay, but if you want multiple copies of a PC to run simultaneously, you must have the appropriate licenses. Licensing for operating systems and other software can be complex, but it’s worth the effort. You do not want software to “time out” during a startup!

Protect yourself. Virtual systems are every bit as vulnerable to attacks by viruses and hackers as “real” ones. Virtualization software from VMWare, Microsoft and others contains security features that aren’t available for physical machines. You should learn and use these capabilities, but they aren’t a substitute for basic cybersecurity. Choose antivirus software that has robust features to protect virtual systems as well as physical ones, and keep it up to date. If you work with a system integrator or vendor, make sure that they have training and experience with these issues.

The foundation of cybersecurity is creating a network that protects each level of your control system. Fortunately, you can include VMs and virtual network switches in your system design just like their physical counterparts. It’s even okay to mix virtual and physical nodes – as long as you keep safety and security in mind.

What do you think? Have you had a good – or bad – experience with virtualization? Are there issues that most people aren’t thinking about today? Share your thoughts, questions and experiences in the comments section below.

James Cage is an automation solution integrator at Avid Solutions Inc. He has served clients in a variety of industries for more than 24 years as an engineer, consultant and product manager. Contact James at [email protected] or follow him on twitter at @JamesDCage. For more information about Avid Solutions, visit Avid’s profile on the Industrial Automation Exchange.

Sponsored Recommendations

C2-08DR-4VC

CLICK PLUS discrete/analog combo module, Analog Input: 2-channel, current/voltage, Analog Output: 2-channel, current/voltage, Discrete Input: 4-point, sinking/sourcing, Discrete...

MSD-SLC16G

CLICK industrial memory card, 16GB microSD. For use with all products with microSD memory card slot.

C0-12DRE-D

CLICK Ethernet Analog PLC, 24 VDC required, Ethernet and serial ports, Discrete Input: 4-point, DC, Analog Input: 2-channel, current/voltage, Discrete Output: 4-point, relay, ...

C2-FILL

CLICK PLUS option slot cover.