Security Is a Journey

March 13, 2007
“Security is the journey, not the destination,” declares Bradford H. Hegrat, senior network security engineer with automation vendor Rockwell Automation Inc.’s ( Components and Packaged Applications Group, in Cleveland.
Yet, managing risk can’t be done by a “point solution,” notes Keith Stewart, product manager with the Security Technology Group for Cisco Systems Inc. (, the San Jose, Calif.-based network equipment vendor. Stewart believes that information technology (IT) security and network security must become part of the framework of every deployed application and technology. That entails embedding security into the network fabric itself, he remarks. “Organizations are embracing this notion of embedding security into other technologies—it’s the only long-term solution that makes sense.”But it also makes sense that security strategies cover all manufacturing and corporate assets—and that the production environment and automation systems be isolated from the rest of the enterprise, Dan Knight thinks. That means allowing only necessary information to flow between production and the rest of the enterprise, emphasizes Knight, Cisco’s industry solution manager. Also, only give appropriate individuals access to critical systems, he adds.From an automation engineer’s standpoint, though, what is the main IT-based risk to the control system and enterprise? It’s the integrated nature of technology, network and software infrastructures, responds Rockwell’s Hegrat. Not surprisingly, IT and automation engineers have different opinions on computing and network assets applied in the manufacturing and control-systems spaces, he remarks. “But convergence trends in recent years have gradually brought IT and the plant floor closer.”  Moving the two groups nearer this past year was Microsoft Corp. ( ending its Windows NT support, observes Dennis Brandl, principal of BR&L Consulting (, Cary, N.C. “With NT, you could set up an isolated system. You had your own account and passwords.” Now, though, companies are moving to Windows 2003 and 2007 Servers—and that means the newer technology needs to be integrated with the corporate security systems, Brandl explains.Forced cooperationThat need forces manufacturing and IT to cooperate. Recalling that the NT systems typically were “islands of security,” Brandl believes that the integration of these systems is truly a major change. “Manufacturing and corporate security systems have to work together—because they don’t have a choice.”Just because companies deal with the internal security issues, though, external dangers also still exist. And that concerns
Robert C. Webb, P.E., a San Carlos, Calif.-based automation and licensing consultant. “The solutions they (vendors) are bringing are great, except for the majority of core automation components. One example is a conundrum most of the suggested best practices have created. One side is keeping your system up-to-date with the latest patches, virus signatures and so forth,” says Webb, also managing director of the Instrumentation, Systems and Automation Society’s (ISA’s,
) SP99 Committee on Manufacturing and Control Systems Security. Of course, keeping systems updated is a great idea. “But we all know that most of the PLCs (programmable logic controllers) and other core components can’t be updated regularly,” Webb states. Why? “We don’t have the internal defense capability to expose a network to contact with the outside world.” Without properly designed networks and procedures, companies expose their legacy equipment and technologies to problems, he stresses.On its journey to foster better security and answer Webb’s
and others’ alarms, the ISA-SP99 committee continues “slogging through the very hard part of writing a standard,” committee member Brandl says. “We have SP99’s Part 4 (‘Specific Security Requirements for Manufacturing and Control Systems’) starting up,” Webb notes.     
C. Kenna Amos, [email protected], is an Automation World Contributing Editor.