Plants are taking two approaches to proactive security. For one, theyâre creating a wall, or demilitarized zone (DMZ) between the companyâs business system and the plant system (see chart at right). The business end of the information technology (IT) world is much more vulnerable than the plant side. For example, the plant control system doesnât have e-mail, which is one common way that viruses and other malicious programs can enter a system. Secondly, control vendors are working to identify vulnerabilities in software before those vulnerabilities are discovered by bad guys.
A secondary DMZ blocks viruses that can enter the business system through e-mail, and then migrate across the enterprise. âMajor accounts are deploying a secondary DMZ between the business system and the factory,â says Mike Bush, program manager at controls vendor Rockwell Automation Inc., in Milwaukee. âYou have a wall between the business and the outside world, but you also have a wall between the business and the plant. The second DMZ wonât allow a connection to the Internet.â
To further cut the business system from the plant system, some plants are putting the upgrade server inside the secondary DMZ. âWe also recommend that plants put their upgrade server in a demilitarized zone between the business systems and the control system,â says Kevin Stagg, engineering fellow for cyber security at automation vendor Honeywell Process Solutions, in Phoenix.
âThe frequency of patches is definitely increasing, and so is the risk of losing production,â says Rashesh Mody, chief technology officer at software supplier Wonderware, an Invensys Systems Inc. company based in Lake Forest, Calif. âPeople want to do the patches without interrupting production.â
One version of proactive security is the effort to detect and patch system vulnerabilities before they are detected by the outside world. âPatching is a little like closing the door after the horse got out,â explains Rockwellâs Bush. âWe have network and security services and we do vulnerability tests so we can lock the barn before the horse gets out.â
See the main story that goes with this sidebar:Fixing Software On The Fly