The threat existed with proprietary networks, but it’s grown significantly as shared networks are used to link the front office and factory floor. The British Columbia Institute of Technology (BCIT) has begun keeping track of attacks, providing a clearinghouse for those who want to see what has happened and how it was handled.
“We keep a database that currently has about 110 confirmed incidents, but that’s just the tip of the iceberg, since there’s no obligation for people to report security breaches,” says Eric Byres, Research Manager for Critical Infrastructure Security at the BCIT Internet Engineering Lab, in Burnaby, British Columbia, Canada.
The impact of those breaches can be quite serious. Unlike attacks in the front office, infiltration into manufacturing operations can cause severe problems. “If you’re down two hours without e-mail, it’s annoying. But if the shop floor network is down for two minutes, you can kill people,” says Bryan Singer, an engineer at Milwaukee-based Rockwell Automation Inc., who heads ISA-SP99, a committee of the Instrumentation, Systems and Automation Society (ISA) that is developing cybersecurity standards.
A growing number of companies are taking preventive steps, but they’re often baby steps. A survey by industry analyst firm ARC Advisory Group Inc. found that nearly three-fourths of manufacturing companies are implementing security strategies. But most are still in the early stages. The top three steps are writing security programs, auditing for rogue connections, and establishing security and training programs. “Almost everyone realizes there’s a problem, but activity for those three steps is still below 50 per cent” says Bob Mick, vice president of emerging technologies at ARC, headquartered in Dedham, Mass.
But the growth in awareness isn’t entirely a good thing. “The hacking community is just waking up to the realization that there’s new territory here,” Byres says.
Increased attention from hackers will add to a problem that already exists. To date, most known attacks have come in a fashion that has worked well in office settings. Once a virus is unleashed, it is often carried by known friends.
“Most security problems come not from outside attackers with ill will, but from employees and others who don’t realize they have viruses,” says Scott Westlake, manufacturing team director at San Jose, Calif.-based Cisco Systems. He notes that protecting the interior of the network, where people are trusted, is as important as safeguarding the outer perimeters.
Commonly cited examples of attacks from inside are an employee who logs in from an infected home computer or takes a company laptop home and picks up a virus that’s unleashed when that notebook is used in the factory. The prevalence of problems caused by trusted carriers points up the need for getting employees, vendors and others involved in security.
All operations throughout the company, as well as interactions with some equipment makers and others, must be involved. And that includes senior management. “It’s a top-down issue. Until upper management steps in, security is almost a novelty,” says Barry Baker, engineering services manager, Industrial Networking Solutions, at National Instruments Corp., in Austin, Texas.
Byres says there are four core steps for securing a facility. The first is to determine what’s important, an effort that requires strong support from upper management. If security is included in that list, companies need to look at the behavior needed to make sure security is addressed. “Once those steps are taken, the main thing is to train people,” Byres says. The final step moves into the technical realm with the installation of firewalls and other tools. Engineers must borrow knowledge from the information technology (IT) function.
Preventing trusted people from bringing in viruses requires a fair amount of education. Most observers feel that is the key to any security program. “Ninety percent of the solution is better policies and training. The number one reason for security breaches is people who don’t understand how breaches occur,” Byres says.
Regardless of the technical solutions that are implemented, people will sometimes turn them off or go around them if they don’t understand that their actions can cause serious problems. “If people aren’t well trained, some technical solutions can be subverted in just a few months. People won’t pay attention to turning a firewall on or off, or when they perform a backup,” says SP99’s Singer.
The training requires cooperation between groups that sometimes exist in silos. Among the most critical are IT personnel, who may understand the office environment, and plant floor managers who understand how the plant floor operates. The differences between front office IT and similar products on the shop floor are dramatic.
“Once you take someone with a pure IT background through the plant, they quickly realize that this is not a raised-floor computer room. That sounds trite, but it’s the key to establishing a dialogue,” says Eric Cosman, co-lead for the Manufacturing Control Systems Project Team for the Chemical Sector Cyber Security Program, a group sponsored by the Chemical Cyber Security forum to focus on risk management and reduction to minimize the potential impact of cyberattacks on business and manufacturing systems.
Confidentiality is important in offices, so systems often require passwords that must sometimes be entered several times per day so that no one enters data under another name, for example. But on the shop floor, there may be emergencies when it is important to let someone else access a workstation that controls equipment that may be malfunctioning and could cause problems. “In times of duress, someone in the factory may not remember the password. The risk is less from not having a password than if you can’t do something when you need to,” Cosman says.
Though there are differences between the front office and factory floor, IT people can still use techniques they are familiar with. “There’s a lot of difference in how things are implemented, but a lot of the tools are similar,” Cisco’s Westlake observes.
While equipment may include functions that will help improve security, Singer notes that technical advances alone won’t alter the need for proper training and well-understood guidelines. “Equipment has lifetimes of 10 to 15 years, so if all vendors immediately addressed it perfectly on every piece of equipment, things would not change for 10 to 15 years,” Singer says.
Well-trained employees are key for security, but networks can’t be protected without some technical tools. Leading the way is a well-known technology that seems to work quite well. “We’ve seen better success using firewalls to separate the shop floor from the front office than using anything else,” Singer says.
He is blunt about problems with some alternative technologies. Some people have tried layer 3 or layer 4 switches or virtual LANS with varying degrees of lack of success,” Singer says. Running virus scans is also ineffective, because these programs can choke a programmable logic controller (PLC) for several minutes.
One key is to spot so-called “rogue connections” that haven’t been accounted for by the security team. Rogue links are often set up for beneficial reasons. For example, equipment manufacturers may open connections so they can troubleshoot hardware. “That’s convenient, but those connections provide openings for possible attacks,” Mick says.
Searching to find these connections isn’t always easy. “A lot of people talk about scanning for rogue devices. You’ve got to know what you’ve got before doing that. Some older devices don’t react well to being scanned,” Cosman says.
Staying ahead of hackers requires constant vigilance. Vendor updates and patches are not easy to handle, but they must be installed onto equipment. “Unfortunately, there are new viruses created every day, so you do need to upgrade periodically,” Westlake advises.
However, installing patches requires a lot of effort. First off, the late-night shutdowns used for the front office aren’t necessarily downtime. “When you’re running 24/7 for 52 weeks a year, it’s very difficult to find a window for updates,” Cosman says.
Then there’s the challenge of getting patches that are designed for the factory, where equipment is often customized. That makes it much more difficult to install patches without upsetting equipment.
“Another factor is that a lot of software is unique, so a good level of testing is needed to make sure a patch won’t impact existing software,” Mick says.
Most equipment makers test patches so that customers only have to examine small aspects that might be unique to their facilities. The approval cycle used to be slow, but as awareness rises, delays are shrinking. “Vendors have been good about narrowing the window between when the patch is out and when it’s fully tested,” Cosman says.
Though major improvements are being made, security risks continue to grow. The convenience of wireless technologies such as ZigBee and others that are making their way onto the plant floor is offset by additional challenges.
“We see wireless as a huge growth sector, and it has many benefits. But it also means someone can sit in the parking lot and log onto an unsecured network,” says Baker, at National Instruments. Requiring authentication and authorization are a couple ways to reduce these threats, he adds.
For more information, search keyword “security” at www.automationworld.com.