Protect Automation Against Cyber Threats

In the not-so-distant past, process automation systems were designed for functionality and performance—not security. They typically operated in isolation from the rest of the company in an environment of implicit trust.

System components were purchased as proprietary black boxes and there was very little concern for interconnectivity with other systems. So when legacy systems are included in common networks, they are often the weak point in total network security.

Today’s networked control systems most often use the same hardware architectures, software and networks as corporate office and administrative networks. The use of common networks means that vital production and process control systems can be exposed to the same spam, virus and security threats that corporate information technology (IT) departments have been facing for years.

It’s tempting to suggest that because they have the knowledge and experience, corporate IT people should be responsible for total network security, including that of automation and control systems. But this is wrong. The problems are different and the urge to delegate responsibility is misleading. There are definite differences of goals and objectives, differences in assumptions of what needs to be protected, understanding of what “real-time” performance and “continuous operation” really mean, and knowledge of how some well-intentioned software-based security solutions can interfere with real-time automation and control systems.

Beyond just common architectures, many business networks may now be connected with process networks, boasting the “sensor to boardroom” interface that Foxboro—now an Invensys business—first made famous. Unless significant security precautions are taken, this may open the door for hackers and viruses to enter the production and process environments.

No mail, no games

Most experts agree that automation networks should be completely separated from business networks using routers and firewalls specifically designed for the applications. Users and applications should be limited to those specifically required for the process—no e-mail, no games, no Internet browsing. Often, control room personnel need e-mail and business applications, and budget-conscious administrators may suggest network commonality. But that’s short-sighted. It simply exposes the automation network to a plethora of problems. Parallel installation of separate networks is not a luxury—it should be mandated.

Network security comes from proper design, operation and maintenance to provide regularly updated protection. Good network security environments include high security routers and firewalls that block outside intrusion but do not affect required performance. Operators, supervisors and administrators should have the ability to interact with the system without constantly getting tied up with arduous, tedious and prolonged procedures. If it’s too difficult, knowledgeable people will quickly find a way around the system—the well-intentioned, honest but impatient insider.

Well thought out system security should prioritize and manage network traffic, restrict outside traffic and give preferential treatment to control traffic. The system must have the ability to prevent problem situations before they occur. Plug-in memory ports must not be generally accessible. There should be preconfigured groups and group policies that define desktop and console behavior.

Regular and consistent network management is the key to security protection. As they say about quality, business performance, and even about life—Network Security is a journey, not a destination!

Jim Pinto is an industry analyst and commentator, writer, technology futurist and angel investor. You can e-mail him at: Or review his prognostications and predictions on his Web site:

More in Control