During that same period, manufacturing and control systems have evolved from isolated networks based on proprietary technologies to standards-based networks connected to the rest of the enterprise.
It is now very difficult to know who is authorized, when they are to have access to electronic information, and what data they should be able to access. Partners in one business venture may also be competitors in another business. However, because manufacturing and control systems equipment are directly connected to the process, loss of trade secrets or interruption in the flow of information are not the only consequences of a security breach. Far more serious are the potential loss of production, environmental damage or compromise to the safety of an operation.
Standards for security
The ISA-SP99 Committee was formed to establish standards, recommended practices, technical reports and related information that will define procedures for implementing electronically secure manufacturing, control systems and security practices, and for assessing electronic security performance.
The Committee’s focus is to improve the confidentiality, integrity and availability of components or systems used for manufacturing or control and provide criteria for procuring and implementing secure control systems.
Authorization and authentication are fundamental to access control. They are distinct concepts, but are often confused because of the close relationship between the two. Proper authorization is, in fact, dependent upon authentication.
Authorization is the initial step in protecting a system from unwanted breaches. It is the process of determining who and what should be allowed into the system. Once this information is determined, defense-in-depth access control measures are implemented to verify that only authorized people and devices can actually access the system.
Authentication describes the process of positively identifying network users, hosts, applications, services and resources using a combination of identification factors or credentials. The result of this authentication process then becomes the basis for permitting or denying further actions.
Password weaknesses
Computer systems in the manufacturing and control systems environment typically rely on traditional passwords for authentication. Control system suppliers often supply systems with default passwords. These passwords are often easy to guess or infrequently changed and create additional security risks as a result. At the current time, protocols used in manufacturing and control systems environments generally have inadequate or no network service authentication.
Role-based access control (RBAC) is a technology that is attracting a great deal of attention because of its potential for reducing the complexity and cost of security administration in networks with large numbers of intelligent devices. Under RBAC, security administration is simplified by using roles, hierarchies and constraints to organize user access levels. RBAC reduces costs within an organization because it accepts that employees change more frequently than the duties within positions.
In the absence of centralized authorization tools, most designers of manufacturing and control systems take precautions to minimize the amount of external traffic to and from the control system. Most commonly, various architectural measures insure that data flow is in a one-way direction out of the system to the other enterprise systems. While RBAC will increase the safety of spontaneous data requests of the control system, it is not a panacea for careless design of the data flows.
Adapted from the first Technical Report of ISA SP99 Working Group. Committee chair is Bryan Singer. For more information, or to volunteer help, contact him at [email protected].
Gary Mintchell, [email protected]
