
Standards Body Takes On Security

Most businesses have reported an increase in the number of unauthorized attempts to access electronic information. Over the last several years, the number of joint ventures, alliance partners and outsourced services in the industrial sector has increased dramatically.

During that same period, manufacturing and control systems have evolved from isolated networks based on proprietary technologies to standards-based networks connected to the rest of the enterprise.

It is now very difficult to know who is authorized, when they are to have access to electronic information, and what data they should be able to access. Partners in one business venture may also be competitors in another business. However, because manufacturing and control systems equipment is directly connected to the process, loss of trade secrets or interruption in the flow of information is not the only consequence of a security breach. Far more serious are the potential loss of production, environmental damage or compromise to the safety of an operation.

Standards for security

The ISA-SP99 Committee was formed to establish standards, recommended practices, technical reports and related information that will define procedures for implementing electronically secure manufacturing, control systems and security practices, and for assessing electronic security performance.

The Committee’s focus is to improve the confidentiality, integrity and availability of components or systems used for manufacturing or control and provide criteria for procuring and implementing secure control systems.

Authorization and authentication are fundamental to access control. They are distinct concepts, but are often confused because of the close relationship between the two. Proper authorization is, in fact, dependent upon authentication.

Authorization is the initial step in protecting a system from unwanted breaches. It is the process of determining who and what should be allowed into the system. Once this information is determined, defense-in-depth access control measures are implemented to verify that only authorized people and devices can actually access the system.

Authentication describes the process of positively identifying network users, hosts, applications, services and resources using a combination of identification factors or credentials. The result of this authentication process then becomes the basis for permitting or denying further actions.

Password weaknesses

Computer systems in the manufacturing and control systems environment typically rely on traditional passwords for authentication. Control system suppliers often supply systems with default passwords. These passwords are often easy to guess or infrequently changed and create additional security risks as a result. At the current time, protocols used in manufacturing and control systems environments generally have inadequate or no network service authentication.

Role-based access control (RBAC) is a technology that is attracting a great deal of attention because of its potential for reducing the complexity and cost of security administration in networks with large numbers of intelligent devices. Under RBAC, security administration is simplified by using roles, hierarchies and constraints to organize user access levels. RBAC reduces costs within an organization because it accepts that employees change more frequently than the duties within positions.
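The sketch below is an added example, not code from the ISA-SP99 report or from any control system product. It shows roles, a role hierarchy and one separation-of-duty constraint, with authorization refused when authentication has not succeeded; every role, permission and user name in it is constructed for illustration.

```python
"""Minimal RBAC model: roles, a role hierarchy and a separation-of-duty constraint.
All role, permission and user names are constructed for illustration."""

# Permissions attach to roles (the duties of a position), never to individuals.
ROLE_PERMS = {
    "viewer":   {"read_tags"},
    "operator": {"ack_alarm", "change_setpoint"},
    "engineer": {"download_logic"},
    "auditor":  {"read_audit_log"},
}
# Hierarchy: a senior role inherits everything its junior roles grant.
ROLE_PARENTS = {"operator": {"viewer"}, "engineer": {"operator"}, "auditor": {"viewer"}}
# Constraint (static separation of duty): no user may hold both roles in a pair.
MUTUALLY_EXCLUSIVE = [{"engineer", "auditor"}]


def effective_roles(roles):
    """Expand assigned roles with every role inherited through the hierarchy."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(ROLE_PARENTS.get(role, ()))
    return seen


class AccessControl:
    def __init__(self):
        self.assignments = {}  # user -> set of directly assigned roles

    def assign(self, user, role):
        if role not in ROLE_PERMS:
            raise KeyError(f"unknown role: {role}")
        proposed = self.assignments.get(user, set()) | {role}
        for pair in MUTUALLY_EXCLUSIVE:
            if pair <= effective_roles(proposed):
                raise ValueError(f"{user}: roles {sorted(pair)} conflict")
        self.assignments[user] = proposed

    def revoke(self, user, role):
        self.assignments.get(user, set()).discard(role)

    def is_authorized(self, user, permission, authenticated):
        """Authorization depends on authentication: an unverified identity gets nothing."""
        if not authenticated:
            return False
        roles = effective_roles(self.assignments.get(user, ()))
        return any(permission in ROLE_PERMS[r] for r in roles)
```

When a person changes position, only the `assign` and `revoke` calls change; `ROLE_PERMS` stays as it is, which is the administrative saving the paragraph describes.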

In the absence of centralized authorization tools, most designers of manufacturing and control systems take precautions to minimize the amount of external traffic to and from the control system. Most commonly, various architectural measures ensure that data flows in one direction only, out of the system to the other enterprise systems. While RBAC will increase the safety of spontaneous data requests of the control system, it is not a panacea for careless design of the data flows.

Adapted from the first Technical Report of ISA SP99 Working Group. Committee chair is Bryan Singer. For more information, or to volunteer help, contact him at bryan_singer@entegreat.com.

Gary Mintchell, gmintchell@automationworld.com
