Bring Your Keys, Your Coffee Cup and Your Own Device

Like it or not, employees are using personal smartphones and tablets on the company network. An Automation World survey gauges the risks, the rewards and the security measures that must be in place to make sure BYOD is both successful and safe.

Incorporating a mobile workforce as part of the corporate culture is not a new business model, nor is it a passing fad. But for many manufacturers, the deluge of new devices and operating systems that will be brought into the company network represent a support headache for the IT department. There is also a fear among executives that intellectual property and mission-critical systems on the factory floor could be compromised if a mobile device is left unsecured or is lost or stolen.

Nevertheless, industry experts say that in the last 12 months or so manufacturers have been transitioning from a reactive approach to mobile devices in the workplace to a proactive plan for tackling enterprise mobility. The reason is twofold. First, they can’t stop the influx of personal tablets and smartphones used by employees at work. Indeed, the bring-your-own-device (BYOD) movement, defined as employee-owned devices being used within business, is ubiquitous and it needs to be managed. Second, manufacturers realize that putting corporate data into employees’ hands can help reduce costs, improve product development cycles, and increase productivity throughput and supply chain efficiency.

Many companies, however, aren’t sure where to start when it comes to a BYOD plan. It’s a real obstacle to overcome, because the reason manufacturers have been mobile stragglers has nothing to do with being technology Luddites, and everything to do with information security.

To better gauge how manufacturers are addressing BYOD, we asked Automation World readers to take part in a survey on the use of personal devices in the enterprise and on the factory floor. Respondents identified security as the top concern associated with a BYOD mobile workforce, followed by the introduction of malware and viruses onto the corporate network. Other nagging issues include the potential loss of control over corporate information, and the “consumer IT” phenomenon, in which users download—and manage—their own apps for business use.

Despite the BYOD reality, many manufacturers still don’t have a BYOD policy in place. In fact, 64 percent of survey respondents said their company does not currently have a BYOD plan in place for mobile workers. So, we asked, why not? The comments range from “no need” to “no idea.”

Here are a few of the anonymous responses:

  • “The company supplies laptops and mobile devices.”
  • “Only executives are allowed, and there is no plan for the factory floor.”
  • “At the plant there is not much call for it, and zero mobile workers.”
  • “Many of us bring our own, but I don’t know of any formal plan.”
  • “Not sure why we don’t yet.”

These comments are not surprising, says Salah Nassar, senior product manager of Fluke Networks’ AirMagnet Enterprise and security products. “When it comes to BYOD, in my experience, often the company policy is not to have a BYOD policy,” he says, noting that there are certain manufacturing verticals that will lock the whole network down and only allow devices that are commissioned by the company.

Even with a lockdown approach, manufacturers need to stay on top of issues. Given the sophistication of man-in-the-middle (MITM) hacks targeting wireless clients, it doesn’t matter if a phone is company-owned or a personal device. For example, hackers can fly a drone outfitted with a wireless hacking tool, such as Hak5’s Pineapple Mark V, onto the perimeter of a corporate building. Pineapple is a rogue access point that can impersonate the “preferred network list” on a person’s phone.

When a phone is not connected to a network, it sends out probe requests to all of the networks on its preferred list to see if one is available, at which point it automatically connects.

If a hacker is in the area, the user may inadvertently connect to a rogue access point. Users don’t realize there is a man in the middle; they just see they are on a network. But through the connected client device, the hacker can then redirect traffic, extract passwords or modify packets. And then, if attached to a drone, all that information can fly away without the user—or the IT department, for that matter—knowing there was a security breach.

Since security breaches are a matter of when, not if, the best defense is not necessarily to limit BYOD in the workplace, but to arm the IT department with tools to protect the network. Fluke Networks’ AirMagnet Enterprise is a wireless intrusion prevention and detection system that “listens” to the network and can identify different types of attacks. AirMagnet alerts an administrator to verify whether it is a threat and provides the tools to respond, and can even stop anything with a wireless radio from functioning around the network. The technology can also locate the threat by using the sensors set up around the network to triangulate its position.
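The two symptoms described above, a radio advertising a corporate SSID that does not belong to the company, and a radio that answers probe requests for whatever network a phone is looking for, are exactly what a wireless intrusion detection system listens for. The following is an added example of that detection logic, written for this article and not code from Fluke Networks, AirMagnet or any other product named here. The observation records, their field names, the SSIDs, BSSIDs and sensor names are all constructed for the example, as is the authorized-AP inventory; the threshold for flagging a promiscuous responder is an assumption.

```python
from collections import defaultdict

# Constructed sample observations, standing in for what a wireless sensor
# reports after decoding 802.11 management frames. The field names are an
# assumption for this example, not the output format of any real product.
OBSERVATIONS = [
    {"frame": "beacon",     "ssid": "ACME-PLANT",   "bssid": "aa:bb:cc:00:00:01", "sensor": "S1"},
    {"frame": "beacon",     "ssid": "ACME-PLANT",   "bssid": "aa:bb:cc:00:00:02", "sensor": "S2"},
    # An unknown radio advertising the corporate SSID (an "evil twin").
    {"frame": "beacon",     "ssid": "ACME-PLANT",   "bssid": "de:ad:be:ef:00:01", "sensor": "S3"},
    {"frame": "probe_resp", "ssid": "ACME-PLANT",   "bssid": "de:ad:be:ef:00:01", "sensor": "S3"},
    # The same radio answering probes for networks it cannot plausibly be.
    {"frame": "probe_resp", "ssid": "HomeWifi",     "bssid": "de:ad:be:ef:00:01", "sensor": "S3"},
    {"frame": "probe_resp", "ssid": "CoffeeShop",   "bssid": "de:ad:be:ef:00:01", "sensor": "S4"},
    {"frame": "probe_resp", "ssid": "Airport-Free", "bssid": "de:ad:be:ef:00:01", "sensor": "S4"},
    # A legitimate AP answering a probe for its own SSID is normal.
    {"frame": "probe_resp", "ssid": "ACME-PLANT",   "bssid": "aa:bb:cc:00:00:01", "sensor": "S1"},
]

# Inventory of authorized access points: SSID -> set of BSSIDs allowed to
# advertise it. Constructed for this example.
AUTHORIZED = {"ACME-PLANT": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}}


def detect_rogue_aps(observations, authorized, karma_threshold=3):
    """Return alerts for two rogue-AP symptoms.

    evil_twin: a beacon or probe response carrying a corporate SSID from a
        BSSID that is not in the authorized inventory.
    promiscuous_responder: one BSSID answering probe requests for at least
        karma_threshold distinct SSIDs, i.e. it claims to be whatever the
        client is looking for.
    Each alert lists the sensors that heard the radio, which is the raw
    input a WIPS uses to estimate where the rogue physically is.
    """
    alerts = []
    flagged_twins = set()
    ssids_answered = defaultdict(set)
    sensors_by_bssid = defaultdict(set)

    for obs in observations:
        ssid, bssid = obs["ssid"], obs["bssid"]
        sensors_by_bssid[bssid].add(obs["sensor"])

        # Corporate SSID advertised by a radio that is not ours: evil twin.
        if ssid in authorized and bssid not in authorized[ssid]:
            if (ssid, bssid) not in flagged_twins:
                flagged_twins.add((ssid, bssid))
                alerts.append({"type": "evil_twin", "ssid": ssid, "bssid": bssid})

        # Track which SSIDs each radio has answered probe requests for.
        if obs["frame"] == "probe_resp":
            ssids_answered[bssid].add(ssid)

    # A radio that answers probes for many unrelated SSIDs is impersonating
    # the client's preferred network list rather than serving one network.
    for bssid, ssids in ssids_answered.items():
        if len(ssids) >= karma_threshold:
            alerts.append({"type": "promiscuous_responder", "bssid": bssid,
                           "ssids": sorted(ssids)})

    # Attach the sensors that heard each flagged BSSID.
    for alert in alerts:
        alert["heard_by"] = sorted(sensors_by_bssid[alert["bssid"]])
    return alerts


if __name__ == "__main__":
    for alert in detect_rogue_aps(OBSERVATIONS, AUTHORIZED):
        print(alert)
```

Run against the constructed sample, the function raises one evil_twin alert and one promiscuous_responder alert, both for the same unknown BSSID and both heard by sensors S3 and S4; the two authorized APs raise nothing. The promiscuous-responder rule deliberately counts distinct SSIDs rather than frames, so a busy but honest AP that answers many probes for its own network is never flagged.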

“It’s almost impossible to control what comes into your network from someone’s pocket, so the next step is to know what devices are doing when they are on the network,” Nassar says.

BYOD best practices

Every company will ultimately have to factor mobility into the enterprise equation given the need for remote HMIs, on-demand analytics, and constant communication with workers in the field. So, by default, organizations will need to also have a BYOD policy in place.

“BYOD is not a strategy,” says Neil Florio, vice president of marketing for IBM’s Mobile Security Group. Rather, it is a component of a mobile strategy, he says. “And as part of that strategy, we recommend everyone create a BYOD policy that will go through a lot of things, such as what it means to use your own device, what devices can be used and for what, and an acceptable use policy.”

Respondents to our BYOD survey represent a cross-section of industries from discrete, continuous process, batch and machine builders—thereby painting a broad picture of BYOD attitudes. Of the survey respondents who said their company currently does have a BYOD plan in place for mobile workers, 33 percent noted that they also have a governance policy they must abide by. Specifically, there are rules around data encryption and steps to follow to secure access to corporate data. Mandatory security codes on devices and policies for how data should be transferred from personal devices to company servers are important. And employees must be willing to relinquish control of their devices in the event a device is lost, or the individual leaves the company, by allowing the company to remotely wipe corporate data from the device.

That’s where there may be employee pushback. “Mobile in general is personal,” Florio says. “People have a lot of personal information on their mobile devices from apps to email. So you have to make sure employees know what IT can and can’t see on that device.”

Educating the workforce on BYOD policy is crucial to a successful adoption, as people have to opt in to this practice in order for it to work. This is where mobile device management (MDM) software makes a difference.

IBM’s enterprise mobility management (EMM) software, called MaaS360, allows IT to bifurcate work data from personal data on any kind of device by using a container system to separate the profiles. That means that IT does not have access to an employee’s personal email, calendar or contacts, for example. IT can selectively wipe corporate data in the event the device is lost or stolen. Everyone is satisfied, which establishes trust. “IT can trust that the device is secure, and the employee can trust that IT is not interfering with their stuff,” Florio says.

Similarly, Cisco’s Identity Service Engine (ISE) provides device and app authentication and policy enforcement that keeps the end users in mind, in that it is transparent and simple. Getting end user buy-in is as easy as downloading a song from iTunes. When users want to access a corporate app from their personal devices, Cisco ISE automatically redirects them to a page asking them to install the MDM client software to gain access. Users, familiar with accepting privacy policies before a download, are more apt to opt in because it removes the IT admin from the scenario. They never lose access to their device, and IT gains a secure endpoint.

“Having a unified policy that you can enforce by access, by guest, by role, by device, all the way through to managing mobile devices both on premise and off site, is what Cisco enables,” says Chet Namboodri, Cisco’s global industry director for manufacturing. “And it applies just as well on the industrial side as it does in the enterprise.”

So what kinds of manufacturing apps are workers using their mobile devices for? According to the survey, the No. 1 use case is staff communication and team collaboration (55 percent), followed by field service and sales (23 percent), maintenance and management of remote assets (19 percent), accessing machine documentation (18 percent), parts search and ordering (17 percent), as well as viewing mobile HMI/SCADA screens (16 percent) and KPI reports (12 percent). Some (11 percent) are even using their devices to monitor and manage energy usage. And a few (4 percent) use their devices to monitor the physical security of the site.

Most users have to go through IT to gain access to company apps, but 7 percent of the survey respondents said their company has established its own “app store” to download the organization’s applications in a self-service mode.

BYOD and IoT

As the Internet of Things (IoT) enters the mix, there is potential for new types of mobile apps to emerge using connectivity protocols like the messaging queue telemetry transport (MQTT), a lightweight publish/subscribe messaging system designed for constrained devices and low-bandwidth, high-latency or unreliable networks. Beckhoff, for example, is working on ways to send push notifications to an operator from the machine as a way to send an alert on machine conditions. A BYOD plan would be an important piece in the puzzle.

“Everyone comes to the factory with their own phone,” says Daymon Thompson, Beckhoff’s TwinCAT product specialist. Operators could sign up for something that amounts to an app subscription on their cellphone, and push notifications could be sent to them. “It could be set up for notifications if a machine is low on material,” he adds, noting the ongoing need to keep machines running and maximize uptime.

As far as safety goes, there is no control taking place; it would only be a message noting that a specific machine needs attention. “We are many, many years away from BYOD machine control, as that sounds very risky,” Thompson says.

Right now, however, most companies are focused on the biggest benefits associated with BYOD, which include improved productivity and corporate culture—as in, staff satisfaction. That, it seems, is a bit ironic, because when that personal device becomes a direct channel into corporate activity, employees are operating in “always on” mode.

We asked survey respondents if mobile workers are expected to be responsive and accessible 24/7, and almost half (44 percent) said, “Yes.” So when employees are at home watching late night TV, or at their son’s baseball game, technically, they are expected to respond when work calls.

So it seems BYOD brings new responsibility for the company, the IT department and end users.
