BYOD Security in Perspective

As personal computing devices began entering the industrial workspace in significant numbers through corporate deployments and adoption of BYOD programs, IT and engineering departments raised red flags. But are mobile devices any less secure than other networked computing devices in the plant?

Source: Apperian.com
Source: Apperian.com

Permitting any kind of outside network access to plant floor control systems has long been a major obstacle for engineering teams. And it remains an obstacle for many engineers who cite clear security and operations concerns. However, most industrial companies today have accepted the fact that networked control systems are a fact of modern manufacturing and have increased their corporate and manufacturing IT security practices and policies in response.

Following close on the heels of industry’s broader acceptance of networked control systems came the BYOD movement—wherein corporate issued or personally owned mobile devices such as smart phones and tablet computers were being used to access automation and control networks. Accepting and securing in-house plant floor systems was one thing; extending that concept to employees’ mobile devices was a bridge too far for many engineers and plant managers.

Though the concept is still in its early days, the momentum around BYOD is much like that behind the push for networked systems a decade or more ago. The difference now is that, since industry has largely accepted the networked control system concept, acceptance of BYOD is likely to occur at a much more rapid pace.

As with the initial concerns around networked control systems, the main concern with BYOD is how to secure all those devices.

Eric Byres, chief technology officer and vice president of engineering for Tofino Security at Belden Inc., made note in his blog recently about comments presented on the BYOD security topic at the International NCSC One Conference 2014at the World Forum in The Hague. He noted that “while security traditionalists talk about ensuring confidentiality, availability, and integrity … the real goals can be divided into two more general ones: maintaining safety and maintaining control.”

Considering the inevitable increase in mobile device use in industry, this more targeted approach seems to make sense. As Marc Leroux, marketing manager, CPM Technologies R&D at ABB says, plant managers today “need to have instantaneous access to all pertinent plant information, whenever they want, wherever they are. With the larger amounts of data now available, and the always connected environment we are accustomed to, that information has to be available on phones, tablets and desktops.”

When you couple this reality with the emerging workforce that has grown up with high definition, realistic computer games, and which expects to see the same thing in their work environment, Leroux points out that “we know that static displays or reports printed on paper and distributed are a thing of the past.”

Given this reality, Byres questions if iPhone or Android smart phones are really the security risk the IT world claims. To put the issue in perspective, Byres asks: “How many truly effective rootkits have you seen for attacking iPhones? Now consider how many rootkits there are for taking over PCs.” He also notes that IT groups rarely encounter the need to patch many serious mobile device vulnerabilities, yet they have to install critical Windows, Java, or Adobe patches on PCs every week.

Byres goes so far as to point out that personal phones may actually be more secure than all the other devices welcomed by traditional IT. “Smart phones are more carefully guarded by their owners,” he says. Backing up this assumption, Byres referenced studies that show, on average, people notice and report a missing phone in less than 20 minutes compared to 24 hours for a missing wallet.

“If someone stole my laptop on a weekend, it could be two days before I noticed,” Byres says. “And once an iPhone goes missing, the remote wipe features are very effective. I doubt my IT department could ever wipe the laptop they gave me if I happen to lose it.”

Beyond security concerns, another change that must be considered in relation to greater to mobile use in industry is how manufacturing data is accessed and displayed on those devices.

“The requirements for access to information are rapidly changing,” says Leroux. “If a plant manager has to ask the IT group for a report, there is a strong likelihood that the specific need has passed by the time it is delivered. The new expectation is that anyone should be able to understand the data and configure a display for their own purposes.”

This trend represents a departure from the tag name structure of process historians, which is largely understood only by process engineers. “The current expectation is that any user can use natural language terms such as ‘give me the output temperature at the primary mixing tank’ instead of having to know that ‘P96T358T043’ is the tag associated with that value,” says Leroux. “It is also the expectation that the displays can be built up by an end user without assistance, and that they have the same availability sitting in their office or watching television with the family at night. Mobility, like many others, is a term that is evolving from referring to mobile devices to meaning immediate access to the information you want, when you want it, and on the display of your choice.”

The mobile future of manufacturing is already here. How industry adapts to that reality will determine how quickly and how widespread the benefits will be for the early adopters.

Other recent Automation World coverage of BYOD:

Companies in this article
More in Networks