Protecting Your Plant’s Data Against Viruses and Hackers

April 28, 2010 by  
Filed under Articles, Featured

Security for production networks is now a critical issue.

Over the past few years, security for industrial facilities has expanded from simple physical protection to include safeguards for data and networks. In this era of enterprise-wide Internet connectivity, protecting industrial networks has become at least as important as protecting front office systems.

Now that Ethernet and TCP/IP dominate industrial sites, networks are no longer protected by the isolation that came when factory floor communications were handled by an array of dedicated networks that were isolated from the rest of the enterprise. There are many benefits that come with tighter links to the front office and to the outside world using Internet pathways.

But those benefits also bring the need for protection. Security plans must keep hackers and extortionists from attacking the equipment that produces the goods that drive corporate profits. They must also prevent accidental problems and ensure that disgruntled employees don’t create problems. As in the office and home environments, this need for reviewing protection plans is never-ending.

“Security is not something that’s one-and-done, where you load it on your laptop and you’re all done. It’s got to be part of the corporate policy, something that needs to be revised a couple times a year to ensure that you’re protected,” says Martins Jansons of Siemens Industry Automation Division.

Industrial security encompasses many facets. Malicious attacks from outside are often a first consideration, but difficulties are just as likely to be caused by employees and contractors who don’t realize they’re creating problems.

An employee or technician logging onto the industrial LAN may not know their laptop has a virus. An employee who doesn’t log out may leave an opening for someone to make unauthorized changes, for example.

There are a fair number of technical tools that provide different types of protection. But to be fully utilized, those tools must be teamed with a workforce that understands the need for data security and has been trained to protect that data.  “Companies have to train all new employees in security and ensure that they’re following corporate rules for things like protecting key cards and passwords,” Jansons says.

On both the human and technical sides, there are a number of areas that must be constantly monitored and updated. One is credential hygiene. “Passwords may need to be changed every 30-45 days,” Jansons says.

Another is keeping antivirus software and program patches up to date. Though it’s easy to set up automated programs to download these updates, many companies find it difficult to shut down systems when updates require reboots. Many are also leery about installing updates without first checking whether they impact ongoing operations.

When companies like Microsoft provide a steady stream of updates and patches, risk-averse industrial managers sometimes test them out before installing them on production equipment. That requires a bit of redundancy and a well-planned strategy.

“Some companies that use Microsoft software set up shadow systems that burn in updates for 24 hours or so to see if any problems arise. If there are no adverse impacts on manufacturing, they will download the release to the rest of the machines, maybe doing it sequentially to provide a bit more protection,” Jansons says.

On the physical side, industrial networks must be isolated from corporate networks. Though it’s fairly easy to establish logical separations, the challenge arises for the handful of employees who need data from both sides of the network. Sharing data like orders and production capability is one of the reasons companies use Ethernet and TCP/IP, so some gateways must provide those links.

The gateway should be set up with very limited access. Only a few people need to cross the boundary to reach data on both sides, and each of those managers will need their own access credentials for the gateway.

The barriers may also utilize firewalls. Devices with firewall capabilities, such as a three-way switch, also provide a high level of protection. Companies concerned that these techniques don’t provide enough isolation can set up a demilitarized zone (DMZ) in which all data movement is monitored.

Devices in this zone are reachable from both the enterprise and plant networks, but the two networks are never connected to each other directly. “It’s sort of a quarantined area,” Jansons says. If hackers do get into this zone, their software can’t impact any critical equipment, he adds.
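The isolation Jansons describes only holds if the firewall policy between the three zones actually enforces it, and a single convenient rule (for example letting a DMZ data collector poll controllers directly) quietly breaks it. The following is an added example, not code from the article or from Siemens: a small Python audit of a zone-based policy with first-match, default-deny semantics. The zone address ranges, the services and every rule are constructed for illustration; the point it shows is that data should only ever leave the plant (the historian pushes to a DMZ mirror, office users read the mirror), so that nothing, including a compromised DMZ host, can initiate a connection into the control network.

```python
"""Audit a three-zone (enterprise / DMZ / plant) firewall policy.

Added example, not code from the article or from Siemens. The zone address
ranges, services and rules below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),   # office LAN (assumed range)
    "dmz":        ipaddress.ip_network("10.20.0.0/24"),   # quarantined exchange zone (assumed)
    "plant":      ipaddress.ip_network("10.30.0.0/16"),   # control network (assumed range)
}
ANY = "any"


@dataclass(frozen=True)
class Rule:
    src: str                # zone name or ANY
    dst: str                # zone name or ANY
    proto: str              # "tcp", "udp" or ANY
    dport: Optional[int]    # None = any destination port
    action: str             # "accept" or "drop"

    def matches(self, src_zone, dst_zone, proto, dport):
        return (self.src in (ANY, src_zone)
                and self.dst in (ANY, dst_zone)
                and self.proto in (ANY, proto)
                and self.dport in (None, dport))


# Data only ever *leaves* the plant: the historian pushes to a mirror in the
# DMZ and office users read from that mirror. Nothing initiates into the plant.
# First match wins; the final rule is the default deny.
POLICY = [
    Rule("plant", "dmz", "tcp", 443, "accept"),       # historian push to the DMZ mirror
    Rule("enterprise", "dmz", "tcp", 443, "accept"),  # office users read the mirror
    Rule("enterprise", "dmz", "tcp", 22, "accept"),   # the few authorised admins reach a DMZ jump host
    Rule(ANY, ANY, ANY, None, "drop"),
]


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(policy, src_ip, dst_ip, proto, dport):
    """Return the action of the first rule matching this flow ("drop" if none)."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in policy:
        if rule.matches(src_zone, dst_zone, proto, dport):
            return rule.action
    return "drop"


def permitted(policy, src_zone, dst_zone):
    """Accept rules under which src_zone may initiate a connection into dst_zone.

    Walks the policy in order, so a blanket drop for the pair shadows any
    accept rule that comes after it.
    """
    found = []
    for rule in policy:
        if rule.src not in (ANY, src_zone) or rule.dst not in (ANY, dst_zone):
            continue
        if rule.action == "drop" and rule.proto == ANY and rule.dport is None:
            break   # everything for this pair is dropped from here on
        if rule.action == "accept":
            found.append(rule)
    return found


def audit(policy):
    """Findings that would break the isolation the DMZ is supposed to provide."""
    return {
        # no direct path between the office and control equipment, either way
        "enterprise_to_plant": permitted(policy, "enterprise", "plant"),
        "plant_to_enterprise": permitted(policy, "plant", "enterprise"),
        # a compromised DMZ host must not be able to reach into the plant
        "dmz_into_plant": permitted(policy, "dmz", "plant"),
    }


if __name__ == "__main__":
    print(evaluate(POLICY, "10.10.5.7", "10.30.1.20", "tcp", 502))   # office PC to a PLC: drop
    print(evaluate(POLICY, "10.10.5.7", "10.20.0.10", "tcp", 443))   # office PC to DMZ mirror: accept
    print(audit(POLICY))                                             # all findings empty
    # A tempting shortcut: let the DMZ collector poll plant devices directly.
    leaky = [Rule("dmz", "plant", "tcp", 502, "accept")] + POLICY
    print(audit(leaky)["dmz_into_plant"])                            # flags the Modbus/TCP rule
```

Run the audit against the exported rule set every time the policy changes; an empty `dmz_into_plant` list is what makes the “quarantined area” claim true in practice.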

A range of technologies can provide a high level of security, ensuring that critical industrial systems won’t be impacted by unwanted software. Companies need to determine the best strategy for their needs and revisit these strategies regularly.

At the same time, companies must consider the social engineering side of network and data protection. “If you don’t train the staff to think about security, that can be your weakest link,” Jansons says.
