We are in the era of the Internet of Things (IoT) – a world where more and more “things” are embedded with smart sensors and communicate with one another. These things serve as gateways to help industrial organizations better understand complex manufacturing processes. Devices within a machine and plant need to talk with one another, as well as those at the enterprise level, using a unified networking infrastructure that is based on standard, unmodified Internet Protocol (IP).
While this helps create a seamless flow of information, protecting these industrial assets from security risks becomes increasingly important. It requires a defense-in-depth security approach that addresses both internal and external security threats. A defense-in-depth security architecture is based on the idea that any one point of protection may, and probably will, be defeated. This approach requires multiple layers of defense, so that a weakness or flaw in one layer is compensated for by the strengths, capabilities or new variables introduced by the other security layers.
Building in Layers of Security
Defense-in-depth security is a layered approach focusing on physical, network, computer, application and device security. Rockwell Automation teams with industry leaders, such as Cisco and its other PartnerNetwork™ members, to help OEMs build these layers of security into machinery and end users’ facilities. Physical security mechanisms, such as guards and gates, and a network-security framework that includes firewalls, intrusion detection and prevention systems (IDS/IPS), and managed switches and routers, are the building-block layers of a defense-in-depth approach.
Software vulnerabilities can provide an easy route for intruders to gain access to automation systems. OEMs can use advances in computer hardening to help protect end users against unwanted access. Computer hardening options include:
- Antivirus software
- Application whitelisting
- Host intrusion-detection systems (HIDSs) and other endpoint security solutions
- Removing unused applications, protocols and services
- Closing unnecessary ports
Computers on the plant floor, such as a human-machine interface (HMI) or industrial computer, are susceptible to malware cyber risks, including viruses and Trojans. Software patching practices can work in concert with these hardening techniques to help further address computer risks. Device hardening also can help protect machinery and involves changing the default security configuration of an embedded device, such as a programmable automation controller, router or managed switch, to make it more secure.
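The hardening options listed above (whitelisting, removing unused services and applications, closing unnecessary ports, running a HIDS agent) are easiest to keep in place when a host is audited against a written baseline. The following is an added example, not Rockwell Automation code and not tied to any of the products named on this page: it parses a constructed netstat-style snapshot of an HMI station, compares listening ports, services and installed applications against a hypothetical allowlist, and reports what should be closed, removed or installed. All port, service and process names are constructed for illustration; the only real values are the EtherNet/IP ports (TCP 44818, UDP 2222) and RDP (TCP 3389).

```python
import re
from dataclasses import dataclass

# Hypothetical hardening baseline for an HMI station (constructed values).
# EtherNet/IP explicit messaging (tcp/44818) and implicit I/O (udp/2222) are
# real CIP ports; RDP (tcp/3389) is kept open here only for remote support.
BASELINE_PORTS = {("tcp", 44818), ("udp", 2222), ("tcp", 3389)}
BASELINE_SERVICES = {"hmi_runtime", "whitelist_agent", "hids_agent"}
REQUIRED_SERVICES = {"whitelist_agent", "hids_agent"}   # must be present
BASELINE_APPS = {"hmi_runtime.exe", "engineering_tool.exe"}

# Constructed snapshot of the host: "proto local-address state process".
SAMPLE_LISTENERS = """\
tcp 0.0.0.0:44818 LISTENING hmi_runtime.exe
udp 0.0.0.0:2222 - hmi_runtime.exe
tcp 0.0.0.0:3389 LISTENING svchost.exe
tcp 0.0.0.0:23 LISTENING telnetd.exe
tcp 127.0.0.1:5432 LISTENING historian_db.exe
"""
SAMPLE_SERVICES = ["hmi_runtime", "whitelist_agent", "telnet", "ftp"]
SAMPLE_APPS = ["hmi_runtime.exe", "engineering_tool.exe", "media_player.exe"]

LINE_RE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+\S+\s+(\S+)$")


def parse_listeners(text):
    """Return (proto, port, process) tuples from a netstat-style snapshot."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            listeners.append((m.group(1), int(m.group(3)), m.group(4)))
    return listeners


@dataclass(frozen=True)
class Finding:
    category: str   # "port", "service", "application" or "missing"
    item: str
    action: str


def audit(listeners, services, apps,
          allowed_ports=BASELINE_PORTS,
          allowed_services=BASELINE_SERVICES,
          required_services=REQUIRED_SERVICES,
          allowed_apps=BASELINE_APPS):
    """Compare a host snapshot against the baseline and return findings."""
    findings = []
    # Closing unnecessary ports: anything listening that the baseline omits.
    for proto, port, proc in listeners:
        if (proto, port) not in allowed_ports:
            findings.append(Finding("port", f"{proto}/{port}",
                                    f"close; owned by {proc}"))
    # Removing unused services: installed but not in the allowlist.
    for svc in services:
        if svc not in allowed_services:
            findings.append(Finding("service", svc, "disable or remove"))
    # Endpoint protection: required agents that are not installed.
    for svc in sorted(required_services - set(services)):
        findings.append(Finding("missing", svc, "install required agent"))
    # Application whitelisting: executables outside the allowlist.
    for app in apps:
        if app not in allowed_apps:
            findings.append(Finding("application", app,
                                    "remove or block via whitelist"))
    return findings


def report(findings):
    """Render findings as one line each, sorted by category."""
    return [f"[{f.category}] {f.item}: {f.action}"
            for f in sorted(findings, key=lambda f: (f.category, f.item))]


if __name__ == "__main__":
    for line in report(audit(parse_listeners(SAMPLE_LISTENERS),
                             SAMPLE_SERVICES, SAMPLE_APPS)):
        print(line)
```

Running the script against the constructed snapshot flags telnet and the historian database port as open but unlisted, the telnet and ftp services as removable, the missing HIDS agent, and one application outside the whitelist. In practice the baseline would come from the site's hardening standard and the snapshot from the host's own tooling, and the findings would feed the patching and change-control process described above.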
Restricting Access to Valuable Data
Setting up policies that control human interaction with end-user systems can help prevent information theft, whether users are internal or external, on-site or remote. Using software tools such as the FactoryTalk® Security architecture allows end users to centralize authentication and access control by verifying the identity of each user who attempts to access the automation system. The software then communicates with the FactoryTalk Directory services platform to determine what the user is and is not permitted to do with that software. It either grants or denies each user's request to perform particular actions on features and resources within the system.
In addition, Logix Source Protection, a feature in Rockwell Software® Studio 5000™ Logix Designer application from Rockwell Automation, enables OEMs to assign a password to any routine or add-on instruction to help protect the valuable intellectual property contained within the applications.
Secure Remote Access
With the correct security procedures and architectural systems in place, remote monitoring through open-standard networks can provide OEMs and end users with an unprecedented ability to remotely oversee operations, perform real-time diagnostics and keep maintenance costs low.
Many end users are further reducing their costs with cloud-based computing that enables manufacturing operations on virtually any scale to deploy 24/7 monitoring of valuable applications. Moving remote access and support to the cloud, through a secure EtherNet/IP™ connection, helps OEMs monitor performance and quickly send critical data to the appropriate person.
The increasing sophistication of remote-systems monitoring, asset management and engineering support demonstrates how cloud technology facilitates IP-enabled “intelligent enterprise” advances in plant-floor security, connectivity, performance and ease of integration. A mission-critical production asset like a medium-voltage drive illustrates the point.
A nonfunctioning, isolated drive can result in a significant loss of revenue. With cloud technology, when this drive issues a warning or fault, the information is easily propagated to create a work ticket for a support engineer. Within minutes, a cloud-based, asset-monitoring application has an expert looking at the fault and taking corrective actions.
OEMs can add an additional layer of security in remote monitoring with secure routers. For example, the Allen-Bradley® Stratix 5900™ services router from Rockwell Automation enables users to help protect their information by creating encrypted tunnels that limit access to the traffic to authorized users, all while using the existing untrusted network.
By making ongoing investments in secure integration, property protection and remote access, OEMs can reduce exposure to unnecessary risks as they capitalize on the opportunities presented by the connected enterprise.
10 Steps to Building Security Into Machinery
OEMs can enhance their industrial reliability and security with these 10 actionable steps.
- Control who has network access using tools, such as access control lists and port-blocking features/devices.
- Ensure robust and reliable operations by employing firewalls and intrusion detection/prevention.
- Use anti-virus protection and whitelisting.
- Establish a system-patching policy to keep software up-to-date.
- Develop procedures for employee-security practices, for example: managing and protecting passwords, managing removable media and use of personal devices.
- Physically block changes to your controller by putting it in Run Mode.
- Control who is allowed to do what from where in the application with FactoryTalk Security architecture.
- Monitor what is going on in your system with Controller Change Detection and FactoryTalk AssetCentre system.
- Protect your intellectual property with Logix Source Protection.
- Ensure all Ethernet devices are connected using standard Internet Protocol.