Legal Accountability for Access Via Controls Could Necessitate More Protection

Protect Workers; Protect Yourself: Proposed Canadian Legislation Could Lead to Accountability Via Controls Access


By Jeremy Pollard, CET

Bill C45 is Canadian legislation that identifies companies and individuals who might be responsible for the injury or death of an employee in almost any circumstance.

The term "idiot-proof" comes to mind. It can't be done. This bill has led to a surge in work for various tradespeople and automation companies, especially in the press and stamping industries, where many accidents happen due to lax controls combined with the need for speed.

In one case, a worker was crushed in a press because he was unaware that the lockout that he initiated wasn't connected, and the person on the other side of the press, who had defeated the two-hand anti-tie-down control, cycled the press.

"How could this happen?" you ask. The answers sometimes are shockingly easy.

However, in the land of networks and "data anywhere," how far does one have to go to secure one's plant and process from unscrupulous and devious minds? Can something akin to getting hurt in a press be caused by someone over a network? Can a person in authority really be charged for not securing one's network? There are those who think so.

I know Eric Byres and Ian Verhappen well, and as fellow Canadians, we share technology ideas and hockey stories. Sometimes we disagree, as I have with Eric about PLC and controls security.

In the fall, Eric, Ian and I had a conversation about Tofino—a security appliance that sits in front of each and every PLC network or each PLC, for that matter. It's an expensive proposition, but I didn't immediately discount the benefits.

Ian worked with MTL, which partnered with Byres Security to develop, manufacture and market it to all industry sectors.

Eric is a verbose guy, full of energy. His passion for the technology is very evident, but I wondered if it's more about salesmanship than anything else. Then he said something that provided that eureka moment. Tofino is also a protocol gateway, so "it can prevent unwanted downloads, data change and firmware changes," he said. I nodded while I rummaged through my recall brain cells about a time a brewery employee downloaded the wrong program to the wrong PLC and lost the batch, which cost the company more than $40,000 in raw materials.

Then I recalled the time that someone—still an unsub—trashed the firmware in a palletizer PLC and stopped production for more than six hours. At the time I was involved in a strategic evaluation for a customer about whether its electrician group would be allowed on the factory floor with laptops that could connect to the network.

If an intruder got into the control network via a normal IT firewall with the intent to create havoc with the control system, they normally would take over the HMI computer using normal hacks and holes in the operating system. But if the intrusion was from inside, they could go directly to the PLC itself.

Internal control system terrorism. Is it a bigger threat to the factory floor than the external flavor?

I don't know the ins and outs of Tofino, but it is clear that, for various types of businesses, such as pharmaceuticals, it might be a requirement for compliance.

I do some work for a pharmaceutical company. They have a PLC network that you'd consider open. Most don't have passwords on PLC access, and if there are any, the passwords are on Post-it notes on the wall.

I was connected to that network and could have altered the formula by changing a few variables. If I was in that brewing company, I could mess with the taste of the batch.

While all attacks on control systems might not be malicious in nature, some could create enough chaos or danger to personnel that the people in charge might be held accountable because of the measures in Bill C45.

It's an argument for Byres' enthusiasm. Maybe not yet an immediate concern for Machine Builder Nation, but your customers might look to you for help. For more information visit www.ControlDesign.com/billc45.

Due diligence is required, in any case. So, for starters, at least lock the control panel doors.
