
Secure Against Process Automation Errors

Jan. 9, 2012
What Kind of Prioritized Operator and Technician HMI Access Can Protect the Process and Still Give Links Needed to the Outside?

More of the automation we install on our machines has Ethernet and web-based connections. This helps with remote troubleshooting and enterprise reporting, but some customers worry that their connected factory floor is vulnerable to internal input mistakes that can cascade through an entire process. What kind of prioritized operator and technician HMI access can protect the process, but still give us the links needed to the outside?

—From November '11 Control Design

Answers

Several Options

There are many ways to gain the benefits of a completely networked factory while preventing erroneous input from affecting an entire production line or factory. One main benefit to networking a factory is convenient access to diagnostic data for all machines at once, even from a remote location. A simple and safe way to facilitate this is to integrate a web server directly into the PLC. This allows read-only access to all of the machine data, including specific hardware and software errors. From this remote diagnostic tool it would be possible to see the status of motion components or individual points of I/O, but it would not allow potentially dangerous inputs.

Another often-used tool that introduces vulnerabilities is a virtual network computing (VNC) connection to the HMI. This can be either a remote terminal somewhere in a factory or even wireless access through a VNC client on a tablet or smartphone. These technologies offer a convenient way to control or view a machine's HMI remotely. However, to keep the machine operation secure, they should be protected by passwords that enable either view-only or control-level access.

Even before the trend of web-based connection to machines, one of the biggest vulnerabilities to interrupting production on the factory floor was through direct access to the HMI. Implementing password-protected user levels can minimize a machine's susceptibility to costly errors caused by unauthorized or accidental manipulation of the HMI. An alternative to simple password protection would be to integrate RFID technology into the front bezel of the HMI. In this case, machine operators and technicians would be issued unique RFID dongles to log into any terminal. These users could be automatically given access to only the controls that are relevant and for which they are authorized.

In addition to these preventive measures against input errors, a machine's alarm system can be used to log user actions when they are signed in. Tracking individual user commands could help track down and reverse any problem that arises from improper input to the machine. This system could also theoretically send out an alert to the site manager (via email or SMS) if a particularly important parameter is changed or a command is issued.

Nathan Hibbs, Sales Engineer,
B&R Industrial Automation
www.br-automation.com

Precautions Outlined

Advanced HMI/SCADA systems are designed to enable remote access to automation systems in a secure manner. Obviously, it is important to configure the system and the software tools properly to eliminate (or at least mitigate as much as possible) the vulnerability of any system. Here are a few important guidelines:

Design protections in the controller (e.g. PLC) program to avoid foreseeable invalid operations, even if they are sent by the HMI/SCADA. The robustness of an automation system starts with a well-designed program for the controllers, which are able to reject instructions from the operator that are clearly invalid, based on the characteristics of the machine or process.

Isolate the control network from the remote user network and elect the HMI/SCADA station as the link between remote users and the controllers. Well-designed HMI/SCADA packages provide tools to block access to the development environment from unauthorized users, preventing the configuration of new commands or communication interfaces that were not properly planned and previously tested.

Configure encryption in the link between remote users and the HMI/SCADA software. Systems can support the standard Secure Sockets Layer (SSL) when connecting remote web thin clients to the runtime station to provide a high level of protection against cyber attacks.

Configure the security system from the HMI/SCADA package in a hierarchical manner, providing rights to remote users according to their credentials. It is important to adopt HMI/SCADA software that provides a high level of granularity and flexibility when designing the security system, so you can enable only the specific tasks that are really necessary for each remote user and block everything else. As a rule of thumb, if there is not a clear advantage to exposing a specific interface to a remote user, it should be blocked.

Enable an event logger from the HMI/SCADA software that records the actions taken by remote users. This helps to prevent reckless actions taken by remote users, especially when they know that their actions will be recorded.

If the need for remote access is purely monitoring data, disable all commands (e.g. change set points) from the remote users to the HMI/SCADA software. In other words, configure the remote thin client stations as "read only" unless it is important for the remote users to send information back to the runtime (server) station.

In many cases, it is not possible to ignore the benefits provided by technologies and tools currently available for remote diagnostics. However, it is important to take precautions and mitigate the risks inherent to any distributed system.

Fabio Terezinho,
Vice President of Consulting Services,
InduSoft
www.indusoft.com
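The first guideline above, a controller program that rejects clearly invalid instructions no matter which HMI sent them, as an added example that is not from the article or any vendor's product. The tag table, limits and interlock for the "heated tank" are constructed assumptions.

```python
"""Controller-side rejection of invalid HMI writes. Constructed example:
the tag limits, interlock and sample commands are assumptions, not from the
article or any vendor's product."""
from dataclasses import dataclass

@dataclass(frozen=True)
class TagSpec:
    lo: float        # physical lower limit of the process variable
    hi: float        # physical upper limit
    max_step: float  # largest change accepted in a single write

# Constructed tag table for a hypothetical heated tank.
TAGS = {
    "heater_sp": TagSpec(lo=0.0, hi=150.0, max_step=20.0),
    "pump_speed": TagSpec(lo=0.0, hi=100.0, max_step=50.0),
}

def interlock_ok(tag, value, state):
    """Constructed interlock: the pump may only run while the outlet is open."""
    if tag == "pump_speed" and value > 0 and not state.get("outlet_open", False):
        return False
    return True

def validate_write(tag, value, state):
    """Return (accepted, reason). The controller applies this to every write,
    whether it came from the local HMI or a remote client."""
    spec = TAGS.get(tag)
    if spec is None:
        return False, "unknown or read-only tag"
    if not isinstance(value, (int, float)) or isinstance(value, bool):
        return False, "non-numeric value"
    if not spec.lo <= value <= spec.hi:
        return False, f"outside physical range {spec.lo}..{spec.hi}"
    if abs(value - state.get(tag, spec.lo)) > spec.max_step:
        return False, f"step larger than {spec.max_step}"
    if not interlock_ok(tag, value, state):
        return False, "interlock not satisfied"
    return True, "ok"

def apply_writes(commands, state):
    """Apply (tag, value) writes in order; reject bad ones and keep a verdict per write."""
    verdicts = []
    for tag, value in commands:
        ok, reason = validate_write(tag, value, state)
        if ok:
            state[tag] = value
        verdicts.append((tag, value, ok, reason))
    return verdicts
```

Because the check lives in the controller rather than the HMI, a remote client that bypasses the HMI's own screen logic still cannot push the process outside its physical limits.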

Secure Against Risk

Although critical to plant security, even the most comprehensive authentication and authorization systems will not prevent inadvertent changes or outright user mistakes. During a time when considerable media attention has been focused on outside risks, manufacturers should recognize that plant downtime is much more likely to be caused by an operator error than by a hostile, outside agency. Because of this reality, manufacturing systems also need to include robust change management and disaster recovery capabilities. If an unintentional error does occur, the more quickly the system can detect the change and revert to a previous configuration, the more likely a plant can prevent extensive downtime and loss in production.

As manufacturing systems expand beyond four walls, it becomes even more critical that all aspects of security and change management are handled as an integrated whole. By doing so, organizations are better able to manage system changes and provide effective access to information.

Scott Miller
Visualization Software Business Manager,
Rockwell Automation
www.rockwellautomation.com

Many Levels of Security

On operator interfaces, especially those with remote access, provide multiple user logins, each with their own user name and password. Give each login one of multiple levels of access that can be configured as view only, view and screen change, or full access.

Allowing multiple successive logins per account avoids the need to require a login for everyone, but it is important to be able to limit that number and use tags to limit access also. Provide a disable tag, which can be configured so the local operator can lock out remote users. Provide a notification tag to trigger events that can notify of access on one of the accounts.

Couple these with local password protection for screens and objects, and you can see there are many levels of security that can be used to control access to the process. Finally, complete this by requiring that any process control equipment not be made directly available to the Internet, but instead placed behind a secure VPN router.

Bobby Thornton
Product Engineer for HMI,
AutomationDirect
www.automationdirect.com
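The access controls the answers describe (per-user access levels, remote clients configured as read only, a local lock-out tag for remote users, and an event log that raises a notification when an important parameter is changed) combined into one gate in front of an HMI, as an added example that is not part of the article or any vendor's software. The user names, the level names and the "critical" tag set are constructed assumptions.

```python
"""Access gate in front of an HMI, modelling controls described in the
answers above: per-user access levels, a remote "read only" mode, a local
lock-out tag for remote clients, and an event log with notification on
critical parameter changes. Constructed example; users, levels and tags
are assumptions, not a product's configuration."""
from enum import IntEnum

class Level(IntEnum):
    VIEW_ONLY = 1       # may read data and look at the current screen
    SCREEN_CHANGE = 2   # may also navigate between screens
    FULL = 3            # may also write set points and issue commands

# Constructed user table; a real HMI keeps this in its security database.
USERS = {"op_local": Level.FULL, "tech_remote": Level.FULL, "mgr_remote": Level.VIEW_ONLY}
REQUIRED = {"read": Level.VIEW_ONLY, "screen": Level.SCREEN_CHANGE, "write": Level.FULL}
CRITICAL_TAGS = {"heater_sp"}   # writes to these raise a notification

class HmiGate:
    def __init__(self, remote_read_only=True):
        self.remote_read_only = remote_read_only
        self.remote_disabled = False   # the local operator's lock-out tag
        self.events = []               # audit log of every request, allowed or not
        self.notifications = []        # alerts raised for critical changes

    def request(self, user, action, tag=None, remote=False):
        """Decide one request and record it; return True if it may proceed."""
        level = USERS.get(user)
        if level is None:
            verdict = "denied: unknown user"
        elif remote and self.remote_disabled:
            verdict = "denied: remote access locked out by local operator"
        elif remote and self.remote_read_only and action != "read":
            verdict = "denied: remote clients are read only"
        elif level < REQUIRED[action]:
            verdict = f"denied: requires {REQUIRED[action].name}"
        else:
            verdict = "allowed"
            if action == "write" and tag in CRITICAL_TAGS:
                self.notifications.append(f"{user} changed {tag}")
        self.events.append((user, action, tag, remote, verdict))
        return verdict == "allowed"
```

Denied requests are logged as well as allowed ones, so the event log shows attempted as well as completed changes.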