How should we secure the operator panel?

Aug. 10, 2006
A reader wants to know if they should be looking for fingerprint or retina scanners or the like when upgrading security features, and if they are cost-effective compared to more traditional security measures.

QUESTION:

A customer wants us to upgrade the security features that determine access and levels of access to various parts of the control and automation system. They have issues with passwords being shared and keycards being borrowed or duplicated. Should we be looking for fingerprint or retina scanners or the like? Just how “industrial” could we expect them to be? Are they cost-effective compared to more traditional security measures?

—from May 2006 CONTROL DESIGN 

ANSWERS:

Biometrics Available, But Don’t Neglect HMI Software
Your customer's security concerns certainly aren’t unusual. Many factors have contributed to an increase in security in nearly every industry. World events have contributed to these concerns, but in many industries, federal regulations (FDA, TREAD Act, Bioterrorism Act, etc.) have played an even larger role. Biometric verification has been a common answer to resolving identity verification issues, and as a result the market has responded with quite an array of vendors offering biometric input devices.

Many of these devices are designed to meet NEMA 4, NEMA 4X, and other industrial standards. They’re commonly used in environments that I would consider "light industrial," such as pharmaceuticals, semiconductor, chemical, etc. Harsher environments, such as foundries, steel, heavy manufacturing, and others, may require some additional protection for these devices.

Manufacturers of fingerprint readers include U.S. Biometrics, Digital Persona, Lumidigm, Secutronix, and even Microsoft. There are a wide variety of solutions available, from modules that you would integrate into your panel and office-grade readers, to standalone, fully-sealed, industrial-rated readers.
There are even some manufacturers that integrate fingerprint readers into industrial computer and HMI hardware. These include AJM Automation, which happens to use a Parker-CTC HPX PowerStation.

An important consideration in an application like this is the HMI software that’s providing the security. All of the input and verification devices in the world can’t provide adequate security if the software behind them isn’t up to the task. You may want to consider your HMI's capabilities in the areas of User Administration, which includes unique user identification, inactivity logouts, password aging and length rules, and restricting access to tools and functions on a user basis, as well as OS considerations like compatibility with Active Directory or domain-based integration. In some of the regulated environments, these considerations may expand to include capabilities like electronic signatures, secure audit trails, and capturing approved reasons for a change.

Parker-CTC produces an HMI product called InteractX, which provides the tools for compliance in even the most rigorous security environments (FDA 21CFR11). It meets all of the requirements above and more. You also may want to review the capabilities of your current HMI, and ensure that it’s able to support the security upgrades your customer is requesting. If not, a product like InteractX may be just the solution you’re seeking.

Andy Balderson, product sales manager, Parker Hannifin, Electromechanical Automation, Rohnert Park, Calif.
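
The user-administration items listed in the answer above can be checked against an export of an HMI's security settings and accounts. The following is an added example, not code from the article or from any vendor's product; the field names, the `*` wildcard and the baseline thresholds are assumptions, and the sample data is constructed.

```python
from datetime import date

# Assumed baseline (not from the article); set these from the site's own policy.
BASELINE = {"min_password_length": 8, "max_password_age_days": 90,
            "inactivity_logout_s": 600}

def audit_hmi(settings, accounts, today, baseline=BASELINE):
    """Return sorted (subject, finding) pairs; an empty list means compliant."""
    findings = []
    if settings.get("min_password_length", 0) < baseline["min_password_length"]:
        findings.append(("settings", "password length rule too weak"))
    age_limit = settings.get("max_password_age_days", 0)
    if not 0 < age_limit <= baseline["max_password_age_days"]:
        findings.append(("settings", "password aging off or too long"))
    logout = settings.get("inactivity_logout_s", 0)
    if not 0 < logout <= baseline["inactivity_logout_s"]:
        findings.append(("settings", "inactivity logout off or too long"))

    seen = set()
    for acct in accounts:
        uid = acct["user_id"]
        if uid.lower() in seen:  # IDs differing only by case are treated as one
            findings.append((uid, "user id is not unique"))
        seen.add(uid.lower())
        if not acct.get("person", "").strip():  # generic or shared login
            findings.append((uid, "not issued to a named person"))
        if (today - acct["password_set"]).days > baseline["max_password_age_days"]:
            findings.append((uid, "password older than aging limit"))
        if "*" in acct.get("functions", ()):  # hypothetical "everything" wildcard
            findings.append((uid, "access not restricted per user"))
    return sorted(findings)

# Constructed sample export; field names are hypothetical, not any product's schema.
SETTINGS = {"min_password_length": 6, "max_password_age_days": 0,
            "inactivity_logout_s": 300}
ACCOUNTS = [
    {"user_id": "jdoe", "person": "J. Doe", "password_set": date(2006, 7, 1),
     "functions": ["start_batch", "ack_alarm"]},
    {"user_id": "operator", "person": "", "password_set": date(2005, 1, 15),
     "functions": ["*"]},
    {"user_id": "JDoe", "person": "Jane Doe", "password_set": date(2006, 8, 1),
     "functions": ["edit_recipe"]},
]

if __name__ == "__main__":
    for subject, finding in audit_hmi(SETTINGS, ACCOUNTS, date(2006, 8, 10)):
        print(f"{subject}: {finding}")
```
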


Biometrics Are Simple, Inexpensive, Reliable
The use of biometric devices such as fingerprint or iris scanners is no longer science fiction. The need for using stronger passwords or devices to assure security of shop-floor systems is increasing. The issue with stronger passwords (passwords with combinations of letters and numbers) is that they’re often difficult to remember. Having users write them down violates the whole idea behind having them in the first place. To avoid this issue and avoid having users type in these longer and secure passwords, customers are turning to biometric devices to satisfy this need.  

With GE Fanuc’s iFix Version 4.0, customers can add biometrics, which is typically the ability to use an iris scanner or fingerprint reader instead of entering a password. These devices aren’t expensive. Fingerprint readers are under $100 and iris scanners are available for about $250.

iFix 4.0’s integration toolkit option delivers a set of biometric interface tools that enable a developer to marry iFix’s electronic signature dialogs with any biometric solution. We also provide connectivity to a third-party biometric technology solution from a company called Saflink. Users install Saflink’s SAFsolution on their computers, and its software manages all their biometric devices, and integrates with Windows Security. iFIX then references the SAFsolution software any time an electronic signature password is required. It’s a very simple, cost-effective, and reliable solution.


Craig Thorsland, Proficy HMI/SCADA, and global process marketing manager, GE Fanuc Automation, Charlottesville, Va.


Enforce Security Policies; Justify Biometrics Costs
A relatively simple and cost-effective way to upgrade security is to improve management support and enforcement of security and access policies. By clearly defining the security requirements and educating personnel on the importance of these procedures, employees can better understand their role in keeping the plant floor secure.

If policy reinforcement from management doesn’t help, biometric technologies are a more aggressive option. However, fingerprint identification technologies tend to get dirty in industrial environments, so retina scanners and other biometrics may be a better option.

As for cost-justification, the same concerns are true for any security technology—it depends on the cost of the control. For example, if a security technology costs $500 to implement, but downtime on the line that it secures results in savings of $10,000 per day, then the cost of the technology is justifiable. If the cost of the control is significantly more than what it mitigates, you will want to look for another option.

Bryan Singer, senior business consultant and chairman of ISA’s SP-99 committee, Rockwell Automation, Milwaukee, Wis.

October's Problem

Should We Switch to PC-Based Control?
We’ve gotten along pretty well with PLC-based machine controls. We supply machines to the contract liquid filling industry where we or our customers haven’t had to deal very much with enterprise connectivity issues until now.

We’re having some difficulty sorting the competing vendor arguments that 1) we should just augment our PLC controls with a PC-based HMI to obtain the needed connectivity, or 2) we need to convert entirely to PC-based control to eliminate integration and support issues. Any advice?

Send us your comments, suggestions, or solutions for this problem. We’ll include it in the October 2006 issue, and post it on ControlDesign.com. Send visuals if you’d like—a sketch is fine. E-mail us at [email protected]. Please include your company, location and title in the response.

Have a problem you’d like to pose to the readers? Send it along, too.