By Jim Montague, Executive Editor
Do you really know what it is you're doing? I usually think I do, but sometimes I get shaken by something that shows me that I'd better check again. Not comfortable.
So, there I was, researching and reporting this month's "How Much Access?" cover article www.ControlDesign.com/howmuchaccess), on network security and quizzing a bunch of excellent sources, when I got asked a simple question in return. Near the end of our interview, Francis Lauryssens, Pi software systems specialist at Sun Chemical's pigment plant in Muskegon, Mich., asked me, "What is network security?"
After a few years covering this topic, I thought I knew what network security was—keeping out intruders, stopping unauthorized access, killing intrusive computer viruses, right? Certainly, but Lauryssens explains there's a lot more to security than this narrow, physical, old-time-burglar-based definition.
"Security is about preventing things from happening that you don't want to happen," he explains. "Try to think about it this way—what does security mean for your car? Does it mean just keeping people out? Or does it also mean having good brakes, seatbelts and airbags, as well as an engine, tires and other parts in good working order? All of these give your car the ability to keep operating well and allow you to keep traveling down the road. This is not just keeping intruders out. Likewise, this broader definition of security also includes getting your 5000-mile maintenance checkups, but then do you just hope your mechanic fixes your car right, or do you ask some questions and say what you need and expect?"
Of course, Lauryssens' perspective is similar to the idea expressed by several sources that network security is very similar to safety and can be viewed at least partly as a subset of it. This idea is especially useful if it helps already-safety-conscious controls engineers and technicians learn about and adopt network security as part of established safety mindsets and procedures.
However, when you think about it further, can't the definition of safety be widened beyond itself, too? Safety also is about preventing bad things from happening, and so this conception of both can be extrapolated further to account for even wider circles of potential threats and negative impacts on your car and you.
For example, making sure your community maintains decent roads, plows snow and ice, maintains effective signaling and enforces traffic laws—such as speed limits—can have a potential impact on your car's security and safety. Likewise, effectively training young drivers, reevaluating older ones and keeping drunk drivers off the road can do the same.
In fact, I'd bet Lauryssens' expanded security definition not only could be applied to cars, industrial networking and process control and automation, but also could be used in homes, families, organizations, communities large and small, planets or anything that their users might want to protect.
These are not jobs that network switches can do, but they can help. For instance, though there are lots of network security resources and tools, the most important one this side of a good firewall is to secure and maintain common-sense awareness of your tools, application, network and facility, including knowing what data is going in and coming out and at which points. This knowledge will direct you to implementing the most appropriate network security hardware and software.
However, you also must have the sticktoitiveness to follow through and religiously perform your security and safety maintenance training and chores. And, sorry, but this includes bringing controls and IT staffs together, drafting a workable patching policy and installing patches and service packs every time they come in from your software suppliers.
Many controls engineers counter that they can't just shut down critical applications every time Microsoft sends out a patch, and they're right. However, there also are a growing number of methods and tools for quarantining and testing patches and then downloading them to the plant floor as soon as it's convenient.
So, even though questioning what you're trying to do might be startling and seem unnecessary, reexamining some basic concepts like security may help make you and your application to be truly more secure.