HMI / Data Acquisition & Monitoring / Networking / Cybersecurity

Why HMI innovations may promise better access control

Operators, maintenance techs and engineers could be granted permission to interact with an HMI to different degrees.

By Hank Hogan, Contributing Editor

At the machine level, access control involves managing who can do what using the HMI. For that human-machine interface, advances borrowed and adapted from other areas are now used to bolster usernames, passwords and other old security standbys. These innovations promise better access control.

At B&R Industrial Automation, local access control for machines has been improved through the use of two technologies, says John Kowal, director of business development. First is the incorporation of the same RFID technology often used to control access to buildings. The second is locking down machine software through code compilation.

SEE ALSO: Layers Protect Access to Controls

RFID is found in fobs and cards, and company employees pass them near a reader to open doors and gain access to facilities. "It's better than a password because people 'pass' passwords along," Kowal says. "It's certainly less complicated than a biometric."

The access that's granted can be at different levels. Operators, maintenance techs and engineers could be granted permission to interact with an HMI to different degrees.

As for code compilation, that offers some protection against inadvertent or intentional changes to a program. Kowal says B&R Industrial Automation uses IEC 61131-compliant languages, allowing function blocks to be locked. This is unlike the situation in a conventional PLC, where such safeguards don't exist, he adds.

Rockwell Automation also sees demand for RFID authentication, says Tad Palus, global product manager for visualization products. One of the reasons for this interest is a desire to track and control individual access to a machine. An RFID-based approach doesn't suffer from some of the drawbacks that are found with alternatives.

"Biometrics is a challenge because a lot of operators have to wear gloves, or they work in a process where their hands get dirty," Palus says. As for retinal scans, they're frequently stymied because operators wear goggles or safety glasses.

Rockwell Automation itself doesn't offer an RFID solution, however, partners such as RF IDeas have readers that can be integrated into a machine.

Often maligned, passwords actually can be secure — provided that user accounts are managed properly, Palus says. This typically means that user groups need to exist, with permissions given to the group at large and then individual users assigned to a group. It's also necessary to be able to add, drop and modify user accounts. The next Machine Edition of FactoryTalk will have these capabilities, Palus claims.

Now, making an HMI panel more secure can improve machine access control, but only if it's used. That, in turn, often is determined by the difficulty level of administrative tasks. If users must jump through too many hoops, they'll be tempted to bypass the access control system in some way.

Siemens Industry kept that in mind for its WinCC software family. The software has tools to manage usernames, passwords and groups in an administration scheme.

"Siemens has provided user group administration for years to provide customers with this power and flexibility," says Wayne Patterson, U.S. Simatic HMI product manager. "It's very easy to provide new individual users the rights that are already associated with specific functional groups." He adds that users want open, yet secure, systems. However, an HMI that's locked down to prevent changes is not enough because the HMI itself can be replaced. A laptop, for example, could be plugged in to a network and a new HMI dropped into a machine. For that reason, device authentication is necessary, even for machines not connected to a network.

Keeping with the theme that no machine is truly an island, Paul Forney, chief security strategist for the common architecture and technologies group at Invensys, notes that HMI access control must include strict limits and the monitoring of any access from outside the machine. Threat-detection engines that pick up malware activity can be helpful for this, he says.

For protection at the machine level, there are some promising developments, provided that system and operator panels are deployed securely. For instance, DeepSafe, a joint development between McAfee and Intel, assists security at a hardware level. That improves safeguards and access control efforts.

"This new technology sits below the operating system and close to the silicon, allowing for an exceptional vantage point in the computing stack to better protect systems," Forney says.