Clark notes that smartphone problems are just beginning and could become similar to current issues with company-issued laptops, which are often unknowingly infected at home, then brought back to work where they spread the virus. "Most recently this issue has spread to mobile, iPad and smartphone devices. While these devices currently can't carry an infection capable of spreading within a normal corporate authenticated environment, it's clear that at some point they might be able to."
He suggests tighter security measures. "Device authentication can provide information about what it is and where it is—and presumably where the user is," he says. "Using other proximity authentication, such as Bluetooth and bar-code readers, will allow location authentication of users and devices within proximity to allowed areas or machinery. Once the person leaves the area, the content for that area no longer will be available. Another advantage of knowing where devices and users are located is that intelligent alarming can occur, which will direct alarms to the nearest appropriate people."
Monitoring Versus Control
Not many people oppose BYOD for monitoring production processes, but there are myriad concerns when it comes to using personal devices to make changes to an operating facility.
One end user, requesting anonymity, at a major Midwest refiner says, "I don't see our company or any other oil company offering control from a personal device. If something bad ever happened we would get pilloried. We're downright paranoid about external connections to the control system to the point where even serial Modbus connections get closely scrutinized. I personally consider this a good thing. Let the companies that don't make stuff that burns and explodes figure it all out before we wade in." Monitoring via a personal device is OK, he adds.
Diane Trentini, vice president at Optimation Technology, a system integrator in Rush, N.Y., hasn't seen any demand for control using personal devices. "We've had small projects in which process or production information such as status updates and alarms are sent to a personal mobile device," he says. "There are also Web-based displays of process data that can be accessed by a personal mobile device. But to date, we've not implemented mission-critical controls on personal devices."
Lou Bertha, an engineer at RDI Controls, a system integrator in Lower Burrell, Pa., believes BYOD for control is OK if used judiciously. "There are advantages to being able to access plant information via employees' personal devices," he says. "A smartphone or tablet can be great for troubleshooting, remote diagnostics or monitoring a system while away from the control room, etc. This type of remote access could be set up on a personal device without any issues."
But for control, care must be taken. "Depending on the process, the ability to modify critical processes might or might not be warranted," he says. "Each process—power generation, water treatment, widget making, etc.—has its own conditions on what's critical and what's not. You might not want to give the ability to trip the entire plant via a smartphone, but would want to allow people to turn motors on and off via personal devices."
With many systems, the capability to control with a personal device is readily available, but not everyone uses it. "We use mobile applications to monitor our processes, not to control them," Stamas says. "The system has the capability, but we just haven't had the need to make process changes remotely via mobile applications."
BYOD in the Real World
Monitoring with an employee-owned device is catching on much faster than control. One reason might be that a smartphone supplied by the employee is much less expensive than installing HMIs throughout a plant. Those additional HMIs often come with expensive site licenses and require ongoing support, such as periodic software updates. With a personal device, access is via apps and web browsers, which are updated by the suppliers, usually at much lower costs.
John Cusimano, director of industrial cybersecurity at aeSolutions, a system integrator in Greenville, S.C., recently worked with a client in the water/wastewater sector who replaced hard-wired operator interface panels with company-provided portable devices. The devices connected to the control system via a short-range 802.11 wireless-access point.