
How do you solve a problem like cybersecurity?

In data collection’s new frontier, is air gap passé?

By Rick Rice, contributing editor

I recently embarked on a data-collection journey with my employer. We have 40 lines of production spread over two locations that are about three miles apart. The largest challenge we’ve faced over the years is how to bring much-needed data to a point where it can be collected. We have used a foot-soldier approach for years, and, while this works for the most part, the data is at best 24 hours old before we get a chance to respond to it.

Real-time data provides for the best solution, but how do we go about connecting equipment that is 40 years old? In the age of IIoT and big data, the dilemma facing my company might seem rather easy to fix. You might just tell me to put everything on a network. Well, that might be easy to say, but it isn’t easy to execute.

The first issue we faced was the fact that there wasn’t a network to connect to. Let’s face it, a 75-year-old company still functioning in the same location, with a few expansions over the years, just didn’t have Ethernet on its mind when it laid down the foundation. Taking a walk through our various building segments, the task before us became more and more daunting. We started out wanting to put an X on the drawing to mark where our new network connections would be and quickly got the picture that an X wouldn’t tell the whole story.


The past 75 years might tell an amazing story of pride and craftsmanship and diligence, but a glance along the hallowed halls told another story. This one reveals good intent laid over good intent until the result is a spider web of challenges as we drag ourselves into the Information Age—power conduits going this way and that, air and vacuum supply lines laid over that web, sprinkler systems carefully woven over the base elements. The result is very busy ceiling spaces and walls through which the cables of connectivity must travel.

Overwhelmed at first, we decided to approach this just as we did the addition of air lines, vacuum lines and the fire suppression system. We simply put the X on the ceiling or wall and let our contractors figure out how to get the pipes from one X to another. Two fast weeks later, the pipes are up, and the wiring pulls have begun. It makes one wonder why we saw this as an obstacle for so long.

The next challenge we faced was how to make 40-year-old production equipment talk to us. Some of these machines still run on relay logic. With no controller of any sort, we needed to find another way to count machine cycles. The answer came in the form of the mini-PLC that I mentioned in "Mini PLCs—more than just a smart relay."

Now that each of our production lines has an Ethernet connection, why not just connect a relatively inexpensive controller to that network and convert the machine cycles into pulses that the PLC can count? We can find a heartbeat on pretty much anything on the production floor.

A vertical bagger cycles the jaws to seal one bag before cutting it off to form the next bag. The same goes for a horizontal pouching machine. The machine passes through a machine home position each time a pouch is filled. Each of these events is a product being made. Various equipment along the line will process or condition these products before passing them through a weigh station or metal detector or both and finally bringing the successful results to a packing station. A photoeye on the end of the case sealer will count each end product as it leaves the line.

Without a major overhaul of our beloved machines, we have come up with a way to collect data from each of our 40 production lines. We have the coveted data elements that, when combined with expected production rates, make up overall equipment effectiveness (OEE). No longer a buzzword, OEE reporting is actually going to happen.
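As an added example of the counting-and-OEE pipeline described above (not code from the article, from the author's plant or from any PLC vendor), the following script takes a constructed log of discrete-input transitions as a mini-PLC might forward them: a `cycle` contact that closes once per machine cycle and a `case` photoeye at the end of the case sealer. It debounces the relay contact, infers stops from gaps in the heartbeat, and combines the counts with an assumed expected rate, planned time and units-per-case figure to produce availability, performance, quality and OEE. All of those values, and the function names, are assumptions chosen for the example.

```python
"""Machine-cycle counting and OEE from a mini-PLC's discrete inputs.

Added example; not code from the article, the author's plant or any PLC
vendor. The input log, planned time, expected rate, units per case and the
stop threshold are all constructed/assumed values.
"""
from dataclasses import dataclass

UNITS_PER_CASE = 20       # assumption: one case holds 20 finished units
IDEAL_CYCLE_S = 1.0       # assumption: expected rate is 60 cycles per minute
PLANNED_S = 600.0         # assumption: a ten-minute planned run


def build_sample_events():
    """Constructed sample log of (timestamp_ms, input_name, level).

    Level 1 = contact closed / beam blocked. 300 cycles at the ideal rate,
    a two-minute stop, then 144 cycles running 25 % slow, plus two
    few-millisecond bounces on the relay contact and 21 case-sealer pulses.
    """
    events = []
    for i in range(300):                      # 1 s cycles: rises at 1000, 2000, ...
        rise = 1000 * (i + 1)
        events += [(rise, "cycle", 1), (rise + 100, "cycle", 0)]
    for i in range(144):                      # slow run after the stop, 1.25 s cycles
        rise = 421_000 + 1250 * i
        events += [(rise, "cycle", 1), (rise + 100, "cycle", 0)]
    # Contact bounce right after two real pulses: a 4 ms and a 3 ms blip.
    events += [(5103, "cycle", 1), (5107, "cycle", 0),
               (250_103, "cycle", 1), (250_106, "cycle", 0)]
    for k in range(1, 22):                    # 21 cases leave the case sealer
        rise = 25_000 * k + 500
        events += [(rise, "case", 1), (rise + 300, "case", 0)]
    return events


def accepted_pulses(events, name, min_width_ms=20):
    """Rise timestamps (ms) of pulses on `name` that stayed high for at least
    min_width_ms. Shorter pulses are treated as relay bounce and dropped."""
    rises, high_since = [], None
    for t, _inp, level in sorted(e for e in events if e[1] == name):
        if level == 1 and high_since is None:
            high_since = t
        elif level == 0 and high_since is not None:
            if t - high_since >= min_width_ms:
                rises.append(high_since)
            high_since = None
    return rises


def stopped_seconds(rises_ms, planned_ms, stop_threshold_ms):
    """Downtime inferred from the heartbeat: any gap between consecutive
    cycles (or between a shift boundary and the first/last cycle) longer
    than stop_threshold_ms counts as a stop of that length."""
    points = [0] + sorted(rises_ms) + [planned_ms]
    gaps = [b - a for a, b in zip(points, points[1:])]
    return sum(g for g in gaps if g > stop_threshold_ms) / 1000.0


@dataclass
class OEE:
    availability: float   # run time / planned time
    performance: float    # ideal cycle time * total count / run time
    quality: float        # good count / total count

    @property
    def oee(self):
        return self.availability * self.performance * self.quality


def compute_oee(cycle_rises_ms, good_units, planned_s, ideal_cycle_s,
                stop_threshold_s=10.0):
    """Standard OEE = availability * performance * quality."""
    total = len(cycle_rises_ms)
    downtime_s = stopped_seconds(cycle_rises_ms, int(planned_s * 1000),
                                 stop_threshold_s * 1000)
    run_s = planned_s - downtime_s
    availability = run_s / planned_s
    performance = (ideal_cycle_s * total / run_s) if run_s else 0.0
    quality = (good_units / total) if total else 0.0
    return OEE(availability, performance, quality)


def sample_oee():
    """Run the whole pipeline on the constructed log."""
    events = build_sample_events()
    cycles = accepted_pulses(events, "cycle")
    cases = accepted_pulses(events, "case")
    return compute_oee(cycles, len(cases) * UNITS_PER_CASE, PLANNED_S, IDEAL_CYCLE_S)


if __name__ == "__main__":
    r = sample_oee()
    print(f"A={r.availability:.3f} P={r.performance:.3f} "
          f"Q={r.quality:.3f} OEE={r.oee:.3f}")
```

The debounce uses minimum pulse width rather than a fixed lockout after each edge, so a genuine short cycle is still counted as long as the contact stays closed longer than the bounce. The stop threshold is what turns a raw heartbeat into availability; set it well above the slowest legitimate cycle so that a momentary hesitation is not booked as downtime.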

As enterprising as our solution has been, an interesting side effect has been to broach a topic that has been around for years—how to separate production machines from the risks of cyber-attacks. The big challenge faced by the melding of production data with plant networks has been the concern over hackers getting not only into your valuable enterprise systems but down into the very machines that produce the products.

While a big worry, a hacked ERP system isn’t nearly as damaging as having your production machines stop producing. No cases mean no profits. It doesn’t take much math to figure out the impact on the bottom line if you can’t make products.

During the planning for our new data collection system, we made an early statement that we were well on the path to collection in our one location because we had installed a network infrastructure at the same time as we installed some new production lines. While we didn’t have an immediate need to connect to all the lines in that location, having the infrastructure in place gave us a warm fuzzy feeling that we were ready for the day when data collection would be on the front burner.

Some simple network-address-translation (NAT) assignments in a managed switch will put the key PLC on each line on our network, and there we go. Well, to be honest, this started the sleepless nights. What happens if someone gets through our firewall and hacks into this new data collection system?

By having our production machines on this same network, only one mapped address away from the plant network, we may be exposing ourselves to the possibility of production cessation due to cyber-attack.

Network gurus suggest a multi-layered approach to networking where a security layer called a demilitarized zone (DMZ) sits between the plant-floor network and the enterprise network. Data is passed from one network to another through this DMZ to keep sensitive equipment safely away from the potential hack or virus.
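To make the "one mapped address away" concern concrete, here is an added example (not code from the article, the author's plant or any switch or firewall vendor) that evaluates two constructed rule sets the way a firewall would, first match wins with an implicit deny at the end: a flat design where the enterprise network is allowed into the plant network wholesale and the NAT-mapped line PLC sits in that range, and a layered design where the enterprise only reaches a data-collection server in the DMZ and only that server may poll the PLCs. The zone ranges, addresses and port numbers are assumptions for the example; 502 (Modbus/TCP) and 44818 (EtherNet/IP) are real registered ports.

```python
"""Where is the line PLC reachable from? Flat NAT design vs. DMZ design.

Added example; not code from the article, the author's plant or any switch
or firewall vendor. Zones, addresses and rule sets are constructed for the
example. Rules are evaluated first-match-wins with an implicit default deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed zones. The line PLC keeps a private address on its own machine
# network; the managed switch's NAT maps it to PLC_MAPPED on the plant
# network, which is the address every rule below sees.
ENTERPRISE = "10.10.0.0/16"
PLANT = "10.20.0.0/16"
DMZ = "10.30.0.0/24"
PLC_MAPPED = "10.20.7.10"     # assumption: line 7's PLC after 1:1 NAT
COLLECTOR = "10.30.0.5"       # assumption: data-collection server in the DMZ
ERP_HOST = "10.10.5.20"       # assumption: an enterprise workstation


@dataclass(frozen=True)
class Rule:
    action: str                               # "allow" or "deny"
    src: str                                  # CIDR or single address
    dst: str
    dports: Optional[FrozenSet[int]] = None   # None = any destination port


def evaluate(rules, src_ip, dst_ip, dport):
    """First matching rule decides; nothing matching means deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src, strict=False)
                and d in ipaddress.ip_network(r.dst, strict=False)
                and (r.dports is None or dport in r.dports)):
            return r.action
    return "deny"


# Weak setting: reporting tools on the enterprise side are let into the whole
# plant range. The NAT-mapped PLC lives in that range, so it is reachable too.
FLAT_RULES = [
    Rule("allow", ENTERPRISE, PLANT),
    Rule("allow", COLLECTOR, PLANT, frozenset({502, 44818})),
]

# Layered setting: enterprise talks only to the collector, over one port; only
# the collector may speak the plant protocols; no other path crosses the DMZ.
DMZ_RULES = [
    Rule("allow", ENTERPRISE, COLLECTOR, frozenset({443})),
    Rule("allow", COLLECTOR, PLANT, frozenset({502, 44818})),
    Rule("deny", ENTERPRISE, PLANT),
    Rule("deny", PLANT, ENTERPRISE),
]


def plc_exposure(rules, probe_ports=(502, 44818, 443)):
    """Ports on which an enterprise host can reach the PLC under `rules`."""
    return {p for p in probe_ports
            if evaluate(rules, ERP_HOST, PLC_MAPPED, p) == "allow"}


def check_design(rules):
    """The flows a plant engineer wants to see for a candidate rule set."""
    return {
        "erp->plc:502": evaluate(rules, ERP_HOST, PLC_MAPPED, 502),
        "erp->plc:44818": evaluate(rules, ERP_HOST, PLC_MAPPED, 44818),
        "erp->collector:443": evaluate(rules, ERP_HOST, COLLECTOR, 443),
        "collector->plc:502": evaluate(rules, COLLECTOR, PLC_MAPPED, 502),
    }


if __name__ == "__main__":
    for label, rules in (("flat", FLAT_RULES), ("dmz", DMZ_RULES)):
        print(label, "PLC ports open to enterprise:", sorted(plc_exposure(rules)))
        for flow, verdict in check_design(rules).items():
            print(f"  {flow:<20} {verdict}")
```

The point the check makes is that NAT is addressing, not access control: once the PLC has a mapped address on the plant network, any rule that admits the enterprise into that network admits it to the PLC as well. In the layered set the collector in the DMZ is the only host that may talk the plant protocols, so the enterprise-to-PLC flows come back denied while data collection still works.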


Some vendors support the use of data diodes where, as the name suggests, data can only pass in one direction. Still other vendors utilize certificate-based network identity and segmentation, while more vendors offer products that are specifically designed as security appliances. All of these are great ways to defend the plant floor from inappropriate or uninvited access.

Digging into all of the current technology available to defend the vulnerable production equipment revealed a happy circumstance that originated from our solution to making 40-year-old equipment produce production data. Since we didn’t have machine-level processors that could communicate on our network, we resorted to a mini-PLC to monitor mechanical heartbeats via a relay or photo sensor. Embedded in that simple solution was the optimal way to isolate the production equipment from the risk of cyber-based attacks. The production equipment isn’t connected to the network at all.

Sure, a cyber-attack might take down our data collection system or expose stored data to corruption, but, if our production equipment isn’t actually connected to a network, then we could be happily producing more widgets while the IT folks are frantically leaping around trying to close the barn door.


We get to sell our products; our client pays us for the product; and we get to pay our people and keep the lights on. The above scenario is called an air gap. It is an older concept that has given way to the newer technologies, but maybe it isn’t such a bad idea after all. The technique involves creating a network that is physically separated—thus the air gap—from any other networks.

So, our data collection journey has created a quandary. Do we make up some more mini-PLC boxes and deploy them in our modern production area, or do we take a leap of faith that our plant network layers will be enough to protect us from intentional probing by outside entities?

The jury is out. Our plunge into data collection was greeted with great enthusiasm and much patting of backs as we dragged ourselves into modern times and embraced technology. And here we are, just weeks later, second-guessing our leap.

Whatever course we ultimately take, the leap has been exciting, and we’re eagerly anticipating the fruits of our collective labors.