
Smart connectivity includes cybersecurity

Oct. 2, 2017
Mazak offers a launch platform for secure participation in the IIoT

Global interconnectivity and the collection, sharing and analysis of big data comprise the foundation of all business of the future. In manufacturing, the Industrial Internet of Things (IIoT) and Industry 4.0 focus on data that reflect what happens on the factory floor.

Most discussions of the IIoT closely examine how manipulation of detailed manufacturing data offers great opportunities for productivity- and profitability-boosting initiatives including cloud-based data sharing, comprehensive analytics and highly accurate measures of overall equipment effectiveness (OEE).

Amid the enthusiasm for finding new ways to use the data, basic functional considerations are often set aside: namely, the need to develop consistent, reliable and secure ways to connect machines and other shop floor devices to larger networks and to communicate data to a wide selection of users.

The basis for success in IIoT is the capability to share and analyze data across all disciplines in a company. The goal is to bring the data to the offices and servers where the information can best support decision making. However, if that means that the shop floor is linked to a company’s overall IT network, it is essential that the equipment be protected from corruption by malware or cyber espionage.

Opportunities for cybersecurity breaches are wide, varied and continuously growing. The traditional “sneakernet” transfer of data by physically carrying a machining program on a USB drive from an engineering office to a machine creates the possibility of accidental loss of intellectual property or of corruption by malware and viruses. Probably 70% of the time the spread of a computer virus is not malicious. A virus lands on a USB drive by accident through a laptop, and then a production machine becomes infected when the drive is used to load a program.

Other risks can come from outside vendors, such as automation integrators who put a cellular input/output device on a machine to monitor performance of the installation. The device could become a back door into the company network.

Some shops continue the 1999-era practice of simply sharing a folder on a controller and dropping a file, or they move unencrypted files via the traditional FTP method. An upcoming threat stems from the commoditization of machine-tool time. Users will be able to buy machine-tool time online to produce a run of parts, and the links to the world outside the shop can put network security in jeopardy.

Cybersecurity practices typically employ a layered approach: A network is housed inside a network, which itself is housed in another network, and typically data does not flow between the layers. The aim is to stop intruders in one layer from moving to the next.

IT departments often “sandbox” the factory floor in its own virtual local area network (VLAN) to separate it from a corporation’s global network and the cloud. A key reason for such strict security is that shop floor equipment typically features legacy operating systems, such as Windows 95 and Windows 2000, that are highly vulnerable to viruses.
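The layered model above (a machine VLAN inside the plant network, inside the corporate network, with data normally not crossing layers) can be checked against connection logs. The following is an added example, not Mazak or Cisco code; the zone subnets, the log line format, the single permitted cross-layer flow (a plant-level collector reading the MTConnect agent on an assumed port 5000) and the sample log lines are all constructed for illustration.

```python
"""Audit connection-log lines against a layered (VLAN-sandboxed) shop-floor policy.

Added example, not Mazak/Cisco code. Zones, subnets, log format and the one
permitted cross-layer flow are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Constructed zones: the machine VLAN sits inside the plant network, which sits
# inside the corporate (office) network. Not a real site's addressing.
ZONES = {
    "machine": ipaddress.ip_network("10.10.0.0/24"),
    "plant": ipaddress.ip_network("10.20.0.0/24"),
    "office": ipaddress.ip_network("10.30.0.0/24"),
}

# Allowed cross-layer flows: (src_zone, dst_zone, dst_port, proto).
# Only the plant-level data collector may read the agent inside the machine zone.
ALLOW = {
    ("plant", "machine", 5000, "tcp"),  # HTTP GET to the MTConnect agent (assumed port)
}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(ip: str) -> str:
    """Map an address to its layer; anything outside the known zones is external."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def parse_line(line: str) -> Flow:
    # Constructed log format: "<ts> <src>:<sport> -> <dst>:<dport> <proto>"
    _ts, src, _arrow, dst, proto = line.split()
    src_ip, _sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(src_ip, dst_ip, int(dport), proto.lower())


def evaluate(flow: Flow) -> str:
    """Intra-zone traffic passes; cross-layer traffic must match an explicit allow entry."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return "allow-intra-zone"
    if (src_zone, dst_zone, flow.dport, flow.proto) in ALLOW:
        return "allow"
    return f"deny-cross-layer:{src_zone}->{dst_zone}"


def audit(lines):
    """Return (line, verdict) pairs; denied lines are the ones worth an alert."""
    return [(line, evaluate(parse_line(line))) for line in lines]


# Constructed sample log: one legitimate read, two layer violations, one local flow.
SAMPLE_LOG = [
    "2017-10-02T08:00:01 10.20.0.5:51000 -> 10.10.0.7:5000 tcp",  # collector reads agent
    "2017-10-02T08:00:02 10.10.0.7:40000 -> 10.30.0.9:445 tcp",  # machine to office share
    "2017-10-02T08:00:03 10.10.0.7:40001 -> 203.0.113.5:443 tcp",  # machine to the internet
    "2017-10-02T08:00:04 10.10.0.7:40002 -> 10.10.0.8:502 tcp",  # machine to robot, same VLAN
]

if __name__ == "__main__":
    for line, verdict in audit(SAMPLE_LOG):
        print(f"{verdict:32} | {line}")
```

The point of the allow-list shape is that a machine infected via USB (as the article describes) cannot open new paths to the office or the internet: any flow not already enumerated is a violation to investigate, not something to be permitted by default.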

But what about protection for the individual pieces of equipment? Some factories, for instance, reported having to replace machine-controller hard drives due to ransomware that propagated across devices.

Rigid security is an undeniable requirement. However, in the age of IIoT wide access to timely manufacturing data is essential for global competitiveness. The data are critical not only at the shop or plant network levels, but also at the management office level and often the cloud.

Two key requirements of cybersecurity are establishing connectivity and implementing ways to standardize and transport data. Connectivity means getting every machine and device on the shop floor connected to an Ethernet network. That includes computer numerically controlled (CNC) machine tools, as well as legacy noncomputerized machines, in addition to hardware as diverse as grinders, press brakes and paint booths.

The requirement to standardize and securely transport data involves MTConnect standardized communications protocol. Designed for the exchange of data on the manufacturing shop floor, MTConnect provides an industry-oriented data dictionary and vocabulary that standardizes transfer of data across all devices, enabling the data to be read and understood by any piece of software.

To use MTConnect, machine OEMs write software that sends data to an MTConnect agent, a Web service that holds the data in a buffer. An MTConnect agent can serve multiple clients at the same time; client apps request the current data from the agent with Hypertext Transfer Protocol (HTTP) requests.

MTConnect is read-only. So, it is functionally unable to forcibly send data to the machine tool or alter parameters that could cause the machine to crash or otherwise malfunction. The read-only status is crucial for machine and process safety as it prevents erroneous data from interfering with manufacturing operations. When communication between two shop floor devices, such as a machine tool and robot, is desired, client software loaded on the equipment enables the devices to read each other’s actions and interact using MTConnect.

MTConnect is a data model that can standardize the data formatting when used in conjunction with well-established transport protocols that require user-defined data tags.
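To make the agent/client relationship concrete, here is an added example (not MTConnect Institute or Mazak code) of what a read-only client does with the agent's response: it parses the MTConnectStreams document returned for a current request, keeps the newest observation per data item, and prepares the follow-up sample request from the header's nextSequence. The XML is a constructed response modelled on the MTConnectStreams format; the device name, data item ids, values and the agent URL are made up.

```python
"""Parse an MTConnect agent's /current response and prepare the next /sample request.

Added example, not MTConnect Institute or Mazak code. SAMPLE_CURRENT is a
constructed document in the MTConnectStreams shape; ids and values are invented.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAMPLE_CURRENT = """<?xml version="1.0" encoding="UTF-8"?>
<MTConnectStreams xmlns="urn:mtconnect.org:MTConnectStreams:1.3">
  <Header creationTime="2017-10-02T08:00:00Z" sender="smartbox-agent" instanceId="1506931200"
          version="1.3.0.0" bufferSize="131072" firstSequence="1" lastSequence="4200"
          nextSequence="4201"/>
  <Streams>
    <DeviceStream name="VMC-3Axis" uuid="constructed-uuid-0001">
      <ComponentStream component="Controller" name="controller" componentId="cont1">
        <Events>
          <Availability dataItemId="avail" timestamp="2017-10-02T07:59:58Z" sequence="4198">AVAILABLE</Availability>
          <Execution dataItemId="execution" timestamp="2017-10-02T07:59:59Z" sequence="4199">ACTIVE</Execution>
        </Events>
        <Condition>
          <Normal dataItemId="system_cond" timestamp="2017-10-02T07:59:50Z" sequence="4150" type="SYSTEM"/>
        </Condition>
      </ComponentStream>
      <ComponentStream component="Rotary" name="C" componentId="c1">
        <Samples>
          <RotaryVelocity dataItemId="Srpm" timestamp="2017-10-02T08:00:00Z" sequence="4200" subType="ACTUAL">1200</RotaryVelocity>
        </Samples>
      </ComponentStream>
    </DeviceStream>
  </Streams>
</MTConnectStreams>
"""


@dataclass
class Observation:
    device: str
    component: str
    category: str       # Events, Samples or Condition
    kind: str           # element name, e.g. Execution or RotaryVelocity
    data_item_id: str
    sequence: int
    timestamp: str
    value: str          # element text, or the condition state for Condition items


def _local(tag: str) -> str:
    """Strip the XML namespace so tags can be compared by local name."""
    return tag.rsplit("}", 1)[-1]


def parse_streams(xml_text: str):
    """Return (header attributes, list of Observation) from an MTConnectStreams document."""
    root = ET.fromstring(xml_text)
    header = next(el for el in root if _local(el.tag) == "Header").attrib
    observations = []
    for dev in root.iter():
        if _local(dev.tag) != "DeviceStream":
            continue
        for comp in dev:
            if _local(comp.tag) != "ComponentStream":
                continue
            for group in comp:  # Events / Samples / Condition
                for item in group:
                    text = (item.text or "").strip()
                    # Condition children (Normal/Warning/Fault) carry the state in the tag name.
                    value = text if text else _local(item.tag)
                    observations.append(Observation(
                        dev.get("name"), comp.get("component"), _local(group.tag),
                        _local(item.tag), item.get("dataItemId"),
                        int(item.get("sequence")), item.get("timestamp"), value))
    return header, observations


def latest_values(observations):
    """Newest observation per dataItemId, decided by sequence number."""
    latest = {}
    for o in observations:
        prev = latest.get(o.data_item_id)
        if prev is None or o.sequence > prev.sequence:
            latest[o.data_item_id] = o
    return latest


def next_sample_url(base_url: str, header: dict, count: int = 100) -> str:
    """Follow the stream with another GET: sequences from nextSequence onwards."""
    return f"{base_url}/sample?from={header['nextSequence']}&count={count}"


def buffer_reset(previous_instance_id, header: dict) -> bool:
    """A changed instanceId means the agent restarted; old sequence numbers no longer apply."""
    return previous_instance_id is not None and previous_instance_id != header["instanceId"]


if __name__ == "__main__":
    hdr, obs = parse_streams(SAMPLE_CURRENT)
    for item_id, o in latest_values(obs).items():
        print(f"{o.device}/{o.component} {o.kind} {item_id} = {o.value} @ {o.timestamp}")
    print(next_sample_url("http://smartbox.example:5000", hdr))  # assumed agent address
```

Everything the client does here is a GET followed by parsing; there is no request in the exchange that pushes a value toward the controller, which is the read-only property the article relies on. The instanceId check matters for a collector that runs unattended: after an agent restart the buffer starts over, and a client that keeps polling with its old sequence number silently reads the wrong window of data.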

Our solution to the issues involved with connectivity, communication and cybersecurity is the SmartBox, a launch platform for secure participation in the IIoT. Engineered in collaboration with Cisco, its basic capability is to isolate the machine with a VLAN, while still enabling connection with clients off the shop floor (Figure 1).

Secure connections

Figure 1: The SmartBox, a launch platform for secure participation in the IIoT, was engineered in collaboration with Cisco to isolate the machine with a VLAN, while still enabling connection with clients off the shop floor.

The device protects other levels of security from the machine, but it also protects the machine from intrusion by outside sources, including other machines. Other machines are protected, as well; if an infection is introduced in the host machine via a USB drive, for example, it is unlikely that the infection will spread to other areas. Advanced options from Cisco allow even higher levels of control.

SmartBox technology was developed to provide cybersecurity; act as a communications hub for one or more machines and devices; provide an open flow of communication via MTConnect to enterprise systems and the cloud; and represent a flexible, expandable platform that can take advantage of future advances in machine and data technology.

The central element of the SmartBox is a Layer 3 managed switch developed by Cisco for industrial applications. As a managed switch, it becomes part of the IT department network, and IT can connect to it and manage it via Cisco Fog Director software. The software enables IT to see the SmartBox on its network, control access to it, install or remove applications and know which boxes need software updates and other services. It also enables an IT department to add features, such as audit functions and the ability to perform deep scanning of the data packets for viruses, worms and other abnormalities.

Some suppliers of machine-monitoring software provide a black box that mounts at the machine and outputs data. It is a simple patch that gets the machine connected but cannot connect out of lower levels of security and may leave the user vulnerable to security breaches. The SmartBox is scalable; no matter how many units a facility or corporation operates, the IT department can manage them in an integrated way from a central location. It contains a Linux PC running an MTConnect agent. The box can hold up to 10 agents, and microservices can be written to supply data for enterprise integration, databases, display dashboards or utilization calculations. Other use cases can involve OEE/utilization, part quality evaluation and sensor data regarding machine conditions that facilitate preemptive diagnostics and maintenance activities.

Preemptive diagnostics are examples of applications that utilize high-frequency sampling of data. Such applications create heavy data flow that can interfere with the operation of the larger network. Due to the nature of the SmartBox networking, this high-frequency data can be isolated in a way that allows the user to analyze it locally. This is described as edge computing, or fog computing, contrasting the cloud on a high level with the fog down at the level of the machine.

An essential cybersecurity-related microservice is secure file transfer (SFT). If a defense contractor wants to send confidential information such as a machining program to the shop floor, an engineer can use SFT to transfer that piece of intellectual property from the design office to the machine over the network: encrypted, securely and automatically. This eliminates the dangers associated with walking to the shop floor with a USB memory drive or emailing a piece of data that can be hacked or stolen off the servers.
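One property a practitioner wants from such a transfer is that the machine accepts a program only when its contents and origin check out, so a file altered in transit or substituted for another does not reach the controller. The following is an added example of that receiving-side check; it is not Mazak's SFT microservice and says nothing about how SFT actually works. It assumes the office and the machine share a secret key provisioned out of band (a constructed value here) and that the program travels with a small manifest; the transport encryption the article mentions is outside this snippet.

```python
"""Verify a machining program's integrity and origin before a controller accepts it.

Added example, not Mazak's SFT microservice. Assumes a shared key provisioned
out of band (constructed below) and a manifest that travels with the program.
"""
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-demo-key-do-not-reuse"  # assumption: provisioned out of band

# Constructed NC program standing in for a contractor's part program.
PROGRAM = b"%\nO1000 (CONSTRUCTED DEMO PART)\nG21 G90\nG0 X0 Y0\nM30\n%\n"


def make_manifest(name: str, data: bytes, key: bytes) -> dict:
    """Office side: describe the file and bind name, size and hash under the shared key."""
    digest = hashlib.sha256(data).hexdigest()
    msg = f"{name}|{len(data)}|{digest}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"name": name, "size": len(data), "sha256": digest, "tag": tag}


def verify_manifest(manifest: dict, data: bytes, key: bytes) -> bool:
    """Machine side: every field must match, and comparisons are constant-time."""
    if len(data) != manifest["size"]:
        return False
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        return False
    msg = f"{manifest['name']}|{manifest['size']}|{digest}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["tag"])


def receive_program(manifest_json: str, data: bytes, key: bytes):
    """Accept a verified program as (name, bytes); return None to reject it.

    A None result means the file must not be written to the controller's program store.
    """
    manifest = json.loads(manifest_json)
    if not verify_manifest(manifest, data, key):
        return None
    return manifest["name"], data


if __name__ == "__main__":
    manifest = make_manifest("O1000.nc", PROGRAM, SHARED_KEY)
    print("genuine accepted:", receive_program(json.dumps(manifest), PROGRAM, SHARED_KEY) is not None)
    # Same length, one word changed (mm to inch units): the size check passes, the hash does not.
    tampered = PROGRAM.replace(b"G21", b"G20")
    print("tampered accepted:", receive_program(json.dumps(manifest), tampered, SHARED_KEY) is not None)
```

The manifest tag covers the file name as well as the hash, so a genuine manifest cannot be reused to smuggle a different program under a different name, and a sender without the key cannot produce a tag the machine will accept. The tampered case is deliberately the same length as the original to show why a size check alone is not enough.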

SFT can also help manufacturers with defense-acquisitions-regulations-system (DFARS) compliance. DFARS is a Department of Defense (DoD) regulation regarding unclassified on-premise technical information that must be managed and protected from theft. By the end of 2017 all DoD facilities are required to be DFARS-compliant. SFT helps to facilitate DFARS by ensuring that movement of technical information is secure.

The use cases of today may be very different than those of tomorrow. The SmartBox system offers the ability to add microservices, computing capability and additional sensors—configure them and distribute the data. Adaptability is essential because the nature of new technology is unknown.

To handle new use cases, it’s critical for manufacturers to use systems that employ new ways of thinking about networking and cybersecurity and not merely rearrange and repurpose present solutions. Instead of simply thinking outside the box, manufacturers should seek an altogether new box that will enable them to maximize productivity and competitiveness in the IIoT-driven future world of manufacturing.

About the author
Neil Desrosiers is application engineer/developer/MTConnect specialist at Mazak in Florence, Kentucky. Contact him at [email protected].