1663607034372 Ine11q1 Scissors

Network Security

Jan. 27, 2011
No Help for Naked Turtles - Do Not Slip Up on Security. As a Plant Manager, My First Impulse Would Be to Cut All Ties with Ethernet-based Networking and the Internet

Is there a draft in here? I've been reporting and writing about network security for a few years, but I never felt exposed, scared or ill—probably because I'm not personally responsible for a large factory-floor production line or a potentially volatile process.

However, my concern started to ramp up when I began learning about new viruses like Stuxnet that can lodge themselves and hide in PLCs and DCS-based systems, and then launch "man-in-the-middle" attacks that can damage equipment, while at the same time making it look like the network and its components are running normally. I began to get that twinge behind the knees that us parents get when they see their kids start to fall off a jungle gym on the playground.

About the Author

Jim Montague is the executive editor for Control. Email him at [email protected].

My worry only increased as I researched this issue's "Do Not Slip Up on Security" cover story (INE 2011 Quarter 1, p12) because many folks seem so uninformed about the capabilities of these viruses. For instance, there were lots of statements that Stuxnet was only focused on Iran's nuclear fuel centrifuges (mostly true), that it can only invade via USB sticks (mostly false, because it can get in through laptops and file transfers), and that Microsoft has already issued software patches (true, but more may be needed). There was little or no discussion that other viruses using similar methods are inevitably on their way.

Consequently, if I were a plant manager, I think my first impulse would be to cut all ties with Ethernet-based networking and the Internet. Business-level reporting and remote troubleshooting be damned.

Unfortunately, I'm told that plant-floor turtles no longer can pull their heads in, so to speak, and that their noggins will get stuck or lopped off if they try it. The links that enable remote monitoring and enterprising reporting are just too important because the whole lean-and-mean, just-in-time manufacturing infrastructure that has grown up in recent years depends on them. Of course, many statements that you can't sever Ethernet-based networking ties come from people who sell security systems and services, and so they have a conflict of interest, but they're probably right.

Still, in my usual search for unbiased information, I repeatedly called and emailed several branches of the U.S. government because it's supposed to have so many folks working on "cyber security." These included the U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the National Institute of Standards and Technology (NIST), Idaho National Laboratory (INL) and the non-government North American Electric Reliability Corp. (NERC). Unfortunately, though I got through to a few receptionists and people who promised to set up interviews, no one called back or communicated any advice on network security. Now, I'm sure they're all very busy with high-level security projects, but again I'm just glad I wasn't a plant manager with a disabled network.

Several other suppliers and end users reported running into the same brick wall, too. Even most of the best security practices on the ICS-CERT website are five or six years old, as if someone set up the site and then let it grow stale.

I think my situation is even more ridiculous in light of the recent Washington Post series on the huge federal security bureaucracy that grew up since 9/11, which apparently scours vast amounts of Internet traffic to generate reports that no one reads (http://projects.washingtonpost.com/top-secret-america).

So, if your slender amphibian neck is on the line and it's getting cold, what to do? Are there any security blankets out there? Well, the basic advice so far is to deter and mitigate. This means inventory your network and equipment; account for all data pathways into your application and facilities; enable and routinely update complex passwords; turn on and maintain existing antivirus software; identify and prioritize vulnerable points in your network; segment it into functional zones and subzones, perhaps using DuPont's reference model; isolate those zones with firewalls that only allow well-defined, crucial communications; don't allow the use of unchecked USB data sticks, laptops or other data storage devices in your facility; update your company's security and software patching policies, and train all employees to follow them; require plant-floor and IT staffs to cooperate on security issues; regularly back up essential data and software to an isolated setting; and have some replacement equipment and software available and ready to go in case an intrusion disables some of your devices.

Despite repeated calls and emails to DHS's ICS-CERT, NIST, INL and NERC, none called back with input on security. Lucky I wasn't a plant manager with a disabled network.

About the Author

Jim Montague | Executive Editor, Control

Jim Montague is executive editor of Control. He can be contacted at [email protected].

Sponsored Recommendations

2024 State of Technology Report: PLCs & PACs

Programmable logic controllers (PLCs) have been a popular method of machine control since the PLC was invented in the late 1960s as a replacement for relay logic. The similarly...

Power Distribution Resource Guide

When it comes to selecting the right power supply, there are many key factors and best practices to consider.

Safe Speed and Positioning with Autonomous Mobile Robots

Here are some tips for ensuring safe speed and positioning for AMRs using integrated safety technology – many of these tips also apply to automated guided vehicles (AGVs).

Faster, Accurate and Reliable Motion Control With Advanced Inductive Technology

This white paper describes new technology offering improved position measurement capabilities in reliability, speed, accuracy and more.