Converging plant and enterprise networks into an integrated architecture is rapidly gaining ground in industry as a means of uniting multiple control disciplines into a single cohesive plant-wide system. However, the use of ethernet to facilitate integration may expose the company to an increased level of risk. Gordon Bartlett, Architecture & Software Business Manager South Pacific for Rockwell Automation, discusses the current approach to integrated architecture security.
Industry is rapidly seeing the benefits of integrating the many facets of process and enterprise functions into a unified system. In the past, individual processes across the plant floor used proprietary or separate networks, isolated from enterprise business applications, which often led to the doubling up of information and resources. The aim of an integrated system is to merge the multiple disciplines of process and automation (continuous process, batch, discrete, drives, safety and motion) into a single, streamlined network that can be centrally administered in conjunction with the business network. The advantage of an integrated architecture for many companies is shown through increased productivity as assets are better utilised and information is accessible in real time.
Transparency through standardised information presentation also allows monitoring of resource usage, helping to keep energy consumption and emissions consistent with business KPIs and commitments to sustainability.
The uniformity introduced by an integrated architecture allows additional processing devices to be added with relative ease. Scalability of the system is now manageable and development time for new hardware or processes is reduced, so that businesses now have a degree of flexibility not previously available with disparate system configurations.
Networks and security
The key to successfully integrating the architecture is in the underlying network. The deployment of ethernet is being taken up at a rapid rate due, in part, to its familiarity and usage at the enterprise level. Many companies are using standardised unmodified ethernet as the basis for this architecture, and the use of open protocols makes complex automation control integration easier as fewer steps are required to connect devices and applications.
It is recognised that enterprise networks provide a door to the outside world via the internet and, as such, expose the company to a greater risk of intrusions from viruses and malware. Connecting the plant floor through the same network can now potentially make the entire company vulnerable to the same threats.
The application of security procedures is designed to minimise the risk of malicious external attack, but unintentional security issues from within the company should also be addressed when considering security. Breaches are typically the result of a lack of attention to standard operating procedures, poor training or accidents, and these account for the majority of problems encountered.
Locking the door to the server room is not sufficient if network access is available from any computer via a default password. Equally, changing the recipe for the company’s bestselling product should not be possible via the computer at reception. Solutions such as locking doors on network infrastructure cabinets, maintaining software updates and backups, and restricting access, both physically and electronically, are simple measures that should be addressed by standard operating procedures.
In recent years, there have been several high-profile incidents, such as the security breach recently experienced by Sony in regard to credit card privacy via the PlayStation platform. The company has certainly suffered as a result of the breach. Additionally, the recent discovery of malware that specifically targets industrial control systems has brought industrial security to the forefront in manufacturing. As a result, there is growing recognition of new risks and real-world threats that are capable of disrupting control system operation and adversely affecting safety, productivity and the ability to adequately help protect assets, machinery and information alike.
The potential for disastrous outcomes from malicious attacks has prompted some government agencies in the USA, for example, to take a more proactive approach to security and managing risk, and to identify critical infrastructure industries in the USA that pose a heightened risk to the public if under attack. The emerging industrial security standards from the International Society of Automation (ISA-99), the National Institute of Standards and Technology (NIST 800-82) and the Department of Homeland Security (INL/EXT-06-11478) all recommend two principal strategies to cover the many facets of security for plant and enterprise: defence-in-depth and DMZ deployment (structuring the network into manageable levels and zones).
Often described as the ‘onion model’ due to its schematic representation, defence-in-depth strategies break down the various aspects of security into five core layers.
The outer skin represents physical security and deals with tangible aspects such as limiting entry to server rooms to authorised personnel, locking control panels and cabling, and the tracking and escorting of visitors.
Firewalls, secure switches and routers form the backbone of the second layer - network security. It is here the underlying infrastructure framework is protected with intrusion detection and prevention techniques.
Many security measures fail due to mismanagement of software updates, including antivirus applications, particularly at remote sites. For instance, head office has the latest updates for enterprise applications while the offsite office is still running a version that has been superseded. The risk in this scenario is that the improved security features that are available in the most recent upgrade are not applied elsewhere, but both are still connected via the same network infrastructure, creating potential ‘holes’ in the security blanket. It is here - computer hardening - that the third layer of the onion model takes effect. This strategy can help ensure that all sites are running the same versions, that they have been fully tested prior to implementation, and unused or redundant applications, protocols and services are removed.
The fourth layer, application security, provides authentication, authorisation and audit software, restricting users according to their access level and training. Many industries that rely on batch and ingredient control need to provide a method of recording activity around a process, such as who changed the ingredients, when it occurred and who authorised the change. These records need to be logged and regularly audited, which can help ensure that no breaches are made - intentional or otherwise.
The most internal layer of defence-in-depth deals with device hardening - protecting the actual controllers, drives, motors, valves and other automation and control devices from intrusion and security breaches, and applying change management and disaster recovery procedures.
Zoning the network
The defence-in-depth strategy gives a systematic approach to security from one end of the business to the other, but does not provide a comprehensive framework for protecting the information flow throughout the network. The ISA-99 approach establishes a Manufacturing Network Security Framework, allowing the overall plant and enterprise network to be broken into levels and ‘zones’. Each ‘zone’ is defined as an aggregation of resources with similar processes, access requirements, risk points and security strategies. For example, enterprise functions such as email, intranet, planning and logistics are grouped into the ‘Enterprise Zone’. The manufacturing zone will contain the plant-floor operational hardware and software such as production control, process history and other decision-making tools for production. The final zone, the ‘Cell Zone’ is a subset of the manufacturing zone and contains operator interfaces, batch and discrete controllers, sensors, drives, actuators and robotics.
A fourth and crucial zone exists between the Enterprise Zone and Manufacturing Zone, known as the demilitarised zone (DMZ). Acting as a buffer zone between enterprise and plant, it enforces security strategies on information passing between the two networks. Information cannot communicate directly between enterprise and plant and must terminate or originate in the DMZ. A key component to facilitate the effectiveness of the DMZ is a firewall on each side.
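The zoning rule above can be checked mechanically. The following is an added example, not from the article or from any Rockwell Automation or Cisco product: it assigns hosts to zones from constructed sample subnets, enforces the rule that enterprise and plant hosts never talk directly and that every cross-zone flow originates or terminates in the DMZ, and names which of the two firewalls should mediate each permitted flow. All addresses and flows are constructed for illustration.

```python
"""Zone/DMZ flow policy check for the ISA-99 style levels-and-zones model (added example)."""
import ipaddress

# Constructed zone map: one subnet per zone (assumption made for illustration).
# The cell zone is a subset of the manufacturing zone, as in the article.
ZONES = {
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),
    "dmz": ipaddress.ip_network("10.2.0.0/24"),
    "manufacturing": ipaddress.ip_network("10.3.0.0/16"),
    "cell": ipaddress.ip_network("10.3.10.0/24"),
}
PLANT_ZONES = {"manufacturing", "cell"}


def zone_of(ip):
    """Return the most specific zone containing ip, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, zone) for zone, net in ZONES.items() if addr in net]
    return max(matches)[1] if matches else "unknown"


def evaluate_flow(src, dst):
    """Apply the DMZ rule to one flow: (verdict, reason or mediating firewall)."""
    s, d = zone_of(src), zone_of(dst)
    if "unknown" in (s, d):
        return "deny", "unknown-zone"           # unmapped host: fail closed
    if s == d or (s in PLANT_ZONES and d in PLANT_ZONES):
        return "allow", "intra-zone"            # no DMZ traversal involved
    if "dmz" in (s, d):
        other = d if s == "dmz" else s
        # Each side of the DMZ has its own firewall: enterprise-side for
        # enterprise<->DMZ, plant-side for manufacturing/cell<->DMZ.
        fw = "enterprise-firewall" if other == "enterprise" else "plant-firewall"
        return "allow", fw
    return "deny", "direct-cross-zone"          # enterprise<->plant bypassing the DMZ


def audit(flows):
    """Return the (src, dst) pairs that violate the zoning rule."""
    return [(s, d) for s, d in flows if evaluate_flow(s, d)[0] == "deny"]


# Constructed sample flows, e.g. from a firewall or NetFlow export.
SAMPLE_FLOWS = [
    ("10.1.5.20", "10.2.0.10"),     # enterprise -> DMZ historian mirror: allowed
    ("10.2.0.10", "10.3.10.5"),     # DMZ -> cell controller: allowed, plant-side firewall
    ("10.1.5.20", "10.3.10.5"),     # reception PC straight to a controller: violation
    ("10.3.0.7", "10.3.10.5"),      # manufacturing -> cell: same side of the DMZ
    ("192.168.1.1", "10.2.0.10"),   # unmapped host into the DMZ: violation
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", evaluate_flow(*flow))
    print("violations:", audit(SAMPLE_FLOWS))
```

Running the block prints a verdict per flow; the two violations are the direct enterprise-to-cell flow and the flow from an unmapped host.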
Effective security strategies
As with many company-wide strategies, the success or failure will be dependent on training, monitoring, maintenance and validation. The most sophisticated security measures will not work if passwords are not regularly updated, access doors are left wedged open, USB devices are not automatically scanned for potential viruses, and software is not employed to only accept ‘known’ USB devices. Many of the security breaches that occur daily do not originate from outside sources; they are due largely to poor personnel practice and procedures. Training staff on security policies and procedures must be incorporated into the whole business infrastructure if it is to be successful.
The implementation of security measures raises some valid concerns, particularly the security of devices sourced from suppliers and validation of their operation. Ongoing collaborations between companies such as Rockwell Automation and Cisco Systems continue to develop and provide validated equipment that is compliant with the guidelines and standards developed by ISA, NIST and DHS. Implementation and maintenance strategies are therefore integrated into automation supplier products and services, whether for ethernet or some other proprietary network or protocol.
Companies must undertake risk assessments and estimate the probability of a security breach to determine the level of protection required in proportion to the critical nature of the control or process. The use of firewalls, patch management strategies, business continuity plans, intrusion detection and protection systems will need to be implemented across the plant. The level of security an individual process may require is dependent on the perceived damage a security breach may cause. Deciding what course of action should be taken in the event of a security breach will also need to be considered.
It is the responsibility of both the IT and engineering departments to ensure that all facets of the security strategy are in place and up to date. Protection of the plant, based on the perception of acceptable risk, will need to be in accordance with company policy and industry standards. Evaluation of the security system is achieved through auditing, monitoring and re-evaluation of all components, so that the whole system is adequately maintained to deal with current threats and retains the ability to respond when a threat occurs.
As automation and processing systems move away from isolated components of processing and enterprise to operate over a single plant-wide network environment, the level of risk for security breaches increases. To implement, manage and maintain a successful security system is to recognise the potential hazards, assess the risk, determine the security required and gauge the impact on business operations if a security breach occurs.
Integrating security into the overall network architecture will greatly enhance the ability to apply security measures across all facets of both plant and enterprise. Using strategies such as defence-in-depth and zoning (creating a DMZ) helps ensure not only that devices such as switches are secure, but also that management can be confident their business is meeting the standards and recommended practices required to comply with regulatory bodies.
To successfully implement a security system is to establish corporate strategies and policies so that all personnel are trained in its use and application. Maintaining and monitoring the system can help it operate with minimal impact from known security risks, both internal and external, while retaining the capability to help protect against new threats.
By Gordon Bartlett, Rockwell Automation