Protecting automation systems
against cyber threats

By : Jim Pinto,
San Diego, CA.

Today’s networked control systems often use the same hardware architectures, software and networks as corporate office and administrative networks. This means that vital production and process control systems can be exposed to the same spam, virus and security threats that corporate IT departments have been facing for years.

This article was published by:
Automation World, June 2005

Security for networked automation systems is an urgent issue, perhaps even a critical one.

In the not-so-distant past process automation systems were designed for functionality and performance not security. They typically operated in isolation from the rest of the company in an environment of implicit trust. System components were purchased as proprietary black boxes and there was very little concern for interconnectivity with other systems. So when legacy systems are included in common networks they are often the weak point in total network security.

Today’s networked control systems most often use the same hardware architectures (Intel based), software (Windows) and networks (Ethernet and TCP/IP) as corporate office and administrative networks. The use of common networks means that vital production and process control systems can be exposed to the same spam, virus and security threats that corporate IT departments have been facing for years.

It’s tempting to suggest that because they have the knowledge and experience corporate IT people should be responsible for total network security, including that of automation and control systems. But this is wrong. The problems are different and the urge to delegate responsibility is misleading. There are definite differences of goals and objectives, differences in assumptions of what needs to be protected, understanding of what “real time” performance and “continuous operation” really mean, and knowledge of how some well-intentioned software-based security solutions can interfere with real-time automation and control systems.

Beyond just common architectures, many business networks may now be connected with process networks, boasting the “sensor to boardroom” interface that Foxboro made famous. Unless significant security precautions are taken, this may open the door for hackers and viruses to enter the production and process environments.

No email, no games

Most experts agree that automation networks should be completely separated using routers and firewalls specifically designed for the applications. Users and applications should be limited to those specifically required for the process—no email, no games, no Internet browsing. Often, control room personnel need email and business applications, and budget-conscious administrators may suggest network commonality. But that’s short-sighted. It simply exposes the automation network to a plethora of problems. Parallel installation of separate networks is not a luxury – it should be mandated.

Many failures may be un-intentional (example, from installation of anti-virus software that limits real-time functionality). But malicious security breaches, and attacks from outside intruders, are rapidly growing threats for automation systems based on common architectures. Employees and ex-employees may be involved in theft, and retaliation. And there are “hackers” who may do it just for the thrill, or vandals and opportunistic criminals (including terrorists).

Security software from companies like McAfee or Symantec could be part of a good security strategy, but not sufficient. Standard anti-virus and anti-spam packages were developed for typical PC users, not for sophisticated, real-time control systems. They could work initially, but updates may disrupt performance. They need to be adapted specifically for use with automation control systems.

Network security comes from proper design, operation and maintenance to provide regularly updated protection. Good network security environments include high security routers and firewalls that block outside intrusion but do not affect required performance. Operators, supervisors and administrators should have the ability to interact with the system without constantly getting tied up with arduous, tedious and prolonged procedures. If it’s too difficult, knowledgeable people will quickly find a way around the system – the well-intentioned, honest but impatient insider.

Well thought out system security should prioritize and manage network traffic, restrict outside traffic, and give preferential treatment to control traffic. The system must have the ability to prevent problem situations before they occur. Plug-in memory ports must not be generally accessible, limiting the possibility of “sneaker-net” – portable memory like floppy-disks or USB memory sticks which may insert a virus or worm intentionally or unintentionally. There should be preconfigured groups and group policies that define desktop and console behavior. For example, operators could be limited to just auto start applications, supervisors could have the next level of security, engineers could be restricted to relevant engineering functions, and administrators could have unlimited access with maximum security (password protection, etc.).

Regular and consistent network management is the key to security protection. As they say about quality, business performance, and even about Life: Network Security is a journey, not a destination!

Return to Index of all JimPinto Writings Return to Index of all JimPinto Writings
Return to Homepage Return to HomePage

If you have ideas or suggestions to improve this site, contact:
Copyright 2003 : Jim Pinto, San Diego, CA, USA