I attended a conference a little while back that covered everything you ever wanted to know about control and automation. The conference was sponsored by Siemens, which gave many of the presentations. But there were just as many by other experts, particularly folks who were either partners or customers of Siemens.
I sat in on a bunch of sessions in the security track, as there was a lot of information that, frankly, I was completely unaware of in that space. I’m mostly referring to how vulnerable our networks are, or, more precisely, how vulnerable your networks are.
At first glance, I asked myself, “Why would someone want to hack into somebody’s network on a factory floor?” The simple answer is: because they can. The less simple and more disturbing answer is: because they want to disrupt someone’s business. You’d hate to think that a competitor would initiate something like that, but you never know.
One of the more eye-opening presentations on this topic was delivered by Chuck Tommey, of A&E Engineering. Tommey is a senior controls systems engineer with 18 years of experience in the field. His presentation was titled, “How Hackers View Your Control System & What You Can Do About It.” The quote that got my attention was, “I’m scared silly. Very few plants are even close to thinking seriously about cybersecurity.”
It’s certainly no surprise that the “networked plant” has arrived and is here to stay. You could easily argue that the “networked world” is here to stay. What I learned at these presentations is that cybersecurity is not keeping pace, not by a long shot.
It’s to the point that our government is taking notice and is quite concerned about the issue. In fact, one prominent government blogger recently wrote about how Senators Joe Lieberman and Susan Collins, along with the Department of Homeland Security, hosted a cybersecurity demonstration. The purpose was to highlight some of the hackers’ methods and show how to protect against them.
The blogger, Brendan Sasso of Hillicon Valley, went on to say, “The sessions are part of a push for cybersecurity legislation. Lieberman and Collins, the top lawmakers on the Homeland Security and Government Affairs Committee, are the lead sponsors of a bill that would empower the Homeland Security Department to set mandatory standards for critical infrastructure systems such as electrical grids and gas pipelines.”
A second presentation I attended covered how to actually implement security in your network. It was given by Harry Brian and Barbara Fichtinger, both of Siemens. The best piece of information I pulled from this presentation was that security has to be implemented as part of the process, not something you add on later. And, “processes require well-trained people who live them.”
As evidenced regularly by our own Black Hat developers, no network is 100 percent bulletproof. But the harder you can make it, the more likely that the perpetrators will simply go looking elsewhere for a network to break into. Make sure you’re not that “other network” that gets hacked.
What’s your take? Tell us in the comments section below.
I definitely think organizations' attention is so fixated on security concerns surrounding their traditional information technology (IT) systems that the factory floor is often overlooked in the equation. Also, production floor automation systems are oftentimes under a different domain and run by a separate entity than the CIO-led IT departments where security and hacking have been a top concern for years. Great to see that this issue is coming front and center. It's just as important to safeguard the lifeblood of a company's operations nerve center as it is to ensure the security of its data assets.
It's a sad commentary when network security to protect the factory floor ends up becoming such an important task, versus other so much more productive projects. But unfortunately this is the world we live in.
This is an important subject, Rich. Over the past couple years, I've done a number of stories on security and the factory floor. I was curious too about who would want to hack into a plant's control system. The answer I received over and over was a disgruntled employee. This is the one person who has a motive and knows where all the buttons and levers are in the system.
Security is also a battleground between the control staff and the IT staff. IT says, we have to load patches and reboot. Control says, we're not going to shut down the plant to put in a patch.
The factory floor used to be unhackable back when all the controller interfaces and comm systems were proprietary and not connected to the Internet, or even to the company's own IT system. Ethernet connectivity has changed everything.
I agree, Ann, connectivity has changed everything in the plant. The control engineers were dragged into this kicking and screaming. Now they have vendors who are monitoring, even running, various aspects of plant operations, from maintenance to diagnostics to optimization.
Ann, Stuxnet got into Iran's nuclear program even though there was an air gap.
Flash drives are potentially more dangerous than having a plant connected to the internet. A simple way to social-engineer access into a factory is to load a virus payload onto several high-capacity flash drives and scatter them on the ground in the target's parking lot.
Very few people would resist picking it up thinking it was their lucky day. If they're scattered in the early morning, then the loaded drive goes into the building, where it gets slotted into a work computer to see what's there.
Some companies have policies against flash drives, and some of them even institute Group Policies (through their network) to prevent USB ports from being used for mass storage, but they are the very small exception.
I guess we should be just as surprised about the importance of Factory Floor Network Security as we were surprised by the importance of Y2K. We all knew it was a problem, but there was little concerted push to fix it until we scrambled to avert a catastrophe.
I'm not a huge fan of government regulations, but I can support the need for regulations concerning cybersecurity. In addition to clamping down on access from outside networks, I would hope that simple security measures such as multi-parameter identity verification and multi-user moderation would be a strong first step. Hollywood currently depicts cybersecurity breaches as easy as stealing a photo ID key card from an unsuspecting employee.
Requiring multi-parameter login identity verification and then requiring all program modifications and confidential data accesses to be approved by a moderator would stop both an unknown intruder and a lone disgruntled employee from being able to log in, access confidential data, and start the self-destruct sequence...
TJ, good point about flash drives, although security experts generally say that internet connections are at least as dangerous. Another big point of entry has been handheld devices, although those have become a lot more secure.