When things go wrong

InTech, Dec 2004 by Fussell, Ellen

"What's out there now is the original SP84 committee development from 1996-the U.S. domestic standard," Summers said. "Other countries used it, but it was predominantly focused on the U.S. market. The new standard is global. So it doesn't matter if you're building a plant in Asia, Texas, or Europe; it'll be built by the same standard. And that's good because most work is done using a variety of parties," she said. "You might do engineering in the states, a European company might own the site, and the installation might be going into Africa."

In the past, Summers said, local regulations made it difficult to execute projects efficiently because everyone had different opinions about how to design it."Now we have one base template about effective design of safety instrumented systems," she said.

What about security?

And just when they thought complying with safety standards was enough, now plants need to protect their systems against attacks. "But we need to apply protection in proportion to the risk and value,"said Rich Ryan, vice president of business development, global manufacturing solutions, at Rockwell Automation in Milwaukee, Wise. "Having too much security-if there is such a thing-can create unnecessary expenses and restrict accessibility to those with authorized access. But the lack of security puts people, processes, and profits at risk. So companies need to evaluate and balance the level of exposure with the business criticality of what they're protecting," he said.

Simply giving an IP address to a plant-floor device makes it a potential target, Ryan said,"but that doesn't mean we shouldn't leverage available technologies to improve manufacturing productivity. It's possible to build systems that leverage contemporary IT technology, but to apply it blindly without understanding the consequences of the threats isn't a good business risk."

Culprits, processes, and solutions

One way to protect information inside the perimeter of the plant is to implement user authentication at the doorbetween the inner and outer areas-using role, location, and process-based authentication, Ryan said. "Think of it as the definition and enforcement of who can do what, and from where." (See "Who, what, where" story, page 25.)

The outer layer of the enterprise, normally IT's domain, is the protective shell of the plant floor. It uses firewalls, encryption, and patch management to protect the plant from hackers, crackers, and script kiddies, Ryan said. "Think of what happens when you buy a new PC, take it home, and plug it into your DSL [digital subscriber line] or cable modem line. You immediately find your system is vulnerable to the outside world," he said. "The same risks occur in the production system, especially when you open up your manufacturing system by connecting it to the corporate IT network and the Internet." When they work with IT, most manufacturing managers realize this shell has proper protection, but they also need to know how that protection works to secure the factory floor.