Top plant security myths

InTech, Jul 2005 by Singer, Bryan

As awareness of plant floor security continues to grow across the industry, one question I often hear is "what are the real risks to a manufacturing environment?" When most of us think of security, it usually evokes visions of viruses, hackers, and worms. While these threats are certainly real, it's important to recognize that the vast majority of security breaches come from within a company's walls, through acts by employees and flaws in security procedures. Along with the growth in use of open systems technologies on the factory floor, including Web browsers and standards-based networks, comes a whole new host of vulnerabilities that didn't exist before, at least in the plant-floor environment.

With leaner operations and more integrated plant information systems, keeping information and control systems secure and reliable requires manufacturers to stay keenly aware of everything happening on the plant floor. Security breaches occur daily in plants, and many of them are simply the result of faulty procedures or poor personnel oversight. While employing the right technology is important, it is also key to effectively manage people in this environment to ensure optimum plant-floor security. Below are some of the most common security misconceptions throughout the industry.

Common security misconceptions

Myth: Technology solutions can answer all of the problems.

Reality: Most security mishaps are the result of a plant's own people, policies, and procedures. The best technology in the world isn't going to make a facility secure if there aren't properly trained people to use it correctly. To execute a successful strategy, it's imperative that manufacturers employ trained personnel and enforce policies that assign responsibility to individuals who can then be held accountable for any security incidents.

Myth: If your organization has an IT department, your plant is secure.

Reality: This is sometimes true, but not often. There are significant differences between security in an IT environment and security in an industrial automation and controls setting. In a plant environment, avoidance of downtime is crucial, and if there is a failure, immediate action needs to take place to restore production and minimize losses. IT departments don't have the same sense of urgency for repair of the manufacturing systems and therefore, by relying solely on your IT department, your plant could be at even greater risk.

Myth: Security is a significant company expense.

Reality: The misuse of technology results in significant expense, not security itself. Having properly trained personnel in place who know how to use technology correctly helps ensure you're using your investment without overspending. Contrary to popular opinion, it is possible to employ skilled people who are capable of following defined practices and can carefully, accurately, and efficiently apply technology.

Myth: The software vendor is responsible for patch certification.

Reality: While it is the responsibility of vendors to test their products against general patches and give guidance on patch management, it is the responsibility of the user to create internal labs and test the compatibility of patches against their own environment. To do this correctly, you must develop the appropriate security architecture for your controls environment. In simple terms, the software vendor can't control the environment and therefore can't account for all of the variables.

Myth: Preventive and detective measures are enough to keep a plant secure.

Reality: Regular patch testing and virus updates alone aren't going to effectively manage security. These measures only work if you do them before a virus hits, and preventive and detective measures can't substitute for trained people and sound security policies. The best solution is to have better defenses and more preventive measures in place.

Moving forward

The technical reports from ISA and other upcoming documents can be excellent resources to help ensure a secure plant. After reviewing these reports, it's important to conduct a risk analysis of the plant's control system to identify potential security risks and assess any potential problems. Assemble an internal team involving the major business units and develop a comprehensive security plan. If your company is not informed on security risks, engage experts who can thoroughly educate and inform management on this topic. Once you complete a thorough examination of your facility and procedures, take corrective actions to help ensure maximum plant reliability and security.

Behind the Byline

Bryan Singer is a senior business consultant at Milwaukee-based Rockwell Automation, and chairman of the ISA SP99 Committee.

Copyright Instrument Society of America Jul 2005
Provided by ProQuest Information and Learning Company. All rights Reserved

 
