Over the last five years, Ethernet and TCP/IP have increasingly become relevant to industrial communication as production systems are more closely integrated with ERP and back office management systems. Added to which, significantly lower costs for standard components have contributed to the growing popularity of Ethernet in the world of automation.
The IP protocols used in the factory network are effectively the same as the office network but extended by special Ethernet protocols such as EtherNet/IP, Modbus/TCP, Ethernet Powerlink, Ethercat and Sercos III – reflecting the real time requirements of industrial control.
But with these changes have come a new threat – a back door for viruses and malicious attacks onto the shop floor. And the consequences can be potentially disastrous with expensive loss of production running into days.
A disabled manufacturing line will lead to much higher costs than the temporary loss of an email server. For example, a denial of service attack that reduces bandwidth for machine controllers and production robots could paralyze an entire production line. And with the increasing use of Windows PCs for control and maintenance of industrial equipment there is the risk to network security from destructive programs or 'destructive' employees.
For example, one European automobile component supplier suffered severe production loss as a result of a service technician inadvertently connecting an infected notebook into the production line. This mid-sized company lost 24 hours in production time at an estimated cost of 1,000,000 Euros.
So it is not surprising that manufacturing and production managers are waking up and realizing that there is an urgent need to protect their once isolated and secure shop floor systems. But conventional security solutions suitable for the office environment are not necessarily designed for use in manufacturing and production.
The traditional hard perimeter approach is to place a firewall at the perimeter of the network. But in an industrial environment the targets are usually very specific and it is the interface to the back office networks that poses the greatest security risk.70-80 percent of all machine failures are caused by unauthorized or negligent internal access to systems – including the unwitting maintenance engineer with a rogue laptop.
The defense it depth approach uses multi-level security to protect individual production systems or zones. Software, usually based on anti-virus programs, can be installed on controllers, robots or industrial PCs or specific robust, 'device-attached' hardware devices can be deployed. And by combing security functions such as firewall, anti-virus and VPN with a traditional Ethernet switch it is possible to facilitate the secure, seamless exchange of information between back-office management systems and industrial control processes.
There is a long way to go before the shop floor catches up on and takes security as seriously as the back office. But it's starting and as production managers look to add functions such as remote machine diagnostics and maintenance, the need for better protection will be further increased.
The author is CEO at Innominate