We can do this with confidence because there are ways to minimize security risks, protecting the recipe and protecting your brand.
However, the approach to mitigating security risks in a converged plantwide network must be holistic and multilayered, evaluating both external and internal threats.
Protected Environments Spur Innovation
Network security can seem complex. Scratch that. Network security IS complex. But, looking at it through the lens of a hypothetical food manufacturer can better explain some important concepts.
Let’s look, for instance, at a hypothetical cookie manufacturer wanting to move from a manual way of measuring ingredients, configuring equipment and reporting on production, to an automated system that can be accessed remotely using EtherNet/IP technology.
After performing an audit of the facility, our manufacturer has discovered the first two opportunities to enhance security.
First, not all employees need the same physical access to production servers and clients. Second, employees outside of the plant will need to be authenticated and authorized to keep out malicious individuals.
Our cookie manufacturer has learned that implementing EtherNet/IP technology will cause employees to interact with equipment in unfamiliar ways.
Everyone knows the USB port, for instance, but a USB port on an HMI server or client, while seemingly mundane, requires rules for how it should be used.
What security risk is there in a USB port? On occasion, malicious individuals have left thumb drives outside of food manufacturing plants.
The thumb drives appear harmless to whoever finds them until a virus or spyware has been downloaded onto the network that communicates information directly between the manufacturing and enterprise networks.
That’s intellectual property up for the taking, enabling a competitor to shortcut R&D investments.
And it is not just thumb drives. Often USB ports are viewed as charging stations for phones, music players, etc. Our virtuous employee is unaware that these devices can transport viruses and spyware.
That’s why it’s important to limit physical access to devices, machines and control rooms to authorized personnel. For example, a lockout/tagout device will help prevent unauthorized access to open ports such as USB.
Because our cookie manufacturer wants to be unhindered in refining and learning from the newly automated process, they want employees to view information from anywhere, anytime.
Managers can check on a batch schedule, material usage and similar items. Maintenance can troubleshoot operational deviations from anywhere off-site.
But providing access to employees outside the plant, or even on tablets from anywhere within, means potentially opening up access to a malicious individual also trying to access the network remotely.
What our manufacturer has begun to discover is the importance of network security technology.
In this case, that means authentication solutions that restrict remote access to a controller based on a user's level of authorization, even completely restricting certain users and providing read-only access to others.
The point here is to permit or block someone from logging on to the network by offering access only to specific users, sources, destinations and protocols.
The lesson: protect the physical layer, authenticate and authorize users, and use the appropriate solutions resulting from the initial review of the facility.
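The permit-or-block decision described above can be sketched as a default-deny policy check. This is an added example, not code from the article or any vendor product; the role names, the rights given to each role, the addresses (documentation ranges) and the `authorize` function are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    role: str              # authorization level of the authenticated user
    source: str            # network the request must originate from (CIDR)
    destination: str       # controller address or network (CIDR)
    protocol: str          # transport/port the rule covers
    operations: frozenset  # what the role may do: "read" and/or "write"

# Constructed policy. 198.51.100.0/24 stands in for a remote-access gateway
# pool, 192.0.2.10 for a controller; tcp/44818 is EtherNet/IP explicit messaging.
POLICY = [
    Rule("maintenance", "198.51.100.0/24", "192.0.2.10/32", "tcp/44818",
         frozenset({"read", "write"})),
    Rule("manager", "198.51.100.0/24", "192.0.2.10/32", "tcp/44818",
         frozenset({"read"})),  # read-only: can view, cannot change
    # No rule for any other role, so everyone else is completely restricted.
]

def authorize(role, authenticated, src, dst, protocol, operation):
    """Return True only if an explicit rule permits the request."""
    if not authenticated:
        return False  # authentication comes before authorization
    try:
        src_ip = ipaddress.ip_address(src)
        dst_ip = ipaddress.ip_address(dst)
    except ValueError:
        return False  # a malformed address is denied, never guessed at
    for rule in POLICY:
        if (rule.role == role
                and src_ip in ipaddress.ip_network(rule.source)
                and dst_ip in ipaddress.ip_network(rule.destination)
                and rule.protocol == protocol
                and operation in rule.operations):
            return True
    return False  # default deny: anything not listed is blocked

if __name__ == "__main__":
    print(authorize("manager", True, "198.51.100.7", "192.0.2.10", "tcp/44818", "read"))
    print(authorize("manager", True, "198.51.100.7", "192.0.2.10", "tcp/44818", "write"))
```

The check fails closed: a request is allowed only when user, source, destination, protocol and operation all match one rule.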
Safety in a Complex World
Of course our hypothetical cookie manufacturer lives in a simpler world than our own.
Manufacturers have different types of technology deployed in their plants, and will need to think about security in terms of the devices and applications actually used.
How? A logical topology of the plant should take into consideration each zone from the cell/area zone to the enterprise zone.
When connected to an enterprise business system, consider an industrial demilitarized zone that secures sharing between the plant and the larger organization.
Luckily for food manufacturers in the real world, best practices exist to help navigate the secure deployment of EtherNet/IP technology.
To learn more about what you need for a secure industrial network, check out the Design Considerations for Securing Industrial Automation and Control System Networks and the Industrial IP Advantage e-learning series.
EtherNet/IP is a trademark of ODVA Inc.