This website uses cookies primarily for visitor analytics. Certain pages will ask you to fill in contact details to receive additional information. On these pages you have the option of having the site log your details for future visits. Indicating you want the site to remember your details will place a cookie on your device. To view our full cookie policy, please click here. You can also view it at any time by going to our Contact Us page.

Is cyber security a threat to smart factories?

05 March 2017

Barry Graham discusses plant network security considerations as we move towards the goal of ever smarter factories. 

The Stuxnet computer worm was a wake-up call to the industrial world, highlighting that an ostensibly closed and secure system could be compromised by nothing more than an infected USB memory stick during a routine maintenance procedure. 

The original mode of delivery for Stuxnet was essentially via portable storage media. More recently other malicious code are thought to have entered systems via the internet, with phishing emails and/or Trojans being the suspected vectors. Whatever the mode of access, it is evident that many of today’s industrial networks remain vulnerable to cyber attack and it is fair ask whether the more open industrial networks of the future, designed to work with the Internet of Things and in smart factories, will be at greater risk of cyber attack. The potential risks are manifold, compromising intellectual property, brand damage, financial loss, customer grievances following late deliveries or batch inconsistencies, the safety of production personnel and even the safety of manufactured products. 

The International Society of Automation's ISA99 committee has been working to define security standards for industrial automation and control systems since 2007. In 2010, these standards were aligned with the corresponding International Electrotechnical Commission (IEC) standards to become the ISA/IEC 62443 series – which is currently the most comprehensive set of standards dedicated to the security of industrial control and automation systems.

It is fair to say, these standards have yet to be fully assimilated industry-wide; meanwhile, most automation hardware/software suppliers have also been developing solutions to the problems of cyber-physical production system security, and have addressed the issues in a variety of ways.

For a decade or more, it has been possible to connect remotely to a PLC via a serial bus for monitoring and diagnostic purposes. Today's machine controllers are equipped with Ethernet ports that, for example, provide internet connection via the enterprise IT system to a remote, cloud-based SQL database in order to download stored recipe data.

Any vulnerability in that connection, however, could potentially lead to compromised intellectual property relating to that recipe. The security of such open systems – and, by inference, the necessary level of co-operation that will be required between information technology (IT – the enterprise business system) and operational technology (OT – the factory automation system) departments – have become critical considerations.

Omron’s approach to the problem is to provide basic security for its factory automation systems using http Port 80 – the default port number for a web server – which protects Sysmac machine controllers by allowing communication only from within the Sysmac Studio configuration, programming, simulation, and monitoring software environment. Communication between Sysmac machine controllers and Sysmac Studio is not encrypted; instead, it is protected via digest authentication – a method that enables a web server to check a user's credentials, such as their username and/or password, with their web browser. The identity of a user can be confirmed before information is released to the network by applying a hash function to the username and password before transmission. Moreover, Sysmac controllers cannot send service data object (SDO) messages to the EtherCat network from external sources, so it is essentially isolated from the information network.

Barriers that have traditionally existed between IT and OT departments will have to come down if a true Industry 4.0 implementation is to be realised. IT departments have, for many years, been fully aware of cyber threats and the potential damage that can ensue if systems are not adequately protected. For OT engineers, however attacks on their systems are a relatively recent phenomenon and the threats and risks may or may not be fully understood by OT departments.

IT and OT functions still remain generally independent of one another and it is normally the IT department that has any control over the prevention of cyber attacks on the enterprise by restricting access to the enterprise networks. However in a smart factory restricting access to enterprise networks would be unacceptable, so it is important that IT and OT departments start to work together so that they are able to combat the greater risks posed by the open networks of Industry 4.0 together.

A productive collaboration between IT and OT departments would improve business efficiency as well as raise awareness of the cyber threat issues that must be addressed at all levels of the enterprise. 

Barry Graham is automation product marketing manager at Omron.

Contact Details and Archive...

Print this page | E-mail this page