Automation Security & Scalability: Smart Solutions For Maintenance & Reliability

This document discusses securing remote access to HMI/SCADA systems while enabling connectivity. It notes that remote monitoring provides cost savings but also security risks from cyberattacks. The document lists six tips for protecting plant operations when using remote HMI/SCADA, including looking for systems with built-in security, using authentication, limiting remote access points, monitoring for anomalies, keeping software up-to-date, and training employees on secure practices. Securing these critical systems allows companies to benefit from remote access without undue risk.

Uploaded by oritas

www.plantservices.com

SMART SOLUTIONS FOR MAINTENANCE & RELIABILITY

AUTOMATION SECURITY & SCALABILITY
ARE YOUR CRITICAL ICS DATA PROTECTED?

Cybersecurity is an ongoing journey that manufacturers need not take alone

The threats to industrial control systems are real and alarming. Building an effective defense is something few companies can or should undertake singlehandedly.

In a report [1] released in March 2015, the U.S. Department of Homeland Security Industrial Control System Computer Emergency Response Team (ICS-CERT) cited 245 documented cyberattacks on industrial control systems in the period between Oct. 1, 2013, and Sept. 30, 2014. Keep in mind those were just attacks that were recognized and reported. One can only assume there were far more that were not even detected and others where the victims did not feel inclined to make the incident public.

While this statistic can be analyzed and interpreted in many ways, one thing is clear: Industrial networks and control systems are under attack. To the management of a manufacturing company looking at this reality, how should responsible leaders act?

One approach is simply to do nothing: Conduct business as usual and hope for the best. Some companies assume implementing a firewall is enough of a defense considering the odds of an attack. With luck, that might work, but it is similar to leaving the doors unlocked with hope that the wrong person won't try to get in. Still, if a company can operate easily without automation and there is little in the way of information to steal, the risk can be very low. Why buy locks for a building if there is nothing in it of any value? For a company of any substance, this is not practical. The risk is simply too great.

A MORE-COMPREHENSIVE APPROACH

A more-effective solution over the long term has to begin with a careful analysis of where a company is in the larger picture. What is the company trying to protect? What is its overall security concept, and how does it fit into the larger organizational concept? In more practical terms:

What risks do you face? Do you have any concept of who might want to attack your systems and how? Have you already experienced cyberattacks?

What information or data might someone want to steal?

How could an attacker disrupt your production?

Is there potential for an environmental disaster or loss-of-life scenario?

Should people in communities surrounding your facilities be concerned?

How could any of those possibilities affect your relationships with customers and stakeholders?

Building a cyberdefense program that is truly comprehensive is very difficult to do internally. It is a process, not an event. There are technical elements, but the process must involve training your employees on secure work practices and behavior.

Working with an industrial cybersecurity expert to develop defensive strategies and manage them over the long term can help you avoid the drawbacks of trying to take that challenge on singlehandedly or ignoring the risk. This expert will bring the collective experience of working with a wide variety of companies, promote best practices and provide valuable expertise in helping customers understand their current cybersecurity capabilities. Many companies are hobbled because they don't know what they don't know, so to speak, but drawing on outside experience can fill in those gaps.

Siemens implements the following three-step process to build industrial cybersecurity programs for its customers:

Assess. Analyze your present security environment and develop a security roadmap. This is always an eye-opening experience as companies typically do not have a comprehensive grasp of the nature of their industrial networks or what data could be compromised.

Implement. Engineer, design, and implement a cybersecurity program based on your specific situation to cover the gaps between your level of protection and potential risk, creating a program that follows important industrial security standards such as ISA99, IEC62443, NERC-CIP, and others. Siemens applies standards, best practices, and security frameworks, resulting in a defense-in-depth approach that includes the use of secure automation cells.

Operate and manage. Allow for continuous detection and protection through proactive defense. Provide support for maintaining your security posture against current and potential cyber threats. Your adversaries are intelligent, and they are always looking for new ways to get into your system.

AN ONGOING PROCESS

Ongoing services for managing and maintaining your security against current and potential cyber threats are a critical element. Using the capabilities provided through a cybersecurity operations center (CSOC) such as the Siemens CSOC can provide 24/7 monitoring as well as operations and updates of deployed security controls based on real-time intelligence. Proactive monitoring and continuous security management reduce the risk of production loss and equipment damage caused by cybersecurity threats, and they protect intellectual property, company reputation, and brand image.

In addition, on-demand remote-incident handling should be implemented, ideally with ICS cybersecurity experts available to respond quickly to provide support in executing forensic investigations, containing possible damages to the operating environment, and eradicating further risks.

Industrial manufacturing leaders that partner with effective cybersecurity services providers allow their internal resources to concentrate on their core business. They also provide protection for their company's assets, people, and customers.

REFERENCE

1. National Cybersecurity and Communications Integration Center (NCCIC), 2015. ICS-CERT Monitor, September 2014-February 2015. https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Sep2014Feb2015.pdf

Ken Keiser is Practice Lead, Plant Security, for Siemens Industry, Inc. Ken has spent more than 30 years in the process control industries with Fischer & Porter, Bailey Controls, ABB, and Siemens. In the last five years, he has also concentrated in Industrial Cyber Security within the Siemens Process Automation segment. He has worked with ISA99 on various workgroups, is the Industrial Security liaison to key Siemens customers, and recently received his CISSP certification from (ISC)². Contact Ken at [email protected].


CONNECTED, SECURE REMOTE SYSTEMS

Six tips for remote HMI/SCADA users to protect plant operations, drive cost savings

When you wake up in the morning, you can program your coffee maker with your smartphone upstairs and get a notification when your cup of coffee is done brewing downstairs. You can also turn up your thermostat with the touch of your phone to increase the temperature before you get out of bed. This technology is part of the Internet of Things, and it is helping to make people's everyday lives more convenient and efficient.

The Internet of Things revolves around increased machine-to-machine (M2M) communication and is built on cloud computing and networks of data-gathering sensors. Beyond its application in our home lives, this concept is becoming widely used in the industrial sector and has been dubbed the Industrial Internet of Things (IIoT). Now M2M technology allows us to manage and monitor equipment remotely and address problems in a timely manner, which translates to cost savings. The average field service visit now costs more than $1,000, according to data from the Technology Services Industry Association, and every eliminated field visit adds to an organization's bottom line.

A variety of M2M solutions can help diagnose and fix equipment issues. Among these is the remote desktop, which allows users to manage the machine/process remotely as though they were standing in front of a human-machine interface (HMI) connected to a supervisory control and data acquisition (SCADA) system. (HMI/SCADA solutions have become a widely used tool in a variety of industries and are often at the heart of an operation's data visualization, control, and reporting process to drive operational improvements.) A development software interface enables users to connect remotely to HMI/SCADA systems to make machine/process changes over the Internet without forcing unnecessary shutdowns.

While remote monitoring solutions such as HMI can provide cost savings and increased efficiency, it's important to understand the security risks associated with this technology and how to protect against them. Past cybersecurity breaches have shown how harmful cyberattacks can be for remote-activity operations in the industrial sector. For example, the Stuxnet virus is a computer worm that targeted industrial control systems used to monitor and control large-scale industrial facilities such as power plants, dams, and waste processing systems. The virus lets the attackers take control of these systems without the operators knowing as much, and the hackers can manipulate real-world equipment. Because of Stuxnet-type viruses and other various cyber threats, there has been an increased emphasis on HMI/SCADA security, and users of HMI/SCADA systems are focusing on how to protect this key element of their operations.

The good news is that there are several ways to secure remote access and reduce cybersecurity risks while enabling the connectivity required to support and service equipment. Users of HMI/SCADA systems should keep in mind the following to help protect their systems:

Look for a system with robust built-in security, which is the last line of defense against unwanted access. Some of the systems allow you to tie the SCADA security into the plant security system through a Lightweight Directory Access Protocol (LDAP) interface to Microsoft's Active Directory server.

Firewalls are key to keeping a network secure. They can either be software-based or hardware-based, and their primary objective is to control incoming and outgoing network traffic. Firewalls are designed to analyze data packets and determine whether they should be allowed to pass or not, based on a predetermined rule set. Most routers that pass data between networks contain firewalls and/or firewall components. Secure socket layer (SSL) encryption is important to help prevent unwanted access to information about the machine. This addresses security between outgoing email and incoming (i.e., HTTPS) network access.

Virtual private networks (VPN) use the Internet to connect computers to isolated remote computer networks that would otherwise be inaccessible. A VPN provides security so that traffic sent through the VPN connection stays isolated from other computers on the network. Some routers can create one or more VPNs that allow secure connections from the Internet to computers within a plant network.

Deep Packet Inspection (DPI) is a form of network packet filtering that examines the data portion of a packet as it passes an inspection point, searching for protocol noncompliance, viruses, spam, intrusions, or other defined criteria. It can then decide whether the packet may pass, be blocked, or be routed to a different destination. Certain routers and passive network devices that are commercially available incorporate this technology to filter messages at the application protocol layer (e.g., Modbus TCP or EtherNet/IP).

Segmenting the network into functional areas using intelligent routers provides additional layers of security. The more layers of security, the more difficult it is for cyber criminals to compromise the security of the manufacturing line and its control system. In addition, network segmentation provides a mechanism for isolating the control system from a plant or office network by providing an air gap in the event that other segments of the network come under attack. Unplugging the router's uplink to the rest of the network kills remote connectivity, but it allows the manufacturing line to continue to run in this worst-case scenario.

Some Windows-based HMI/SCADA systems offer a protected, noncorruptible operating system. In the event that machines do contract a virus or other malware, the problem can be cleared with a simple reboot. Despite assorted network security measures, an engineer or operator can still introduce a virus into the network by simply plugging an infected USB memory stick into a PC behind the firewall. A reboot will get the machine running much more quickly than a backup to a restore point, assuming a good restore point is even available.

HMI/SCADA systems provide remarkable efficiency and cost savings for users and OEMs, but ensuring the security of these systems and protecting against cyber threats is crucial. Companies can start by selecting systems with inherent security designs that can protect against a malware attack. In addition, taking proactive steps such as working with IT to design network interfaces and firewalls can help to minimize internal and external risks. Ultimately, these safeguards can help companies enhance protection of their critical infrastructure assets and reduce costs.

Kerry L. Sparks is senior field marketing specialist with Eaton (www.eaton.com) and has worked in the process control & automation industry for 40 years. His primary focus is on PLC, HMI, and SCADA systems. Contact him at [email protected].
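
The firewall and deep packet inspection tips in the article above describe passing or blocking traffic against a predetermined rule set at the application protocol layer. The sketch below is an added example, not code from the article or from any vendor product: it checks one Modbus TCP request for protocol compliance and applies a per-zone allow list of function codes. The zone names, the POLICY table, the sample frames, and the assumption of exactly one request per TCP payload are illustrative.

```python
import struct

# Read function codes and their maximum quantity per request, and the common
# write function codes, as defined by the Modbus application protocol.
READ_FCS = {1: 2000, 2: 2000, 3: 125, 4: 125}
WRITE_FCS = {5, 6, 15, 16}

# Hypothetical rule set: function codes each source zone may send to the PLC.
# A zone that is not listed gets nothing (default deny).
POLICY = {
    "remote_vpn": set(READ_FCS),                # remote users: read-only
    "control_cell": set(READ_FCS) | WRITE_FCS,  # local HMI: read and write
}

def inspect_modbus(payload: bytes, zone: str, policy=POLICY):
    """Return (verdict, reason) for a single Modbus TCP request payload."""
    if len(payload) < 8:                        # 7-byte MBAP header + function code
        return "block", "truncated frame"
    _tid, proto, length, _unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:                              # protocol id 0 identifies Modbus
        return "block", "protocol id is not Modbus"
    # The length field counts the unit id plus the PDU (at most 1 + 253 bytes).
    if length != len(payload) - 6 or length > 254:
        return "block", "MBAP length mismatch"
    fc = payload[7]
    if fc not in policy.get(zone, set()):
        return "block", f"function code {fc} not allowed from {zone}"
    if fc in READ_FCS:
        if len(payload) != 12:                  # header + fc + address + quantity
            return "block", "malformed read request"
        _addr, qty = struct.unpack(">HH", payload[8:12])
        if not 1 <= qty <= READ_FCS[fc]:
            return "block", "quantity out of range"
    return "allow", "ok"

# Constructed sample frames (not captured traffic).
READ_OK = bytes.fromhex("0001 0000 0006 01 03 0000 000a")        # read 10 registers
WRITE_REG = bytes.fromhex("0002 0000 0006 01 06 0001 00ff")      # write one register
READ_TOO_MANY = bytes.fromhex("0003 0000 0006 01 03 0000 07d0")  # read 2000 registers

if __name__ == "__main__":
    for name, frame, zone in [("read", READ_OK, "remote_vpn"),
                              ("write", WRITE_REG, "remote_vpn"),
                              ("write", WRITE_REG, "control_cell"),
                              ("oversized read", READ_TOO_MANY, "control_cell")]:
        print(name, zone, inspect_modbus(frame, zone))
```

A production inspection point would also have to reassemble TCP streams and validate the body of each write request; this sketch covers only the header, function-code and read-quantity checks.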


CERTIFY YOUR CABLING INFRASTRUCTURE

Industrial Ethernet certification is vital to the efficiency and productivity of your plant

In the good old days, it seemed like each manufacturer had its own protocols at each level of control. One advantage of this was clear separation of control data from plant data. However, these older protocols had lower speeds and provided less information on the devices and processes that were connected to them. And, because data throughput and basic transmission rates were relatively low, these networks typically tolerated more variability in cabling and connector integrity.

Ethernet has been in use at the top control levels for decades, and it has steadily migrated into lower levels of control. While there are certainly legacy systems in place and some greenfield installations are using device-level networks for sensors and actuators, the majority of data is transferred via some flavor of Ethernet.

To address concerns about throughput or IT-oriented traffic interfering with plant control, multiple Ethernet networks and subnets are deployed and handled with managed switches and routers. A parallel trend with Ethernet at different levels has been an increase in the amount and types of data being transferred. It's not unusual for conventional TCP/IP to coexist with other protocols on top of TCP/IP and along with video.

The net result is that physical cabling is being pushed to the limit. Whether the cable is Cat5e at 100MHz, Cat6 at 250MHz or Cat6A at 500MHz, you will want to be sure that it meets its specifications. After all, cable is the foundation of network communications.

Often overlooked by plant manufacturing managers, industrial Ethernet certification is vital to overall efficiency and can mean the difference between optimized productivity and less-than-robust performance. In fact, it's estimated that 35% to 80% of total failures in plant automation can be attributed to the cabling. Loss of critical data, system downtime or even catastrophic, overall failure are possible outcomes of unreliable network performance.

When installing cabling for industrial Ethernet applications, you can't simply assume it will work. To reduce the risk of startup problems and minimize future downtime, it's advisable not only to ensure that cable is installed properly but also to have it configured, tested, and certified. Cable certification ensures that the cable infrastructure meets standards for quality and speed. Cable certification test parameters include cable length, ACR-N, propagation delay, return loss, and loop resistance. The odds of communication failure increase if these parameters are out of specification. For many cabling and network infrastructure vendors, certification is a requirement for installation warranties.

In commercial sectors, certification is relatively common. However, in the industrial space, it's relatively uncommon. Therefore, when researching your options for cable testing, it is important to remember that not all certifiers are created equal. Certifiers have active electronics at each end of the cable that work together to conduct measurements. Look for a certifier that can be operated from either end to avoid the need to walk back to the head end during testing.

Industrial installations may have RJ45 to M12, RJ45 to RJ45, or M12 to M12 cable connections. Some using M12 connections may have either the older M12 two-pair cabling or the newer four-pair cabling, so find a certifier that can handle either. The Telecommunications Industry Association (TIA) has specifications for all of these variations.

Also, Cat5e (100MHz)/6 (250MHz) and, increasingly, 6A (500MHz) copper cabling is in use in industrial installations, so you may want your certifier to support the emerging Cat8 with expected applications in areas such as data centers.

Finally, the connection types discussed so far have all been for copper cabling. Your application may benefit from the noise immunity and intrinsic safety of fiber. In this case, make sure the certifiers you are considering also have adapters for single and multimode fiber.

Mark Knebusch is vice president of marketing for Softing Inc. (www.softing.us), a leading provider of industrial communication products and technologies for manufacturing and process automation. He is based in Knoxville, TN, and can be reached at [email protected].
