In some applications, protective equipment like helmets, goggles and gloves can make it difficult to see a screen or handle a mobile device, whether ruggedized or COTS. Modern capacitive touch screens rely on the body’s ability to conduct electricity; swipes and taps won’t work with fingers covered by thick gloves.
Another potential problem with protective gear is unintended gestures on the device. Whether stored in a padded pocket or inadvertently brushed with a glove, the industrial equivalent of “butt” dialing can be avoided simply by building verifications into the interface.
But in the many areas where protective gear isn’t needed, these concerns don’t apply. More attention is being paid to the safety advantages of mobile: “You can keep cabinet doors closed and keep a safe distance away from the energized equipment,” notes one engineer.15
Automation company security concerns often go beyond normal business concerns about company data because critical processes and equipment are key in industrial control.
Proprietary control networks not connected to any other systems make security much easier than Ethernet or wireless networks, precisely because they are isolated and few people understand them. But closed, proprietary networks also lock useful data inside.
As Ethernet and especially wireless systems become more common in industry, and as connections between control systems and business systems become more common, this valuable data becomes useful in many ways:
• Supply chains become more efficient, with deliveries tied directly to current needs;
• Real-time production data informs management business decisions;
• Equipment status data drives maintenance, improving efficiency and reducing downtime; and
• Systems and equipment in remote or hazardous areas are easily monitored and adjusted, reducing employee time and expense and increasing safety.
The benefits of making data available are obvious, but the importance of securing that data is obvious as well.
As their operational realms become interconnected, information technology (IT) and industrial automation (IA) personnel must work hand-in-hand to protect network security, and turf wars between IT and IA must give way to alliance against a common enemy.
Control system security is just part of an overall security plan that includes far more than computer networks. Frost & Sullivan suggest (Figure 5):16
• Looking at all possible attack vectors, both cyber and physical;
• Thinking about all vulnerabilities: people, processes and physical security gaps; and
• Considering control system vulnerabilities.
The best system security is multi-layered, starting with access to the mobile device itself, continuing to its communication with your company network, and ending with layers of protection for the automation system and key pieces of equipment.
Device access. Manufacturers are experimenting with a variety of password protection methods for accessing COTS mobile devices: simple number locks, a pattern swipe (Android), a fingerprint scanner (iPhone), facial recognition (Android), a gesture-on-a-picture (Microsoft Windows). All of these methods can help keep unauthorized people from using the device.
If you supply devices to your employees, you may want to look into other protections as well, for example:
• Endpoint protection programs, similar to anti-malware and security applications on PCs
• Isolated virtual environments (also called containers) that separate personal apps and data from company apps and data on the device
Device communication. One advantage of COTS mobile devices is that security standards for communication are built in. When you check your bank balance or pay bills online from your phone, you use its built-in Wi-Fi Protected Access II (WPA2) security, a protocol called secure sockets layer (SSL), and some combination of username, password and perhaps images or special questions to verify that you have the right to take those actions.
Similar standards must be used in your industrial mobile apps to verify users and track operator actions.
Look at mobile device management (MDM) client programs for mobile devices, for example. These programs give your IT department the ability to control software, track a device’s location and regulate the use of company systems by anyone using the device.
Automation system protection. Whether you use COTS mobile devices or not, your company networks, both IT and automation, must be made as secure as possible. Mobile devices are only one part of an overall security strategy designed to identify, authenticate and track users; control access; and monitor and respond to any unusual activity.
An August 2013 white paper from network device manufacturer Moxa suggests several actions to take:17
• Segment IA from the rest of the company.
• Segment subsystems and key equipment.
• Disable unused ports on networked devices.
• Filter incoming MAC addresses to allow access only to authorized devices.
• Use a deep packet inspection (DPI) firewall to identify suspicious use from authorized sources.
• Monitor passwords for strength, and force periodic change.
• Always change default usernames and passwords on networked devices.