The iPhone is coming to the Plant Floor – Can we Secure it?

Browsing this week’s industry newsletters, I noticed that Automation World had two related stories on new technologies:

Both articles indirectly point to an issue that industry needs to come to terms with quickly if we are ever going make our plant floors secure.

The BYOD Iceberg?

Let’s start with the Tablets and Smart Phones story. It is about the issue of mobile devices, especially personal mobile devices, showing up on the plant floor. Never going to happen you say? I wouldn’t be so sure.

First, a definition. The topic of personal mobile devices is referred to in the corporate IT world as “Bring Your Own Device” or BYOD. If you haven’t heard of BYOD, Wikipedia defines it as:

Bring your own device (BYOD) is a business policy of employees bringing personally owned mobile devices to their place of work and using those devices to access privileged company resources

A common example is using your personal iPhone to access your company’s email system. And as I will explain later, the iPhone is only the tip of the iceberg. The whole “Bring Your Own Device” (BYOD) phenomenon is a major concern throughout the corporate world.

Like icebergs, mobile technology has become an unstoppable force of nature. They have invaded the corporate office – is the plant floor the next frontier?

The iceberg is a good metaphor for the onslaught of this technology. When dealing with an iceberg, pushing against it or ignoring it generally aren’t effective options. It is bigger than you are and will go where it wants. The best you can do is to try to manage it.

Bring Your Own Devices to the Plant Floor?

Most IT departments are beginning to accept the inevitability of BYOD. According to a recent study, the majority of companies surveyed said they are now adapting their IT infrastructure to accommodate employee’s personal devices, rather than restricting employee use of personal devices.

“Dear Mom, Today is my first day programming the filling line.”

What about the plant floor? Will tablets soon be standard equipment in the refinery? Or will they be banned from moving outside the corporate office. The first sentence of the Tablets and Smart Phones article says it all:

Industrial IT teams are likely to rail against the use of mobile devices, but many equipment makers feel they are fighting against the tide to ignore them. Productivity will ultimately determine which side will win.

#1 on the Engineer’s Wish List?

Next read the Industrial Networking Desires Revealed article. You will notice that when engineers are asked to identify their unfulfilled industrial networking desires, the number #1 item is: “Connecting to the factory with a smart phone”.

I have discussed in past blogs that in any war between security and productivity, security will lose. The situation is no different here. Smart phones are coming to the plant floor. The only question is “Will we adapt to this new world in a secure way or will it be another source of insecurity”?

What is a Mobile Device Anyway?

One option for the mobile device question is to just ban them outright. There are cases when this might be appropriate (explosive environments for example), but generally outright bans rarely work the way people want them to. One of the reasons is that we have a tendency to see technology only in terms of what is available today or what is popular. This results in narrow definitions of a specific technology that lets other technologies slip through. For example, an iPhone is clearly a mobile device, but what about a personal USB keyboard or mouse that an employee brings in, perhaps for health reasons? (If you don’t think that a mouse can be a security issue then see: Hackers pierce network with jerry-rigged mouse).

Sometimes a “mobile device” isn’t even a device at all. Consider a CD that contains a Stuxnet-infected S7 ladder logic file. Or an automated forklift that moves from site to site. At the extreme end, many people know we have been working with Boeing for the past few years – they have large mobile devices called 787s. What is important to remember is mobile devices can range from a CD with what appears to be an innocent document file, to the obvious iPhone, right up to entire mobile platforms.

Managing Smart Mobile Devices Smartly!

The only way to address this range of evolving “mobile” technology is to use the Zone and Conduit concepts promoted in the ISA/IEC 62443 standards. Properly done, zone and conduit security can result in operational requirements that define a security process, rather than proscriptive requirements like “Mobile Devices should not be used on the plant floor”. Restricting devices seems simple and comforting, but since this is so narrow, restrictive and inflexible, it encourages inventive staff to find ways around the rules so they can do their job.

Recently I talked to a customer with a very innovative way to manage Wi-Fi-capable mobile devices on his factory floor. Instead of banning wireless technologies (something that is hard to enforce if you have a lot of contractors), he actually set installed Wi-Fi access points throughout the manufacturing areas. Then he routed all the access points into a “Captive Portal” – one of those locked down web pages you run into in hotels and airports.

This Captive Portal strategy had multiple benefits – first he immediately had a record of who was trying to use Wi-Fi in his factory. Second, by forcing all employees and contractors to log in, he could track exactly what they were doing and when. Then, based on each user’s log-in credentials, he could restrict network access to specific systems in his factory. For example, a contractor working on the Finishing Line could be restricted to only seeing the Finishing Line PLCs. And finally, by using deep packet inspection, he could force the contractors into a view-only mode by blocking all PLC write and programming commands.

Who Knows What Tomorrow’s Mobile Device Will Look Like?

Information technologies are changing constantly. Trying to manage them with proscriptive rules is a hopeless task, because we can never keep up. Instead we need to work from general principles. For example, the definition of mobile device can be expanded from specific technologies (such as cell phones) to a definition based on their general functionality. For example, one proposed definition is “non-fixed location digital information storage or processing devices”. That covers basically anything that can contain an electronic 1 or a 0 and isn’t bolted down.

Once we have our definitions set, we can move onto determining what actions we want to manage. The example with the captive portal showed how all Wi-Fi devices (rather than subsets like laptop or iPad) can be managed in a uniform manner. If we stick to those principles, I believe we can have mobile devices and security at the same time.

What is your company doing about mobile devices on the plant floor? Does it have a strategy?

Image credit: Iceberg, Advoco

Related Content to Download

White Paper: "Using ANSI/ISA-99 Standards to Improve Control System Security"

Download this White Paper and learn about:

  • The ANSI/ISA-99 Zone and Security Model

  • A Real World Oil Refinery Example

  • Implementing Zones and Conduits with Industrial Security Appliances

  • Testing and Managing the Security Solution

Note: ANSI/ISA-99 Standards have recently been renamed ISA/IEC 62443 Standards.

Related Links

 

RSS Feed Subscribe to the "Practical SCADA Security" news feed

Author Eric Byres

Comments

4

ThinManager (also featured in Automation World this month) has had applications for iPhone and iPad that are extremely secure and can limit user functionality to specific applications (thank you Guided Access via iOS6):

http://blogs.thinmanager.com/thinclients/?p=1638

http://www.thinmanager.com/ios/index.php

Embrace the power of thin!

Let's start off by assuming a compromised cell phone which permits remote operator access to the device. An employee creates a Wi-Fi log-in record using the captive portal which gives a false assurance of compliance (false because the device is compromised). As the employee accesses a PLC in view-only mode the remote operator sends commands through the cell data network to access other PLC information in view-only mode. This information is sent to a remote connection through the cell data network. Using the cell data network bypasses the security controls of the Wi-Fi network and at the same time leaves the false assurance that security has not been compromised. The remote operator acquires timely information on a process which can be sold or used to plan other exploits, without tripping security safeguards.

OPC UA will also enable secure mobile clients. See for example our trade show setup, which demonstrates controlling a Beckhoff PLC directly from an Android phone, http://www.prosysopc.com/blog/2012/11/16/tuomas/prosys-opc-in-ias-2012-s... using standard communications (OPC UA is IEC 62541).

Cyber Security is one of the most important issues which we face today in this modern world. The demand for security in handheld devices that we use is increasing like anything. If iPhone is coming to Plant Floor, we need to think about a better security program, I think. Anyways thanks for sharing.

Add new comment