Optimizing Exceptional Equipment
Security Matters
Proactive Protection Through Industrial Networks
We are in the era of the Internet of Things (IoT) – a world where more and more “things” are embedded with smart sensors and communicate with one another. These things serve as gateways to help industrial organizations better understand complex manufacturing processes. Devices within a machine and plant need to talk with one another, as well as those at the enterprise level, using a unified networking infrastructure that is based on standard, unmodified Internet Protocol (IP).

While this helps create a seamless flow of information, protecting these industrial assets from security risks becomes increasingly more important. It requires a defense-in-depth security approach that addresses both internal and external security threats. A defense-in-depth security architecture is based on the idea that any one point of protection may, and probably will, be defeated. This approach requires multiple layers of defense to help ensure a weakness or flaw in one layer can be protected by strength, capabilities or new variables introduced through other security layers.
In This Issue of Security Matters

The control system is no longer an isolated operation, and industrial organizations are recognizing that a seamless flow of information created by connecting control systems to the enterprise is critical for making significant operational improvements. As organizations seek greater visibility into their operations, OEMs must help establish a smooth flow of information from the machine level to the enterprise.

But effectively connecting the enterprise is a journey. No single product, technology or methodology can fully secure industrial applications. Protecting industrial assets requires a layered approach that helps mitigate various types of security threats – both internal and external. It also takes a comprehensive approach – one that extends beyond the stand-alone machine to include data, policies and procedures – to help address the myriad of people, process and technology-related security risks.

This issue of What Matters discusses the steps OEMs can take to securely integrate machines and equipment into a plant network, protect intellectual property at the machine level, and provide secure remote access for the end customer.
Information from Rockwell Automation for OEMs
Building in Layers of Security

Defense-in-depth security is a layered approach focusing on physical, network, computer, application and device security. Rockwell Automation teams with industry leaders, such as Cisco and its other PartnerNetwork™ members, to help OEMs build these layers of security into machinery and end users’ facilities. Physical security mechanisms, such as guards and gates, and a network-security framework that includes firewalls, intrusion detection and prevention systems (IDS/IPS), and managed switches and routers, are the building-block layers of a defense-in-depth approach.
Software vulnerabilities can provide an easy route for intruders to gain access to automation systems. OEMs can use advances in computer hardening to help protect end users against unwanted access. Computer hardening options include:
• Antivirus software
• Application whitelisting
• Host intrusion-detection systems (HIDSs) and other
endpoint security solutions
• Removing unused applications, protocols and services
• Closing unnecessary ports
Computers on the plant floor, such as a human-machine interface (HMI) or industrial computer, are susceptible to malware cyber risks, including viruses and Trojans. Software patching practices can work in concert with these hardening techniques to help further address computer risks. Device hardening also can help protect machinery and involves changing the default security configuration of an embedded device, such as a programmable automation controller, router or managed switch, to make it more secure.
Restricting Access to Valuable Data

Setting up policies that control human interaction with end-user systems can help prevent information theft, whether users are internal or external, on-site or remote. Using software tools such as the FactoryTalk® Security architecture allows end users to centralize authentication and access control by verifying the identity of each user who attempts to access the automation system. The software then communicates with the FactoryTalk Directory services platform to determine what the user is and is not permitted to do with that software. It either grants or denies each user’s request to perform particular actions on features and resources within the system.

In addition, Logix Source Protection, a feature in the Rockwell Software® Studio 5000™ Logix Designer application from Rockwell Automation, enables OEMs to assign a password to any routine or add-on instruction to help protect the valuable intellectual property contained within the applications.
Secure Remote Access

With the correct security procedures and architectural systems in place, remote monitoring through open-standard networks can provide OEMs and end users with an unprecedented ability to remotely oversee operations, perform real-time diagnostics and keep maintenance costs low.

Many end users are further reducing their costs with cloud-based computing that enables manufacturing operations on virtually any scale to deploy 24/7 monitoring of valuable applications. Moving remote access and support to the cloud, through a secure EtherNet/IP™ connection, helps OEMs monitor performance and quickly send critical data to the appropriate person.

The increasing sophistication of remote-systems monitoring, asset management and engineering support demonstrates how cloud technology facilitates IP-enabled “intelligent enterprise” advances in plant-floor security, connectivity, performance and ease of integration. A mission-critical production asset like a medium-voltage drive illustrates the point.

A nonfunctioning, isolated drive can result in a significant loss of revenue. With cloud technology, when this drive issues a warning or fault, the information is easily propagated to create a work ticket for a support engineer. Within minutes, a cloud-based, asset-monitoring application has an expert looking at the fault and taking corrective actions.

OEMs can add an additional layer of security in remote monitoring with secure routers. For example, the Allen-Bradley® Stratix 5900™ services router from Rockwell Automation enables users to help protect their information by creating encrypted tunnels which limit access to the traffic to authorized users, all while using the existing untrusted network.

By making ongoing investments in secure integration, property protection and remote access, OEMs can reduce exposure to unnecessary risks as they capitalize on the opportunities presented by the connected enterprise.
10 Steps to Building Security Into Machinery
OEMs can enhance their industrial reliability and security with these 10 actionable steps.
1. Control who has network access using tools, such as access control lists and port-blocking features/devices.
2. Ensure robust and reliable operations by employing firewalls and intrusion detection/prevention.
3. Use anti-virus protection and whitelisting.
4. Establish a system-patching policy to keep software up-to-date.
5. Develop procedures for employee-security practices, for example: managing and protecting passwords, managing removable media and use of personal devices.
6. Physically block changes to your controller by putting it in Run Mode.
7. Control who is allowed to do what from where in the application with FactoryTalk Security architecture.
8. Monitor what is going on in your system with Controller Change Detection and FactoryTalk AssetCentre system.
9. Protect your intellectual property with Logix Source Protection.
10. Ensure all Ethernet devices are connected using standard Internet Protocol.
Product and Service Highlights

Allen-Bradley® Stratix™ Family of Industrial Switches and Routers

Rockwell Automation is expanding its Allen-Bradley Stratix family of industrial switches and routers, and announcing new wireless and security products designed to meet industrial networking requirements. Expansions include: Stratix 5700™ managed industrial Ethernet switch with embedded Network Address Translation; Stratix 5900 services router; and new fiber and Power over Ethernet (PoE) options for the Stratix 5700, Stratix 8000™ and Stratix 8300™ switches. New products coming in 2014 include the Allen-Bradley ArmorStratix™ 5700 switch and Stratix 5100™ wireless access point. This expansion will help you and your customers build a more cost-effective, unified and secure network infrastructure from the enterprise to end devices used in the production environment. The Stratix switches use Cisco technology and are featured in the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide from Rockwell Automation and Cisco.

For more information, visit:
http://ab.rockwellautomation.com/Networks-and-Communications/Ethernet-IP-Infrastructure#/tab3
FactoryTalk® Security Architecture

The FactoryTalk Security architecture from Rockwell Automation provides centralized authentication and access control by verifying the identity of each user who attempts to access the automation system. The architecture either grants or denies each user’s request to perform particular actions on features and resources within the system. The FactoryTalk AssetCentre system provides a set of asset-centric tools to securely and centrally manage factory and process automation production environments. It helps secure access to the control system, tracks users’ actions, manages asset-configuration files, configures process instruments, and provides backup and recovery of operating asset configurations.

For more information, visit:
http://www.rockwellautomation.com/rockwellsoftware/factorytalk/security.html
Virtual Support Engineer™ Service

The Virtual Support Engineer service from Rockwell Automation offers a simple and secure approach for you and your customers to monitor your machines and collect valuable performance analytics. You can connect to your equipment from any Internet connection quickly and securely. Using IT-approved, outbound-only communication, the service offers access to assets and allows access to valuable information about machinery without sacrificing the security of the transferred data. The service sends alerts regarding any machinery issues in real time, via email or text messages.

For more information, visit:
http://www.rockwellautomation.com/services/online-phone/virtual-support-engineer.page
Industrial IP Advantage

Industrial operations have a tremendous opportunity to improve productivity, quality and flexibility through more effective connectivity and information flow between all of the various data-generating and data-consuming devices, processes, systems and people within the organization. Machine and process skid builders can use standard, unmodified Internet Protocol (IP) to help their end customers achieve this end-to-end connectivity. Industrial IP Advantage was established by a coalition of like-minded companies (Rockwell Automation, Cisco, Panduit and ODVA) who share a vision of an educational community where best practices, successes and failures can be shared on the use of standard, unmodified Ethernet and IP, together with the leading open industrial Ethernet standard, EtherNet/IP.

For more information, visit:
http://www.industrial-ip.org
Allen-Bradley Stratix 5900 Services Router

This new services router is the first in the Rockwell Automation network product portfolio to deliver virtual private network (VPN) and firewall capabilities simultaneously. These capabilities make the router well-suited for securing cell/area zones, as well as connection to a cell/area zone from a remote location over an untrusted network.

For more information, visit:
http://ab.rockwellautomation.com/networks-and-communications/stratix-5900-services-router
Publication OEM-AP043A-EN-P – March 2014 Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved. Printed in USA.
Allen-Bradley, ArmorStratix, FactoryTalk, PartnerNetwork, Rockwell Software, Stratix, Stratix 5100, Stratix 5700, Stratix 5900, Stratix 8000, Stratix 8300, Studio 5000, Total Cost to Design, Develop and Deliver and Virtual Support Engineer are trademarks of Rockwell Automation Inc. Trademarks not belonging to Rockwell Automation are property of their respective companies.
For more information on OEM Solutions from Rockwell Automation visit:
www.rockwellautomation.com/oem
Rockwell Automation OEM Program for Machine and Equipment Builders

As an OEM, you are challenged to differentiate yourself amid global competition and rapidly evolving technology. To effectively compete, you need to define value beyond the cost of your equipment and maximize company performance. Rockwell Automation can help improve your performance with solutions and services to lower the Total Cost to Design, Develop and Deliver℠ equipment and meet your customers’ requirements. As part of the OEM Program, you can expect increased comarketing opportunities, better market planning with our sales force, and improved customer engagement with comanaged objectives.

For more information, visit:
http://www.rockwellautomation.com/go/wmoem
Events Around the World

Rockwell Automation hosts events around the globe to help you learn more about how to use technology as a competitive advantage – to help you get your products and services to market faster, reduce costs, better utilize power and plant-floor assets, and minimize risk in your manufacturing environment.

For a list of events worldwide, visit:
http://www.rockwellautomation.com/rockwellautomation/events/overview.page
Visit the Rockwell Automation Connection Point at Interpack 2014
Hall 06, Booth A61
http://www.rockwellautomation.com/rockwellautomation/events/interpack/overview.page?
Save the Date: Interpack 2014

Join more than 166,000 attendees and 2,700 exhibitors from more than 60 countries at this year’s Interpack 2014 trade fair, May 8 – 14 in Düsseldorf, Germany. Visit the Rockwell Automation “Connection Point,” where you can take the first step in learning about leading-edge machine and equipment builder technology.

For more information, visit:
http://www.rockwellautomation.com/rockwellautomation/events/interpack/overview.page?