
Optimizing Exceptional Equipment

Security Matters

Proactive Protection Through Industrial Networks

We are in the era of the Internet of Things (IoT) – a world where more and more “things” are embedded with smart sensors and communicate with one another. These things serve as gateways to help industrial organizations better understand complex manufacturing processes. Devices within a machine and plant need to talk with one another, as well as those at the enterprise level, using a unified networking infrastructure that is based on standard, unmodified Internet Protocol (IP).

While this helps create a seamless flow of information, protecting these industrial assets from security risks becomes increasingly important. It requires a defense-in-depth security approach that addresses both internal and external security threats. A defense-in-depth security architecture is based on the idea that any one point of protection may, and probably will, be defeated. This approach requires multiple layers of defense to help ensure a weakness or flaw in one layer can be protected by strength, capabilities or new variables introduced through other security layers.

In This Issue of Security Matters

The control system is no longer an isolated operation, and industrial organizations are recognizing that a seamless flow of information created by connecting control systems to the enterprise is critical for making significant operational improvements. As organizations seek greater visibility into their operations, OEMs must help establish a smooth flow of information from the machine level to the enterprise.

But effectively connecting the enterprise is a journey. No single product, technology or methodology can fully secure industrial applications. Protecting industrial assets requires a layered approach that helps mitigate various types of security threats – both internal and external. It also takes a comprehensive approach – one that extends beyond the stand-alone machine to include data, policies and procedures – to help address the myriad of people, process and technology-related security risks.

This issue of What Matters discusses the steps OEMs can take to securely integrate machines and equipment into a plant network, protect intellectual property at the machine level, and provide secure remote access for the end customer.

Information from Rockwell Automation for OEMs


Building in Layers of Security

Defense-in-depth security is a layered approach focusing on physical, network, computer, application and device security. Rockwell Automation teams with industry leaders, such as Cisco and its other PartnerNetwork™ members, to help OEMs build these layers of security into machinery and end users’ facilities. Physical security mechanisms, such as guards and gates, and a network-security framework that includes firewalls, intrusion detection and prevention systems (IDS/IPS), and managed switches and routers, are the building-block layers of a defense-in-depth approach.

Software vulnerabilities can provide an easy route for intruders to gain access to automation systems. OEMs can use advances in computer hardening to help protect end users against unwanted access. Computer hardening options include:

• Antivirus software
• Application whitelisting
• Host intrusion-detection systems (HIDSs) and other endpoint security solutions
• Removing unused applications, protocols and services
• Closing unnecessary ports

Computers on the plant floor, such as a human-machine interface (HMI) or industrial computer, are susceptible to malware cyber risks, including viruses and Trojans. Software patching practices can work in concert with these hardening techniques to help further address computer risks. Device hardening also can help protect machinery and involves changing the default security configuration of an embedded device, such as a programmable automation controller, router or managed switch, to make it more secure.

Restricting Access to Valuable Data

Setting up policies that control human interaction with end-user systems can help prevent information theft, whether users are internal or external, on-site or remote. Using software tools such as the FactoryTalk® Security architecture allows end users to centralize authentication and access control by verifying the identity of each user who attempts to access the automation system. The software then communicates with the FactoryTalk Directory services platform to determine what the user is and is not permitted to do with that software. It either grants or denies each user’s request to perform particular actions on features and resources within the system.

In addition, Logix Source Protection, a feature in the Rockwell Software® Studio 5000™ Logix Designer application from Rockwell Automation, enables OEMs to assign a password to any routine or add-on instruction to help protect the valuable intellectual property contained within the applications.


Secure Remote Access

With the correct security procedures and architectural systems in place, remote monitoring through open-standard networks can provide OEMs and end users with an unprecedented ability to remotely oversee operations, perform real-time diagnostics and keep maintenance costs low.

Many end users are further reducing their costs with cloud-based computing that enables manufacturing operations on virtually any scale to deploy 24/7 monitoring of valuable applications. Moving remote access and support to the cloud, through a secure EtherNet/IP™ connection, helps OEMs monitor performance and quickly send critical data to the appropriate person.

The increasing sophistication of remote-systems monitoring, asset management and engineering support demonstrates how cloud technology facilitates IP-enabled “intelligent enterprise” advances in plant-floor security, connectivity, performance and ease of integration. A mission-critical production asset like a medium-voltage drive illustrates the point.

A nonfunctioning, isolated drive can result in a significant loss of revenue. With cloud technology, when this drive issues a warning or fault, the information is easily propagated to create a work ticket for a support engineer. Within minutes, a cloud-based, asset-monitoring application has an expert looking at the fault and taking corrective actions.

OEMs can add an additional layer of security in remote monitoring with secure routers. For example, the Allen-Bradley® Stratix 5900™ services router from Rockwell Automation enables users to help protect their information by creating encrypted tunnels which limit access to the traffic to authorized users, all while using the existing untrusted network.

By making ongoing investments in secure integration, property protection and remote access, OEMs can reduce exposure to unnecessary risks as they capitalize on the opportunities presented by the connected enterprise.

10 Steps to Building Security Into Machinery

OEMs can enhance their industrial reliability and security with these 10 actionable steps.

1. Control who has network access using tools, such as access control lists and port-blocking features/devices.
2. Ensure robust and reliable operations by employing firewalls and intrusion detection/prevention.
3. Use anti-virus protection and whitelisting.
4. Establish a system-patching policy to keep software up-to-date.
5. Develop procedures for employee-security practices, for example: managing and protecting passwords, managing removable media and use of personal devices.
6. Physically block changes to your controller by putting it in Run Mode.
7. Control who is allowed to do what from where in the application with FactoryTalk Security architecture.
8. Monitor what is going on in your system with Controller Change Detection and FactoryTalk AssetCentre system.
9. Protect your intellectual property with Logix Source Protection.
10. Ensure all Ethernet devices are connected using standard Internet Protocol.
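As an added example, not code from Rockwell Automation or this publication, the Python below models steps 1, 2 and 8 of the list: an ordered access-control list with a default deny for traffic entering a cell/area zone, and a monitor that flags EtherNet/IP flows from hosts the list does not permit. The addresses and flow records are constructed; the EtherNet/IP port numbers (TCP/UDP 44818 for explicit messaging, UDP 2222 for implicit I/O) are the protocol's standard ports and are not stated on the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example (not Rockwell Automation code): ordered ACL evaluation for a
# cell/area zone and a monitor for EtherNet/IP flows the ACL does not permit.
# 44818 (TCP/UDP, explicit messaging) and 2222 (UDP, implicit I/O) are the
# standard EtherNet/IP ports; the zone address below is constructed.
ENIP_PORTS = {44818, 2222}
CELL_ZONE = ipaddress.ip_network("10.20.1.0/24")

@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # source CIDR
    dst: str              # destination CIDR
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # destination port, None = any port

# Ordered list, first match wins; the last rule is an explicit default deny (step 1).
ACL = [
    Rule("permit", "10.20.1.0/24", "10.20.1.0/24", "any", None),    # traffic inside the zone
    Rule("permit", "10.10.5.10/32", "10.20.1.0/24", "tcp", 44818),  # one engineering workstation
    Rule("deny", "0.0.0.0/0", "10.20.1.0/24", "any", None),         # everything else
]

def evaluate(acl: List[Rule], src: str, dst: str, proto: str, port: int) -> str:
    """Return the action of the first matching rule; deny when nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in acl:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.proto in ("any", proto) and r.port in (None, port)):
            return r.action
    return "deny"

def flag_enip(flows, acl: List[Rule]) -> List[str]:
    """Steps 2 and 8: report EtherNet/IP flows entering the zone that the ACL would block."""
    alerts = []
    for src, dst, proto, port in flows:
        entering = (ipaddress.ip_address(src) not in CELL_ZONE
                    and ipaddress.ip_address(dst) in CELL_ZONE)
        if entering and port in ENIP_PORTS and evaluate(acl, src, dst, proto, port) != "permit":
            alerts.append(f"{proto}/{port} from {src} to {dst} is not permitted by the ACL")
    return alerts

# Constructed flow records (src, dst, proto, dst_port) standing in for switch or firewall logs.
SAMPLE_FLOWS = [
    ("10.20.1.5", "10.20.1.20", "udp", 2222),      # I/O traffic inside the zone
    ("10.10.5.10", "10.20.1.20", "tcp", 44818),    # permitted engineering workstation
    ("10.10.5.77", "10.20.1.20", "tcp", 44818),    # unlisted host: alert
    ("192.168.9.3", "10.20.1.20", "udp", 2222),    # unlisted host: alert
    ("10.10.5.77", "10.20.1.20", "tcp", 443),      # denied, but not EtherNet/IP
]
```

Running `flag_enip(SAMPLE_FLOWS, ACL)` returns two alerts, one per unlisted host; the HTTPS flow is denied by the ACL but is not reported because the monitor is scoped to the control protocol.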


Product and Service Highlights

Allen-Bradley® Stratix™ Family of Industrial Switches and Routers

Rockwell Automation is expanding its Allen-Bradley Stratix family of industrial switches and routers, and announcing new wireless and security products designed to meet industrial networking requirements. Expansions include: Stratix 5700™ managed industrial Ethernet switch with embedded Network Address Translation; Stratix 5900 services router; and new fiber and Power over Ethernet (PoE) options for the Stratix 5700, Stratix 8000™ and Stratix 8300™ switches. New products coming in 2014 include the Allen-Bradley ArmorStratix™ 5700 switch and Stratix 5100™ wireless access point. This expansion will help you and your customers build a more cost-effective, unified and secure network infrastructure from the enterprise to end devices used in the production environment. The Stratix switches use Cisco technology and are featured in the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide from Rockwell Automation and Cisco.

For more information, visit:

http://ab.rockwellautomation.com/Networks-and-Communications/Ethernet-IP-Infrastructure#/tab3

FactoryTalk® Security Architecture

The FactoryTalk Security architecture from Rockwell Automation provides centralized authentication and access control by verifying the identity of each user who attempts to access the automation system. The architecture either grants or denies each user’s request to perform particular actions on features and resources within the system. The FactoryTalk AssetCentre system provides a set of asset-centric tools to securely and centrally manage factory and process automation production environments. It helps secure access to the control system, tracks users’ actions, manages asset-configuration files, configures process instruments, and provides backup and recovery of operating asset configurations.

For more information, visit:

http://www.rockwellautomation.com/rockwellsoftware/factorytalk/security.html


Product and Service Highlights

Virtual Support Engineer™ Service

The Virtual Support Engineer service from Rockwell Automation offers a simple and secure approach for you and your customers to monitor your machines and collect valuable performance analytics. You can connect to your equipment from any Internet connection quickly and securely. Using IT-approved, outbound-only communication, the service offers access to assets and allows access to valuable information about machinery without sacrificing the security of the transferred data. The service sends alerts regarding any machinery issues in real time, via email or text messages.

For more information, visit:

http://www.rockwellautomation.com/services/online-phone/virtual-support-engineer.page

Industrial IP Advantage

Industrial operations have a tremendous opportunity to improve productivity, quality and flexibility through more effective connectivity and information flow between all of the various data-generating and data-consuming devices, processes, systems and people within the organization. Machine and process skid builders can use standard, unmodified Internet Protocol (IP) to help their end customers achieve this end-to-end connectivity.

Industrial IP Advantage was established by a coalition of like-minded companies (Rockwell Automation, Cisco, Panduit and ODVA) who share a vision of an educational community where best practices, successes and failures can be shared on the use of standard, unmodified Ethernet and IP, together with the leading open industrial Ethernet standard, EtherNet/IP.

For more information, visit:

http://www.industrial-ip.org

Allen-Bradley Stratix 5900 Services Router

This new services router is the first in the Rockwell Automation network product portfolio to deliver virtual private network (VPN) and firewall capabilities simultaneously. These capabilities make the router well-suited for securing cell/area zones, as well as connection to a cell/area zone from a remote location over an untrusted network.

For more information, visit:

http://ab.rockwellautomation.com/networks-and-communications/stratix-5900-services-router


Publication OEM-AP043A-EN-P – March 2014 Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved. Printed in USA.

Allen-Bradley, ArmorStratix, FactoryTalk, PartnerNetwork, Rockwell Software, Stratix, Stratix 5100, Stratix 5700, Stratix 5900, Stratix 8000, Stratix 8300, Studio 5000, Total Cost to Design, Develop and Deliver and Virtual Support Engineer are trademarks of Rockwell Automation Inc. Trademarks not belonging to Rockwell Automation are property of their respective companies.

For more information on OEM Solutions from Rockwell Automation visit:

www.rockwellautomation.com/oem

Rockwell Automation OEM Program for Machine and Equipment Builders

As an OEM, you are challenged to differentiate yourself amid global competition and rapidly evolving technology. To effectively compete, you need to define value beyond the cost of your equipment and maximize company performance. Rockwell Automation can help improve your performance with solutions and services to lower the Total Cost to Design, Develop and Deliver℠ equipment and meet your customers’ requirements. As part of the OEM Program, you can expect increased comarketing opportunities, better market planning with our sales force, and improved customer engagement with comanaged objectives.

For more information, visit:

http://www.rockwellautomation.com/go/wmoem

Events Around the World

Rockwell Automation hosts events around the globe to help you learn more about how to use technology as a competitive advantage – to help you get your products and services to market faster, reduce costs, better utilize power and plant-floor assets, and minimize risk in your manufacturing environment.

For a list of events worldwide, visit:

http://www.rockwellautomation.com/rockwellautomation/events/overview.page

Visit the Rockwell Automation Connection Point at Interpack 2014

Hall 06, Booth A61

http://www.rockwellautomation.com/rockwellautomation/events/interpack/overview.page

Save the Date: Interpack 2014

Join more than 166,000 attendees and 2,700 exhibitors from more than 60 countries at this year’s Interpack 2014 trade fair, May 8 – 14 in Düsseldorf, Germany. Visit the Rockwell Automation “Connection Point,” where you can take the first step in learning about leading-edge machine and equipment builder technology.

For more information, visit:

http://www.rockwellautomation.com/rockwellautomation/events/interpack/overview.page