IEN: Describe the major security concerns facing industry. How can they be addressed?
Ryan: Terrorist attacks, food scares, and computer hackers have all contributed to raising awareness of the ability of outside forces to cause havoc with day-to-day business.
Security has been identified within market studies as being a number one priority for manufacturers. They recognize that the potential cost of unanticipated security breaches can be in the millions of dollars. New regulatory requirements -- such as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA), 21 CFR Part 11, and the Bio-Terrorism Act -- are further driving companies to protect against the loss of intellectual property as well as liability associated with the compromise of individual and/or corporate confidential information.
The plant floor has not typically been a target of security breaches. However, the threat to plant floor automation coming under attack increases as control systems become more open and Ethernet becomes prevalent on the plant floor and in the process control system architecture. Even though plant floor security is now high on a lot of companies' radar screens, the corresponding investment is still relatively low.
IEN: Where are strides being made: In risk management? Integrated systems design? Emergency response? Hazard controls? Computer security? Elsewhere?
Ryan: Rockwell Automation recognizes the risks to manufacturing should either an employee or an outside attacker decide to tamper with a plant floor control system. It is taking a number of steps to help its customers better protect themselves from such attacks by:
- proactively supporting security standards, particularly ISA SP99
- implementing security measures within the products and solutions it offers
- testing all EtherNet/IP products to minimize vulnerabilities
- collaborating with IT security specialist companies such as Cisco to leverage off their expertise in this area
- gathering and publishing network architecture and security "best practices."
IEN: How significant a role will the web play in security? Wireless? Why?
Ryan: In the future, look for a security infrastructure that supports central administration of users and users' rights -- i.e., enable end users to clearly define "who can carry out what operations, on which secured resource, from where and at what time."
To support unique product needs, the infrastructure must be scalable across the range of automation needs, from I/O devices to HMI and everything in between.
IEN: How can companies integrate security technologies with manufacturing operations?
Ryan: Rockwell Automation suggests that access to the plant floor network should be limited to those with a real need and that only network traffic that is really required should be allowed. One important step toward achieving a secure environment is to create an "Inner Defense Perimeter" to logically separate the Enterprise network (intranet) from the manufacturing floor network, recognizing that intrusions/disruptions may come from inside or outside the enterprise:
- Utilize traditional IT network devices configured to meet plant floor data access requirements and managed by plant floor personnel.
- Implement plant floor network security processes, policies, and procedures.
- Implement strict plant floor user "Authentication and Authorization" (like RS Security Server) for secure access to automation devices.
- Implement a "business continuity and recovery program" (RSMACC).
- Implement strict controls on plant floor workstations. Minimize both the loading of unnecessary office tools and the ability to move portable PCs inside and outside the plant floor environment.
- Support automatic program backup, verification and recovery, audit trail, event logs, etc.