Who is the security guardian of the plant floor?

What do Buzz Lightyear and more than a few chief information officers (CIOs) of manufacturing companies have in common? The animated character from the movie Toy Story thinks he’s a real space ranger, but he’s a toy. He’s delusional. Likewise, many CIOs delude themselves by believing that they are fully aware of the information flowing in and out of the enterprise through the plant floor.

In the old days (circa 1995, and before Pixar’s hit movie Toy Story was released), there was little integration of technology between the concrete floor of the factory and the carpeted floor of the corporate office. In the past 20 years, both machine makers and equipment owners have sought to capture, store, analyze, and act on data originating on the plant floor. Historically, each machine provided an important function or task yet was often isolated from other machinery, unable to share data. At the same time in corporate offices, desktops and laptops were being connected to servers, many for the first time, and the CIO title was starting to appear. Local area networks brought email, file sharing, and, before long, the problems of malware and other cybersecurity threats. Focused on these types of networks, CIOs rarely thought about the factory floor. While plants had fieldbus and control networks, they weren’t connected to corporate information systems. Security was assumed because of network isolation, making the plant an “air-gapped” environment.

Later, M2M (machine-to-machine) communication started to take off. Machine makers wanted to get reliable diagnostics information from equipment they had installed at their customers’ manufacturing facilities. They also wanted to provide remote support and configuration to minimize response times and costs. Suddenly, many machine makers were installing cellular modules in machines to provide this remote capability. Similarly, machine owners wanted to connect machines on the plant floor to MES (manufacturing execution system) and ERP (enterprise resource planning) applications, in much the same way that desktops and laptops had been connected to email and file sharing two decades earlier. Slowly, machines began to connect to a plant network that was not just used for machine control, but also for information exchange.

Vendors wanted to either bypass enterprise networks or punch special holes in firewalls to get remote access to diagnostics and configuration data. Business people wanted to feed production data directly into business systems to improve operational awareness and decision-making. Typically, there was no over-arching view of what information was flowing where and whether all these new connections were creating attack vectors for cyber criminals.

Controlling what information flows between OT (operations technology) and IT (information technology) networks is critical. Within the enterprise, the flow of information is necessary to maximize productivity and customer satisfaction. Externally, supply chain partners need the right information to maximize efficiency and reduce unnecessary costs, and customers want visibility into what they are buying. Yet to protect a company’s intellectual property and proprietary manufacturing know-how, those partners and customers must get only the information they need, and only when they need it.

Far too many companies think about their OT and IT infrastructure as two completely different worlds. Indeed, I’ve had meetings with enterprise clients where people from OT and IT organizations were introducing themselves to each other, never previously having had a reason or opportunity to meet.

Industrie 4.0 and the Industrial Internet of Things (IIoT) are radically changing that approach to the “two solitudes” of OT and IT. Today we expect full operational awareness, and thus we need to harvest all the untapped information locked within industrial equipment and other industrial data sources. Increasingly, OT and IT organizations need to work together, while respecting the value each provides to both facilitating and protecting the business.

For example, allowing vendors to establish encrypted VPN (virtual private network) tunnels to individual pieces of equipment may help an OT organization get a machine diagnosed or repaired, or a manufacturing line up and running again, quickly. But if IT has no visibility into that encrypted tunnel, it has no way to monitor what the vendor is retrieving from the machine. Likewise, IT may want to retrieve information from an industrial system resident on the manufacturing floor to feed into a corporate application. However, most industrial equipment can’t be configured and managed using the same tools that IT uses for desktops and servers, and any attempt to do so could interfere with proper operations on the manufacturing floor.

The best approach allows OT to continue to work with the equipment and protocols that serve the needs of manufacturing while also enabling IT to fully manage and configure the interface between the IT and OT networks. OT networks can continue to be isolated and protected, with a secure, transparent, manageable interface to IT networks and authorized systems.

For example, consider a machine manufacturer looking to provide customers with better response times to equipment issues through remote diagnostics and configuration. Typical approaches require an encrypted tunnel into the customer’s location, the use of a special gateway, and the approval of the local IT organization each time a connection is made. Those methods work, but are inconvenient, require too much manual intervention, and leave IT personnel with no visibility into what’s going on over a part of their network. That is an ill-advised approach.

A better alternative would be an interface to the equipment requiring no inbound ports on the customer’s OT or IT networks, with predefined network telegrams that could be inspected and filtered by IT routers and firewalls. This could be further secured by integrating identification and authentication methods into the customer’s existing IT infrastructure.

Such alternatives are possible today using off-the-shelf products that relay information between OT and IT networks in a normalized form via standard protocols. Encryption allows monitoring of information inside the organization and protection outside the organization. To make this happen, OT and IT organizations must work together to lay out clear requirements about what information is relayed between networks, what company IP and other confidential information can be shared, and how authorization is granted and controlled. It is also important to decide where data can be processed and stored (on the plant floor; in an IT data center; in public, private, or hybrid cloud systems; or in supply chain partners’ systems).
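As an added illustration of the "predefined telegrams" idea above (example code written for this post, not C-Labs software or any product's API), the following relay policy accepts only telegram types that OT and IT have agreed on in advance, strips any field outside the agreed schema so plant know-how stays on the floor, and produces an audit line for every message so IT keeps visibility. Telegram types, field names and sample messages are all constructed assumptions.

```python
import json

# Constructed relay policy (an assumption for this example, not from the post):
# the predefined telegram types OT may forward to IT, and the fields each one
# may carry. Anything outside this table stays on the plant floor.
ALLOWED_TELEGRAMS = {
    "machine_status": {"machine_id", "state", "timestamp"},
    "diagnostic": {"machine_id", "fault_code", "timestamp"},
}


def filter_telegram(raw):
    """Inspect one JSON telegram arriving from the OT side.

    Returns (forwarded, audit): forwarded is the sanitized telegram to relay
    to IT, or None if it is dropped; audit is a line for the IT-side log so
    both organizations can see exactly what crossed the boundary.
    """
    try:
        msg = json.loads(raw)
    except json.JSONDecodeError:
        return None, "drop: malformed JSON"
    if not isinstance(msg, dict) or "type" not in msg:
        return None, "drop: no telegram type"
    ttype = msg["type"]
    if ttype not in ALLOWED_TELEGRAMS:
        return None, f"drop: undefined telegram type {ttype!r}"
    allowed = ALLOWED_TELEGRAMS[ttype]
    missing = allowed - set(msg)
    if missing:
        return None, f"drop: {ttype} missing {sorted(missing)}"
    # Fields outside the predefined schema (recipes, setpoints, operator data,
    # anything not explicitly approved for sharing) are stripped, not relayed.
    stripped = sorted(k for k in msg if k != "type" and k not in allowed)
    forwarded = {"type": ttype, **{k: msg[k] for k in allowed}}
    audit = f"forward: {ttype}" + (f" (stripped {stripped})" if stripped else "")
    return forwarded, audit


def relay(lines):
    """Apply the policy to a batch of telegrams; returns (forwarded, audit_log)."""
    forwarded, log = [], []
    for raw in lines:
        msg, audit = filter_telegram(raw)
        log.append(audit)
        if msg is not None:
            forwarded.append(msg)
    return forwarded, log


# Constructed sample telegrams, as an OT gateway might emit them.
SAMPLE = [
    '{"type":"machine_status","machine_id":"press-07","state":"running","timestamp":1700000000}',
    '{"type":"diagnostic","machine_id":"press-07","fault_code":"E42","timestamp":1700000005,"recipe":"alloy-x-v3"}',
    '{"type":"firmware_read","machine_id":"press-07","path":"/flash/config"}',
    "not json",
]
```

Running `relay(SAMPLE)` forwards the first two telegrams (with the `recipe` field removed from the second) and drops the undefined type and the malformed line, each with an audit entry.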

Unfortunately, in many cases decisions about sharing data with vendors, customers, application providers and others are being made at the plant level without the knowledge or involvement of IT, or with IT only as an afterthought. That decision-making process leads to sub-optimal solutions. Consider the automotive manufacturer that was prepared to allow almost anything during the pilot phase of a recent industrial IoT (Internet of Things) project. The team claimed that if the pilot was successful then security would be implemented for the production deployment, following strict IT requirements. That strategy should be strongly discouraged, because it undermines the very reason for doing a pilot in the first place. Such a pilot might prove an application performs as expected, but it provides no information as to whether it can be securely–and therefore successfully–deployed in production. Turning a blind eye to security considerations during a pilot is an invitation to be attacked. There’s no code of honor among cyber attackers whereby they don’t attack pilot projects! Attackers will look for any vulnerability, anywhere, at any time.

CIOs need to quickly recognize that they will be responsible for all information flowing in and out of their organization, regardless of the source. CIOs are the security guardians of the plant floor. Finding a suitable relay between OT and IT systems and between OT systems and external organizations is critical to securing corporate information while enabling the benefits and new business value to be gained from Industrie 4.0 and IIoT. Or as Buzz Lightyear might say, securely connecting OT and IT systems will allow enterprises to go “To Infinity…and Beyond!” And that’s no delusion.

About your Guest Blogger: John Traynor is Vice-President and Chief Operating Officer at C-Labs Corporation. C-Labs Factory-Relay software provides live access to industrial equipment and IoT data without side-stepping enterprise IT security. John has more than 25 years of experience in software, mobility, and embedded systems, at Microsoft, Palm, Bsquare, and other firms in the US and internationally. He received his MBA from York University in Toronto, Canada.