Wednesday, December 14, 2016

Blue Collar and White Collar Security in Manufacturing

I first used these terms in a conversation with a friend of mine who is an internationally recognized expert in security.  We were discussing security in manufacturing and I made the distinction between blue collar and white collar security.  My friend commented it was an interesting way to state the problem.

The more I thought about it, the more it seemed this might be the right model for manufacturing to ultimately think about security.  This is the first blog post on this topic, with more posts expected, but I wanted to lay out the foundation in this post.

At the 100,000' view, just as all towns look the same, all security problems look the same.  With security, the canonical advice is that you must protect data at rest and data in-flight.  Stated another way, if you are moving data it must be encrypted and if you are storing data it must be encrypted.  One might ask, "well, does that about cover everything?"  The answer is no.  The obvious example is when processing is occurring, i.e., data is in memory and not encrypted.  In manufacturing, there are use cases where, because of the age or type of equipment, it is not possible to have the data encrypted all the way to the device.  I will go more into that a little later.

First, let's define blue collar and white collar security in manufacturing.

  • Blue collar security would be those individuals who are either physically on the shop/plant floor or need remote physical access to devices and device data there.
  • White collar security would be those individuals who are in the back office or non-plant floor management.

Large manufacturing plants will likely have an IT person who does system administration, system security, and networking, and basically gets involved with anything that is a computer or needs to talk to the network.  In very large plants, there will be a team that is typically sub-divided in terms of IT responsibilities.

A key point is that the blocking and tackling of system and network security still apply here, but there are domain challenges that also come into play - as you would see in any vertical.

It is interesting that networking companies like to distinguish between Information Technology (IT) security and Operational Technology (OT) security, but this is not the model I am referring to.

Just as a reminder on OT and IT:

Wikipedia defines Operational technology (OT) as "hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise."

Wikipedia defines Information technology (IT) as "the application of computers and internet to store, study, retrieve, transmit, and manipulate data, or information, often in the context of a business or other enterprise."

In these definitions, OT is a subset of IT and is defined primarily at the hardware/software transactional layer versus the blue collar and white collar security which is at the business security layer.

A simple example of the security challenges in manufacturing is the network movement of part programs.  A part program is the low-level G-code that is sent to the machine tool to actually make the part.

How this typically works, when either the part program is too large for the memory of the CNC controller or there is a need for centralization of part programs, is that a Direct/Distributed Numerical Control (DNC) system is used to make life easier for the operators.  Typically, an external computer is connected via RS-232 to the CNC and it is the external computer that feeds (drip feeds) the part program to the CNC.  There is a central server someplace in the plant where the part programs are stored.

That is all fine and good, but then the question becomes, "are these part programs encrypted on the disk of the remote and local systems?", and "are these part programs encrypted when they are moved across the network?"  The answer is typically no.  I bring this up because the attitude is sometimes, "well if it is not encrypted from the computer sitting next to the CNC when it moves over the RS-232 link, then why worry about it in other areas?"
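One way to answer the at-rest question for a part-program store, as an added example that is not part of the original post: the script flags files that are readable G-code and separates them from files whose contents look encrypted. The directory layout, file names and thresholds are assumptions, and the sample files are constructed.

```python
import hashlib, math, re, tempfile
from collections import Counter
from pathlib import Path

# One G-code word: address letter plus number (G01, X-12.5, M30, N10).
WORD = re.compile(rb"[A-Z]\s*[-+]?(?:\d+\.?\d*|\.\d+)")
COMMENT = re.compile(rb"\([^)]*\)")          # operator comments: (ROUGH PASS)

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; ciphertext sits close to 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def is_plaintext_gcode(data: bytes, min_ratio: float = 0.8) -> bool:
    """True when most non-empty lines consist solely of G-code words."""
    lines = [COMMENT.sub(b"", ln).strip() for ln in data.upper().splitlines()]
    lines = [ln for ln in lines if ln and ln != b"%"]   # '%' marks program start/end
    if not lines:
        return False
    clean = sum(1 for ln in lines if not WORD.sub(b"", ln).strip())
    return clean / len(lines) >= min_ratio

def classify(data: bytes) -> str:
    if is_plaintext_gcode(data):
        return "plaintext-gcode"
    if entropy(data) > 7.5:
        return "high-entropy"      # consistent with encrypted or compressed data
    return "unknown"

def audit_store(root: Path, sample: int = 65536) -> dict[str, str]:
    """Classify the first `sample` bytes of every file under a part-program store."""
    return {p.relative_to(root).as_posix(): classify(p.read_bytes()[:sample])
            for p in sorted(root.rglob("*")) if p.is_file()}

def demo() -> dict[str, str]:
    """Build a constructed store in a temporary directory and audit it."""
    gcode = b"%\nO1001 (BRACKET OP10)\nN10 G21 G90\nN20 G00 X0 Y0 Z5.\nN30 G01 Z-1.5 F120\nN40 M30\n%\n"
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))  # stand-in ciphertext
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "cell1").mkdir()
        (root / "cell1" / "bracket.nc").write_bytes(gcode)
        (root / "cell1" / "housing.nc.enc").write_bytes(blob)
        (root / "readme.txt").write_bytes(b"Part programs for cell 1. Ask Bob before editing.\n")
        return audit_store(root)

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:16} {name}")
```

A "high-entropy" verdict only shows the file is not readable text; compressed archives score the same way, so it is a prompt to check how the file was produced, not proof of encryption.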

Going back to the blue collar versus white collar discussion, who should have what access to which files on what systems?  The policies and governance become critically important.  Simple concepts such as network segmentation and DMZs (Demilitarized Zones) could mean the difference between losing your IP and keeping it.

This example further brings out why most people in manufacturing are scared to death of the cloud.  They believe it opens up their plant floor, with all of its security gaps, to the bad guys.

At the [MC]2 2016 conference, I presented with Bryce Barnes of Cisco on the topic, "Manufacturing Cyber-Physical Security".

The “Orange Book” was the bible for computer system security in the 80s, 90s and early 2000s:

  • A — Verified protection
  • B — Mandatory protection
  • C — Discretionary protection
  • D — Minimal protection

The industry needs a Manufacturing Trusted Plant Evaluation Criteria Standard.

The summary point of this first post on Blue Collar and White Collar Security in Manufacturing is that while the challenges are complex and cannot be adequately defined at 100,000', deciding to not digitize your plant or shop is not an option if you want to stay in business.  This is why thinking about your plant from the blue-collar and white-collar perspective might be the conversation to have regarding your plant's security.
