Wednesday, August 14, 2013

Manufacturing Authentication and Authorization

By: Dave Edstrom
"On the Internet, nobody knows you're a dog." That’s the caption on a classic cartoon that was created by Peter Steiner and published 20 years ago by The New Yorker. This cartoon has one dog sitting on a chair and typing on a computer while speaking to a second dog that is sitting on the floor. Besides its humor, it also perfectly summarizes the problem with computer security. Specifically, how do you know a person is really who they say they are, and what exactly is that person allowed to do?
In the world of security, this is called authentication and authorization, which are two of the key pillars upon which applications and data depend for safe operations. Think this is just for computer geeks to know? Think again. Security in manufacturing is everyone’s job.
As a shop owner, or plant manager, there are two basics questions that you should ask:
  • Who and what have access to which systems in our plant?
  • Of these individuals and entities that have access to our plant, what are they allowed and notallowed to access and do?
If you or someone in your plant cannot answer these questions immediately, then your security measures could best be described as “crossing your fingers and hoping for the best.” This type of response is typically not a good idea in business. Those two questions fall into the high-level categories of computer security known as authentication and authorization.
Authentication is verifying that an entity (human or system) is who it really says it is, and authorization is what that entity is allowed to do. In the June 2013 edition of IMTS Insider, I wrote about cyber security and manufacturing, and in the July 2013 edition, I wrote about manufacturing passwords. In this round we will take a look at how authentication and authorization work together in manufacturing systems. Authorization is what these entities (human or system) are allowed to do and not do ¬¬¬¬ once you have verified their identities.
There is a misconception that if an individual has ‘password’ or the name of their pet as their password, that it only affects them and their account. The problem with this thinking is that it just takes one open account for the bad guys to get into your system. If you read about computer security break-ins, the scenario is typically the bad guys find a known vulnerability in the system and take advantage of it.
Instead of including a number of long paragraphs on authentication and authorization, I thought it might make more sense to first include a series of questions that should be answered. These are just a few and certainly not an exhaustive list:
  • Do you know everyone who has access to your systems?
  • What are your onboarding security procedures?
  • If an employee leaves, how quickly are they removed from all your systems? This can be a real issue. If you fire a poor performing employee and it takes two weeks to get them out of your system, that’s likely not a good scenario.
  • Is the access just a login name and a password, or is it multiple factor? In other words, if someone steals an employee’s login and password, can they get into your shop or plant, or do you have multiple-factor authentication in place? See my previous article in July 2013 on this topic.
  • Do employees have access remotely?
  • Are your passwords safe? In other words, how easily can the password be guessed or cracked by an intruder? How do you know? Have you run a password-guessing program on your system?
  • What systems have access to what other systems? If someone in the front office leaves his or her system open, could someone get access to the plant or shop floor?
  • Do you have a security firewall in place? Have you run a penetration test on your plant?
  • When employees login remotely, is there a requirement for the security on those machines?
  • Remember, a company’s biggest security holes are always people. If you change your passwords too often and the requirements are too severe, then employees start writing their passwords down and put them in a desk drawer. Or even better, they put a sticky note on their monitor. Take one guess how people find other employees’ passwords?
  • Do you provide access to your suppliers?
  • How does your company protect itself and its employees from viruses, worms, spyware, malware and the plethora of bad software that wants to infect, take over and do havoc on systems?
  • Who has access to equipment on the shop floor?
  • Do you have a network monitoring system?
  • Do you have log files on who is coming and going electronically? Is there a reason an employee should be logging in at 11:30pm on a Friday night?
  • Do you have a remote monitoring system? How is that secured? Is everything encrypted?
  • Do you keep all of your operating system updates current? How about your applications or plugins?
  • If you use Java, is that current? Do you keep older versions of Java around when you don’t need to?
  • Do you have an access control list?
  • How are security policies defined?
  • Is file sharing enabled? How is security handled?
  • Is your Wi-Fi wide open with no security? What security are you using for Wi-Fi? Some systems are easily breakable.
  • When was the last time you spoke to your employees about plant cyber security?
  • If your system was compromised with a security breach, what would you do?
  • Do you have a backup in the cloud if all your systems and the backups were compromised?
  • Most importantly, who is responsible for your shop or plant’s security?
You need to be as serious as a heart attack about protecting your plant or shop’s computer security. If you think you’re too busy to worry about security, then pay someone to come in and do a security assessment.
The only way you can be absolutely sure that you are safe when it comes to cyber security is to not use anything that has a processor or a connection. Unfortunately, that’s not an option for most manufacturers on this planet.
Think about security the same way the Secret Service thinks about protecting the President of the United States – a series of layers with multiple contingency plans. The great folks at the Secret Service ask a couple of simple but very difficult questions:
  • Can we protect the President in this physical location? If the answer is yes, then a detailed plan is put together on how.
  • Second: If something bad happens with the president here, can we secure the area, or do we have to get the President out of here immediately? If the answer is to get out, then a series of options are exercised to determine where and how.
Since abandoning your shop or plant on a cyber security breach is a non-option, then careful planning is your only real course of action. Maybe there needs to be a cartoon showing bots flying around the shop floor on networking cables, stealing parts programs and with the caption, “why do we need to create new designs, when we can just as easily steal them?”
The sad part is that this scenario is real today and it is certainly not funny. Just as protecting the President of the United States is not 100% risk free; neither is protecting your shop or plant from a security breach. The key is to plan with experts, constantly monitor and then continue to update your plans.
Next month, I will continue my series in the IMTS Insider on manufacturing cyber security by discussing Manufacturing Encryption. Just as a reminder, I am just touching on the absolute tip of the iceberg in these series of articles, so if you are not sure about your security practices, please hire a security consultant. Please keep your comments and suggestions coming!

You can place a question here by simply hitting the comment button!