Monday, March 9, 2009

Control System - ERP Integration has been one of the few industry sites that has been a vociferous and informed proponent for control system security measures. With this in mind, I was totally flabbergasted when they posted a series of articles (Make Business Case First, Clearing the Integration Hurdles, and Middleware Melds Manufacturing Info) recently on the integration of process control systems and ERP and only one of the articles even mentioned (one brief sentence) the security implications of such integration.

Integration Provides Avenues of Attack

In the ‘old days’ electronic process-control systems were stand-alone systems with no connections outside of the production facility. This made hacking these systems difficult because the potential system intruder also had to physically enter the facility. Since system hacking is usually a time-intensive operation, these control systems were essentially protected against all but insider attacks.

The integration of control systems with business IT systems has all but eliminated that protection. Dedicated high-speed data lines between corporate and manufacturing facilities have provided physical points of attack on control systems outside of the physical protection of corporate or facility security. The connection of the business systems to the internet has provided numerous gateways for purely electronic attacks on both the business IT and manufacturing control systems. Control-system security has become virtually nonexistent at many high-risk chemical facilities.

System Integration is Inevitable

For many of the reasons outlined in these articles, it looks like the integration of ERP and control systems is going to continue. The increased variability and volatility of energy and raw materials combined with shrinking margins means that company survival is more dependent than ever on accurate information and data integration back into the manufacturing sector.

The increased business efficiency requirements can only be satisfied by integration of ERP and process control systems. The need to protect these systems from outside attack increases for the same reason. Process development can be effectively bootstrapped by stealing process control data from competitors. This means that there is an economic incentive for process control data theft. A less advanced competitor could use process sabotage to counter a production advantage. The increased awareness of production facilities as potential extortion targets provides a criminal incentive for system penetration. Finally, the use of a process control system at a high-risk chemical facility as the method for executing an attack cannot be ignored.

Security Integration Should be Addressed

Any discussion of system integration in a publication like Control should also provide a significant discussion of the problems of integrating the security procedures of process control and ERP systems. Straightforward adoption of IT security systems like automated software updates and anti-virus protocols will cripple industrial control systems. IT security personnel would never consider doing intensive off-line testing of software updates on their business systems prior to loading them onto their ERP system.

Given the extensive work being done by Joe Weiss as a strong advocate for security standards for industrial control systems, I was surprised and upset that this critical issue was essentially ignored in these three articles. I understand that the articles were not written by staffers, but the editor should have insisted that authors at least briefly address the control system security issue. Also, I would have liked to see an authoritative article on the security issues included in the series.

1 comment:

Anonymous said...

Knowing the principle of system integration and automation helps us understand better the use of it.

