iPhones Are Coming to the Plant Floor – Can we Secure Them?

Wednesday, February 20, 2013

Eric Byres


Browsing industry newsletters, I noticed that Automation World had two related stories on new technologies:

Industry Interrupted: Tablets and Smart Phones Poised to Make a Big Impact

Industrial Networking Desires Revealed

Both articles indirectly point to an issue that industry needs to come to terms with quickly if we are ever going to make our plant floors secure.

The BYOD Iceberg?

Let’s start with the Tablets and Smart Phones story. It is about the issue of mobile devices, especially personal mobile devices, showing up on the plant floor. Never going to happen, you say? I wouldn’t be so sure.

First, a definition. The topic of personal mobile devices is referred to in the corporate IT world as “Bring Your Own Device” or BYOD. If you haven’t heard of BYOD, Wikipedia defines it as:

Bring your own device (BYOD) is a business policy of employees bringing personally owned mobile devices to their place of work and using those devices to access privileged company resources.

A common example is using your personal iPhone to access your company’s email system. And as I will explain later, the iPhone is only the tip of the iceberg. The whole BYOD phenomenon is a major concern throughout the corporate world.

Like icebergs, mobile technology has become an unstoppable force of nature. It has invaded the corporate office – is the plant floor the next frontier?

The iceberg is a good metaphor for the onslaught of this technology. When dealing with an iceberg, pushing against it or ignoring it generally aren’t effective options. It is bigger than you are and will go where it wants. The best you can do is to try to manage it.

Bring Your Own Devices to the Plant Floor?

Most IT departments are beginning to accept the inevitability of BYOD. According to a recent study, the majority of companies surveyed said they are now adapting their IT infrastructure to accommodate employees’ personal devices, rather than restricting employee use of personal devices.

“Dear Mom, Today is my first day programming the filling line.”

What about the plant floor? Will tablets soon be standard equipment in the refinery? Or will they be banned from moving outside the corporate office? The first sentence of the Tablets and Smart Phones article says it all:

Industrial IT teams are likely to rail against the use of mobile devices, but many equipment makers feel they are fighting against the tide to ignore them. Productivity will ultimately determine which side will win.

#1 on the Engineer’s Wish List?

Next, read the Industrial Networking Desires Revealed article. You will notice that when engineers are asked to identify their unfulfilled industrial networking desires, the #1 item is: “Connecting to the factory with a smart phone”.

I have discussed in past blogs that in any war between security and productivity, security will lose. The situation is no different here. Smart phones are coming to the plant floor. The only question is “Will we adapt to this new world in a secure way or will it be another source of insecurity”?

What is a Mobile Device Anyway?

One option for the mobile device question is to just ban them outright. There are cases when this might be appropriate (explosive environments, for example), but outright bans rarely work the way people want them to. One reason is that we tend to see technology only in terms of what is available or popular today. This results in narrow definitions of a specific technology that let other technologies slip through. For example, an iPhone is clearly a mobile device, but what about a personal USB keyboard or mouse that an employee brings in, perhaps for health reasons? (If you don’t think that a mouse can be a security issue, then see: Hackers pierce network with jerry-rigged mouse.)

Sometimes a “mobile device” isn’t even a device at all. Consider a CD that contains a Stuxnet-infected S7 ladder logic file. Or an automated forklift that moves from site to site. At the extreme end, many people know we have been working with Boeing for the past few years – they have large mobile devices called 787s. What is important to remember is mobile devices can range from a CD with what appears to be an innocent document file, to the obvious iPhone, right up to entire mobile platforms.

Managing Smart Mobile Devices Smartly!

The only way to address this range of evolving “mobile” technology is to use the Zone and Conduit concepts promoted in the ISA/IEC 62443 standards. Properly done, zone and conduit security results in operational requirements that define a security process, rather than proscriptive requirements like “Mobile devices should not be used on the plant floor”. Restricting devices seems simple and comforting, but a rule that narrow and inflexible encourages inventive staff to find ways around it so they can do their jobs.

Recently I talked to a customer with a very innovative way to manage Wi-Fi-capable mobile devices on his factory floor. Instead of banning wireless technologies (something that is hard to enforce if you have a lot of contractors), he installed Wi-Fi access points throughout the manufacturing areas. Then he routed all the access points into a “Captive Portal” – one of those locked-down web pages you run into in hotels and airports.

This Captive Portal strategy had multiple benefits. First, he immediately had a record of who was trying to use Wi-Fi in his factory. Second, by forcing all employees and contractors to log in, he could track exactly what they were doing and when. Third, based on each user’s login credentials, he could restrict network access to specific systems in his factory. For example, a contractor working on the Finishing Line could be restricted to seeing only the Finishing Line PLCs. And finally, by using deep packet inspection, he could force the contractors into a view-only mode by blocking all PLC write and programming commands. Note that the portal authenticates the person, not the device; it is the deep packet inspection step that keeps a compromised phone or laptop from writing to a PLC once its owner has logged in.
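As an added illustration (this is not the customer’s setup and not Tofino product code), here is a small Python model of that view-only enforcement: a captive-portal role maps to a zone of PLC addresses plus a write permission, and each Modbus/TCP request from the client is parsed and allowed only if it is a read function code, or a write from a role that is permitted to write. Role names, IP addresses and the frames are constructed for the example; treating the diagnostic and encapsulated-interface function codes (0x08, 0x2B) as engineering-level is a policy choice made here, not something the Modbus specification says.

```python
"""
Added example: per-role Modbus/TCP request filter (read-only vs. write).
Not Tofino's implementation; roles, PLC addresses and frames are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Public Modbus function codes, grouped by their effect on the PLC.
READ_FUNCTIONS = {0x01, 0x02, 0x03, 0x04, 0x07, 0x11}    # coils, inputs, registers, exception status, server ID
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}   # single/multiple coil and register writes, mask write, read/write
ENGINEERING_FUNCTIONS = {0x08, 0x2B}                      # diagnostics, encapsulated interface transport
# Policy choice for this example: engineering codes are treated exactly like writes.


@dataclass(frozen=True)
class Rule:
    allowed_plcs: FrozenSet[str]   # PLC IPs this login may reach (its zone)
    allow_writes: bool             # False = view-only


# Constructed policy keyed by the role the captive-portal login resolves to.
POLICY: Dict[str, Rule] = {
    "contractor_finishing": Rule(frozenset({"10.1.20.11", "10.1.20.12"}), allow_writes=False),
    "plant_engineer": Rule(frozenset({"10.1.20.11", "10.1.20.12", "10.1.30.5"}), allow_writes=True),
}


def build_request(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Build a Modbus/TCP ADU: MBAP header (tid, protocol 0, length, unit id) followed by the PDU."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu   # length counts unit id + PDU


def parse_request(adu: bytes) -> Tuple[int, int, int]:
    """Return (transaction_id, unit_id, function_code); raise ValueError for malformed frames."""
    if len(adu) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", adu[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(adu) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return tid, unit, adu[7]


def decide(role: str, dst_ip: str, adu: bytes) -> Tuple[str, str]:
    """Return ('ALLOW' or 'DROP', reason) for one client-to-PLC request. Anything unrecognised is dropped."""
    rule = POLICY.get(role)
    if rule is None:
        return "DROP", "unknown role"
    if dst_ip not in rule.allowed_plcs:
        return "DROP", "PLC %s is outside this role's zone" % dst_ip
    try:
        _, _, fc = parse_request(adu)
    except ValueError as err:
        return "DROP", "malformed frame: %s" % err
    if fc in READ_FUNCTIONS:
        return "ALLOW", "read, fc=0x%02X" % fc
    if fc in WRITE_FUNCTIONS or fc in ENGINEERING_FUNCTIONS:
        if rule.allow_writes:
            return "ALLOW", "write/engineering, fc=0x%02X, role may write" % fc
        return "DROP", "write/engineering fc=0x%02X blocked for view-only role" % fc
    return "DROP", "fc=0x%02X is not on the allow list" % fc


def audit(events: List[Tuple[str, str, bytes]]) -> List[Tuple[str, str, str, str]]:
    """Apply the policy to (role, dst_ip, adu) tuples and return an audit log of (role, dst, verdict, reason)."""
    return [(role, dst, *decide(role, dst, adu)) for role, dst, adu in events]


# Constructed requests, all addressed to unit id 1.
READ_HOLDING = build_request(1, 1, 0x03, struct.pack(">HH", 0x0000, 10))                      # read 10 holding registers
WRITE_SINGLE = build_request(2, 1, 0x06, struct.pack(">HH", 0x0010, 0x00FF))                  # write register 16
WRITE_MULTI = build_request(3, 1, 0x10, struct.pack(">HHB", 0x0000, 1, 2) + b"\x00\x01")      # write 1 register
TRUNCATED = READ_HOLDING[:5]                                                                   # cut-off frame

if __name__ == "__main__":
    for row in audit([
        ("contractor_finishing", "10.1.20.11", READ_HOLDING),
        ("contractor_finishing", "10.1.20.11", WRITE_SINGLE),
        ("contractor_finishing", "10.1.30.5", READ_HOLDING),
        ("plant_engineer", "10.1.30.5", WRITE_MULTI),
        ("contractor_finishing", "10.1.20.12", TRUNCATED),
    ]):
        print(*row)
```

The default verdict is DROP, so a function code that is not explicitly classified (including exception responses with the high bit set, or vendor-specific codes) never reaches the PLC from a view-only login; a real inline filter would need the same treatment for the other protocols on the wire (S7, EtherNet/IP) and must reassemble TCP so that a write cannot be smuggled across segment boundaries.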

Who Knows What Tomorrow’s Mobile Device Will Look Like?

Information technologies are changing constantly. Trying to manage them with proscriptive rules is a hopeless task, because we can never keep up. Instead we need to work from general principles. The definition of a mobile device, for example, can be expanded from specific technologies (such as cell phones) to one based on general functionality. One proposed definition is “non-fixed location digital information storage or processing devices”. That covers basically anything that can contain an electronic 1 or 0 and isn’t bolted down.

Once we have our definitions set, we can move on to determining what actions we want to manage. The captive portal example showed how all Wi-Fi devices (rather than subsets like laptops or iPads) can be managed in a uniform manner. If we stick to those principles, I believe we can have mobile devices and security at the same time.

What is your company doing about mobile devices on the plant floor? Does it have a strategy?

Cross Posted From The Tofino Security Blog
