Network Security in Food Manufacturing


Food manufacturers are reaping benefits from the convergence of operations and information technology – through increased yields and deeper, real-time insight into KPIs. They're moving into a bright manufacturing future.

No longer is information collected with pen and paper, limiting the data set.

No longer does someone enter values into a spreadsheet from handwritten notes, risking incorrectly entered values.

And no longer is data analyzed that's already hours or even days old, because by this time it is ancient history.

Instead, they're imagining the possibility of real-time, contextual data available at their fingertips. They're imagining The Connected Enterprise.

And none of it can be achieved with islands of automation, without a communications infrastructure for information sharing.

In other words: EtherNet/IP™ technology. Whatever your goals are for The Connected Enterprise, they begin with a network infrastructure that is transparent to its users, secure from threats and capable of real-time delivery of information.

But providing access to information changes the threat landscape for food manufacturers.

This territory is shaped by malicious hackers, as well as virtuous employees who are all too often unfamiliar with the impact of their seemingly everyday actions.

Dangers range from product contamination to loss of intellectual property.

Make no mistake: Open, accessible information is a necessary risk for the future of manufacturing.

Today, you can quickly track and analyze the source of raw ingredients in a finished product, batch or lot.

You can understand the conditions under which each product was created and know its final destination. You can have your cake, know where its flour came from, identify if it contains allergens, AND eat it too!

We can do this with confidence because there are ways to minimize security risks, protecting the recipe and protecting your brand.

However, the approach to mitigating security risks in a converged plantwide network must be holistic and multilayered, evaluating both external and internal threats.

Protected Environments Spur Innovation

Network security can seem complex. Scratch that. Network security IS complex. But, looking at it through the lens of a hypothetical food manufacturer can better explain some important concepts.

Let's look, for instance, at a hypothetical cookie manufacturer wanting to move from a manual way of measuring ingredients, configuring equipment and reporting on production, to an automated system that can be accessed remotely using EtherNet/IP technology.

After performing an audit of the facility, our manufacturer has discovered the first two opportunities to enhance security.

First, not all employees need the same physical access to production servers and clients. Second, employees outside of the plant will need to be authenticated and authorized to keep out malicious individuals.

Our cookie manufacturer has learned that implementing EtherNet/IP technology will cause employees to interact with equipment in unfamiliar ways.

Everyone knows the USB port, for instance, but a USB port on an HMI server or client, while seemingly mundane, requires rules for how it should be used.

What security risk is there in a USB port? On occasion, malicious individuals have left thumb drives outside of food manufacturing plants.

The thumb drive appears harmless to whoever finds it, until a virus or spyware has been downloaded onto the network that communicates information directly between the manufacturing and enterprise networks.

That's intellectual property up for the taking, enabling a competitor to shortcut R&D investments.

And it is not just thumb drives. Often USB ports are viewed as charging stations for phones, music players, etc. Our virtuous employee is unaware that these devices can transport viruses and spyware.

That's why it's important to limit physical access to devices, machines and control rooms to authorized personnel. For example, a lockout/tagout device will help prevent unauthorized access to open ports such as USB.

Because our cookie manufacturer wants to be unhindered in refining and learning from the newly automated process, they want employees to view information from anywhere, anytime.

Managers can check on a batch schedule, material usage and similar items. Maintenance can troubleshoot operational deviations from anywhere off-site.

But providing access to employees outside the plant, or even on tablets from anywhere within, means potentially opening up access to a malicious individual also trying to access the network remotely.

What our manufacturer has begun to discover is the importance of network security technology.

In this case, that means authentication solutions that restrict remote access to a controller based on the level of authorization a user has, even completely restricting certain users and providing read-only access to others.

The point here is to permit or block someone from logging on to the network by granting access only to specified users, sources, destinations and protocols.
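As an added illustration (not from the original post or from Rockwell Automation), the permit-or-block decision described above can be sketched as a default-deny check over users, sources, destinations and protocols, with read-only and read-write levels. The user names, roles, addresses and protocol labels are hypothetical.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    role: str
    source: str       # CIDR the request must originate from
    destination: str  # CIDR of the asset being reached
    protocol: str     # protocol label the rule applies to
    access: str       # "read-only" or "read-write"


# Constructed sample data: every user, role, address and label is hypothetical.
USER_ROLES = {"maint_anna": "maintenance", "mgr_bob": "manager", "temp_carl": None}
RULES = [
    # Maintenance may reach the controller subnet over the control protocol.
    Rule("maintenance", "10.20.0.0/24", "192.168.10.0/24", "enip", "read-write"),
    # Managers may only view the reporting server, never a controller.
    Rule("manager", "10.20.0.0/24", "192.168.50.10/32", "https", "read-only"),
]


def decide(user, src_ip, dst_ip, protocol, wants_write=False):
    """Return (allowed, reason). Anything not explicitly permitted is blocked."""
    role = USER_ROLES.get(user)
    if role is None:
        # Unknown users and users with no role are completely restricted.
        return False, "user not authorized for remote access"
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in RULES:
        if (rule.role == role
                and src in ipaddress.ip_network(rule.source)
                and dst in ipaddress.ip_network(rule.destination)
                and rule.protocol == protocol):
            if wants_write and rule.access != "read-write":
                return False, "read-only access: write blocked"
            return True, f"permitted ({rule.access})"
    return False, "no matching rule: default deny"
```
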

The lesson: protect the physical layer, authenticate and authorize users, and use the appropriate solutions resulting from the initial review of the facility.

Safety in a Complex World

Of course our hypothetical cookie manufacturer lives in a simpler world than our own.

Manufacturers have different types of technology deployed in their plants, and will need to think about security in terms of the devices and applications actually used.

How? A logical topology of the plant should take into consideration each zone from the cell/area zone to the enterprise zone.

When connected to an enterprise business system, consider an industrial demilitarized zone that secures sharing between the plant and the larger organization.

Luckily for food manufacturers in the real world, best practices exist to help navigate the secure deployment of EtherNet/IP technology.

To learn more about what you need for a secure industrial network, check out the Design Considerations for Securing Industrial Automation and Control System Networks and the Industrial IP Advantage e-learning series.

EtherNet/IP is a trademark of ODVA Inc.

Posted September 12, 2016 By Scott Johnston, Principal Consultant, Network and Security Services, Rockwell Automation