Modern integrated circuits (ICs) have brought tremendous amounts of processing power into very small and low-cost systems that are available to designers of automation, control, and monitoring systems. Powerful, low-power ARM processors are extremely inexpensive, and highly integrated FPGAs even have ARM processors and network controllers built into them. Often, these systems are using off-the-shelf operating systems to speed development time and provide powerful features. The widespread availability of both wired and wireless network connectivity provides tremendous benefits in industrial environments such as centralized configuration, control, and monitoring of systems spread over a wide physical area.
For all its benefits, the proliferation of inexpensive 32-bit controllers along with the availability of simple network connectivity brings with it a considerable risk in the area of information security. Company IT departments have long experienced fighting electronic attacks on servers and desktop computers, but very little has been done in the way of protecting embedded and controls systems. Recent discoveries of the Stuxnet and Flame malwares revealed that even Programmable Logic Controllers (PLCs) can be targets for malicious code.
In controls systems and automated testing, often the same setups can be used for many years with no changes (especially when changes could require re-verification of tests or processes), thus magnifying the potential vulnerability timespan. Unlike in the IT environment, where patches are a regular part of operation, firmware updates and security patches for embedded systems are infrequent and spotty at best. Now, PLCs, CNC machines, robotic arms, test equipment, instrumentation, and more are becoming network connected. Many of these systems are running embedded versions of desktop operating systems. A good IT department would not allow workstations to run for 5 years without security patches, yet a machine controller or test stand may sit with no updates for easily twice that length of time!
Protection of these systems requires a “security in depth” approach for the designer, integrator, and user. The original vendors of PLCs and instruments need to take defensive programming and regular updates seriously. Integrators and users need to evaluate the need for network connectivity for these systems and only provide the connection where there will be real benefit for it. One approach that Duotech Services has taken is to use IT provided computers for the control machine. This ensures that the machine is kept in the same patch and update cycle as the rest of the network. Another approach that can provide another layer of security is to connect industrial systems on an isolated network with additional firewall between it and other IT managed networks.
Whatever approach is taken, computer security is a growing concern that needs to be addressed at all levels of corporate infrastructure to ensure that appropriate precautions are being taken. Duotech Services approaches each problem with both features and security in mind. Let us help you safely take advantage of technology advances in your application.
