Are hackers interested in industrial systems? Is security an issue for those systems?

Assembly Automation

ISSN: 0144-5154

Publication date: 1 September 2004



Norberto Pires, J. (2004), "Are hackers interested in industrial systems? Is security an issue for those systems?", Assembly Automation, Vol. 24 No. 3.



Emerald Group Publishing Limited

Copyright © 2004, Emerald Group Publishing Limited


J. Norberto Pires is a Professor based at the Industrial Robotics Laboratory, Mechanical Engineering Department, University of Coimbra, Polo II Campus, Coimbra, Portugal. E-mail:

Keywords: Internet, System design, Security

Internet technologies play a vital role in today's manufacturing systems, for production planning, control and supervision, but also for supply, distribution, customer service and employee management. This is a growing trend because industrialists keep looking for ways to boost revenues and reduce inefficiencies. It is related to online ordering, online production tracking and control, online access to the shop floor for production planning and efficient balancing of the manufacturing systems, etc. It also means that production systems are becoming more autonomous, requiring less operator intervention, and are commanded by remote software that also manages the overall manufacturing process. Modern companies incorporate Internet-based solutions, and the flow of information can be seen in Figure 1 for a typical CIM configuration.

Figure 1 CIM organization of a modern manufacturing plant

If these systems are vulnerable to hackers, the consequences can be disastrous. Furthermore, most of the system engineers who design and build industrial manufacturing systems are generally not aware of the security issues that currently threaten the safety and accuracy of their systems. In fact, the majority of these engineers believe that a system is safe when it is not connected to the Internet, since they believe that the hackers (the bad guys) are exclusively on the Internet. They also believe that hackers do not know anything about SCADA, PLCs or DCS systems, and that security may be a problem to deal with after designing and building a system, not a critical design issue.

When a manufacturing system is based on an industrial network, where controllers, robots, computers, PLCs, printers, scanners, etc., talk to each other using common Internet protocols (TCP/IP), with other networks connecting special equipment (for example, field buses to connect PLCs and remote IO), it is fairly easy to disrupt the normal functioning of such a system. Sometimes, a well-intentioned operator may overload the network just by sending large amounts of data for some presentation, meeting, etc. More than 60 percent of security breaches are carried out by insiders (using modems, wireless connections, laptops, etc.) or trusted vendors. Furthermore, if a modem is used for remote connections, to avoid the scary Internet, a telephone line scanner can easily detect the modem and exploit its vulnerabilities. A hacker will do that, i.e. scan company numbers for unprotected modems, and he/she does not need to understand a PLC or industrial system to wreck it. The hacker will eventually find codes and commands to block or overload communications, suspend operations, shut down systems, etc. In fact, most systems rely on standards to increase inter-connectivity, or rely heavily on operating systems very well understood by hackers (Microsoft operating systems, or Linux, for example), or have very weak security systems (that is the case for PLCs, SCADA and graphical DCS systems). This mixture is the weakness of industrial systems.

So what to do?

First, security should be considered an important issue in current manufacturing systems. Policies for system access must be implemented and taken seriously. Operators should access the systems only at an operator level, with only the necessary privileges. Super-users should be limited and well monitored. Firewalls should protect the companies from the outside, preventing unauthorized access and system scanning.

Second, internal security issues are important. Software to detect system access and log all actions must be implemented. This will allow IT departments to understand who is accessing the system and from where. Most IT departments do not understand industrial systems and protocols, and that is a major problem.

Third, do not use a single layered network. Use multiple layers, with firewalls as doors between layers. But use firewalls as doors, and not as burglar alarms. Malicious activity should be detected using Intrusion Detection Systems (IDS) to analyze traffic and network activity. With industrial systems the traffic is very consistent, and consequently, simple patterns are sufficient to detect intrusions.
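The "simple patterns" point in the third recommendation can be made concrete with a baseline check. The following is an added example, not code from the article: it learns the flows seen in a known-good window and flags anything new, anything that jumps over a layer, and any flow whose volume grows sharply. The address plan, the three layer names, the ports and the sample flows are all assumptions constructed for illustration.

```python
from collections import Counter

# Assumed layer plan: address prefix -> layer, ordered from least to most critical.
LAYERS = [("10.1.", "office"), ("10.2.", "supervision"), ("10.3.", "control")]

def layer_index(ip):
    """Return the position of the layer an address belongs to, or None if unknown."""
    for i, (prefix, _name) in enumerate(LAYERS):
        if ip.startswith(prefix):
            return i
    return None

def learn_baseline(flows):
    """Count how often each (src, dst, port) flow occurs in a known-good window."""
    return Counter(flows)

def check_window(flows, baseline, rate_factor=3):
    """Return sorted (flow, reason) alerts for one observation window."""
    alerts = set()
    for flow, count in Counter(flows).items():
        src, dst, _port = flow
        a, b = layer_index(src), layer_index(dst)
        if a is None or b is None:
            alerts.add((flow, "unknown-host"))    # address outside the plant plan
        elif abs(a - b) > 1:
            alerts.add((flow, "skips-layer"))     # e.g. office talking directly to control
        if flow not in baseline:
            alerts.add((flow, "new-flow"))        # never seen in the known-good window
        elif count > rate_factor * baseline[flow]:
            alerts.add((flow, "rate-anomaly"))    # same flow, far more traffic than usual
    return sorted(alerts)

# Constructed sample data (hosts and ports are illustrative assumptions).
HMI, PLC, ERP = "10.2.0.10", "10.3.0.20", "10.1.0.5"
GOOD = [(HMI, PLC, 502)] * 10 + [(ERP, HMI, 443)] * 4
OBSERVED = ([(HMI, PLC, 502)] * 10 + [(ERP, HMI, 443)] * 20
            + [(ERP, PLC, 502)] + [("192.168.7.9", HMI, 3389)])

if __name__ == "__main__":
    for flow, reason in check_window(OBSERVED, learn_baseline(GOOD)):
        print(reason, flow)
```

Because the known-good set is small and stable, the alert list stays short enough for plant staff to review by hand.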

Fourth, do not consider standards as a security problem. They are not. In fact, they are a benefit for companies, since they allow very different systems to interconnect, and because of that they are a strong ally of industrialists, since they tend to reduce costs and improve overall efficiency due to competition between vendors. But security needs to be considered, since using standards also means that many people understand how your systems work and interconnect, and because of that they are able to cause damage to unsecured systems, and that can be the cause of loss of production and also loss of life.

Industrial systems cyber-security is a critical safety issue that should be considered as such for system approval and certification. It is really just a question of attitude: play it safe.