America's manufacturing industry has certainly taken a beating over the past 16 months, and the grim reality of buyouts and mergers hasn't exactly boosted building automation vendors' confidence. So where, in a sky blossoming with an endless supply of dark clouds, is the silver lining?
The ARC Advisory Group conducted an end-user survey after September 11 that revealed security improvements as the third-highest (at 43.8 percent) goal to accomplish with building automation systems (BAS) investments. "Despite the fear of ongoing terrorist attacks, the users were still more worried about energy costs and integrating their operations than increasing security," stated David Clayton, senior analyst at ARC. Clayton is still forecasting "a larger growth rate for security systems than any other building automation subsystem," but the survey results indicate "capital expenditures on BAS in general will be relatively flat over the next 18 months because of the weak economy."
Clayton's forecast, then, is that sales for total BAS expenditures in the manufacturing industries will rise from 599.8 million in 2001 to 1,421.8 million in 2006, with a Compounded Annual Growth Rate (CAGR) of 18.8 percent. That CAGR, though, is based on assumptions of higher growth rates from 2004 to 2006.
So where does that leave the security industry vendors and end-user security administrators? Will there be budget for physical and network security implementations? Budgets are designed and based on anticipated needs, but the final determination of those needs and the release of the budget is the decision of executive management.
At a recent ARC Advisory Group manufacturing forum in Orlando, ST&D approached a variety of manufacturing automation vendor and end-user executives and upper-level managers to get their current pulse on physical and network security in their respective companies, and across the industry in general.
Executives defined security in their plant facilities as a way to protect their intellectual property, their assets and their people. "We produce our software in an office building, so our company's security needs are far different than those of our clients who run plants," said Kent Hudson, president and CEO of Indus International, an enterprise asset software manufacturer based in Atlanta, Ga. "Our clients manufacture a diverse line of products, so there are even further differences in the level of security requirements. For instance, a paper mill or steel mill's security will require less stringent applications than a nuclear plant or a defense application?but we see cyberterrorism as more of a future threat than physical terrorism."
Many companies voiced a concern for asset protection. Schneider Electric's vice president of development and strategy, David Sapp, stated, "Our biggest issue is protecting our portable PCs. They are the easiest way to export technology and office equipment."
"No one has ever stolen an airplane at Boeing," said Craig Battles, technical fellow at Boeing's Robotics and Automation Division in Seattle, Wash. "It's a high-value product, but not one you can just walk off with. Instead," Battles explained, "the physical security focuses on preventing unauthorized access to company products, systems and information."
The September 11 Fallout
At Boeing, security measures have increased significantly, according to Battles. "I've definitely seen stepped up security since September 11. For instance, there are additional patrols and monitoring of activity on or near company sites. We also have had more thorough inspection of freight and mail deliveries and tighter visitor screenings."
Dow Chemicals had a similar security change. "Generally, our philosophy hasn't changed," said Sherry Murphree, the company's manufacturing and engineering manager of information technology. "We've beefed up physical security, and everyone has to badge in now. Everyone had badges before, but weren't necessarily wearing them. Now we have an increase in random inspections of people coming and going (through the facility)."
Rob McKeel, vice president of marketing for GE Cisco Industrial Networks, concurred. He said the rules were the same, but they are now strictly enforcing those rules. Now employees and visitors must display proper identification at all times.
Physical Security Methodologies
Most of the companies interviewed use electronic access control, with either magstripe or proximity technology. Some companies use CCTV, and most have either full-time or after-hour guard service. Biometrics products are used in computer rooms, and some labs use palm readers for access.
Companies with multiple facilities aren't always integrated. Invensys Process Systems, based in Foxboro, Mass., is an acquisition company with headquarters in England, but the U.S. arm had purchased companies across the United States. As facilities are consolidated, it will become more realistic to look at integrated access control systems. "At some point in time, we'll integrate all the company's security systems, but for now we just address issues as they come up," said Peter Martin, vice president of Invensys. But, he added, each facility has a security system in place that is commensurate with the level of product development being executed behind closed doors. "At Foxboro, even the executive management of Invensys cannot get in without their Invensys cards." And at one of their software companies, Wonderware, development buildings are in total lockdown to all but the development personnel.
Current Security Issues
Houghton Leroy, director of consulting for enterprise applications at ARC, researches disaster recovery and disaster prevention, including asset management. "People don't understand that they are more vulnerable to inside threats," said Leroy. Companies should ask themselves "what the risks are for the industry we are in and who outside the facility can benefit from (proprietary) information."
E-mail monitoring is growing in the corporate world, and profiling of employees continues to emerge as IT groups monitor the types of sites employees frequent during working hours, according to Leroy. His research findings conclude that the most likely cause of a security breach is in hardware and software failure. The second most likely is internal attack from employees.
"Development areas should be locked with keypads and accessed only by authorized employees," said Leroy. "Our society loves cards, but I don't think they are as practical, because people lose cards." He emphasized that the extra care given to securing R&D areas "creates a mindset and an awareness to employees that this area is secure."
Wireless networking may well be the wave of the future for manufacturing plant systems, but it still has some drawbacks. The legacy automation networks of the '80s do not support IP, which is central to remote functionality, according to Chantal Polsonetti, vice president of strategic consulting at ARC. Manufacturing companies who are looking at wireless encryption protocol (WEP) will find that the value proposition includes cost, ease and flexibility of installation, mobility and productivity. However, wireless LANs that run on IEEE 802.11b (Wi-Fi)-the current dominating wireless solution-compete with Bluetooth (the new technology standard that uses short-range radio links), causing interference.
IEEE 802.11b and ultimately 802.11a will replace automation LANs, control level networks, fieldbuses and possibly sensor/actuator wiring, according to Polsonetti. But the problems lie in the fact that devices still need a power source, the cost of wireless is still high, and there are still issues regarding the unknowns, including electromagnetic interference and the effects of sunspots. Polsonetti predicts that "wireless networks will continue to win new applications, and both Ethernet and wireless networks must be intelligently implemented and isolated from competing traffic."
"Many companies don't recognize the security issues," McKeel said. "There are security configurations within the wireless hardware, but many people don't properly enable the security features. Proper configuration based on 802.1x or other wireless security standards is critical."
"Dow is pouring more and more resources into network security," said Murphree. "We are balancing that with people's desire to have higher-speed connections and greater bandwidth. The use of firewalls and other detection programs to keep outsiders out of company Extranets is also important."
"Everybody will have to review and increase their network security for two reasons," Hudson said. "Mobile computing and pervasive computing (wireless) allow breaks through firewalls and can jeopardize network security. Then there is the real concern of cyberterrorism."
"Network security is a big deal," said Buddy Creef, director of end-user sales for Cognex, a leading supplier of machine vision systems. "Our intellectual property defines our net worth. Because of that, our outside sales force accesses our internal systems either through a secure dial-up or a VPN connection."
While many companies are addressing the issues of implementing or improving physical security measures, they are also acknowledging the pressing issues of network security. As company employees become increasingly mobile, the requirement for remote access is generating the evolution of augmented security features across the network.
But how do companies face the challenge of safeguarding their systems while allowing for the technological advances to provide secure links to the authorized personnel?
"We use secure ID key fobs that have six-digit numbers that change every six seconds," said McKeel. "That, paired with a PIN, becomes the password." The technology comes from RSA Security, an early pioneer of Internet security with headquarters in Bedford, Mass. "Additionally, we have access lists for particular shared infrastructures and for specific access."
Schneider Electric has a "fairly elaborate process to get security access," said Sapp. "You need a security clearance to access different levels of company access. That's the first line of defense. If you need remote access, we use AT&T Global Net, a global dialer that allows you to access your e-mail and systems that are generally available on the Web site. If you want inside the company's Intranet, we have a Novell client that is the point-to-point contact to the company's firewall. You have to have the right IP address to access the Intranet, and the Intranet itself has secure sites within for further segmented areas."
At Dow Chemical, Murphree said that in Manufacturing and I/S there is a group of system architects whose responsibility is to set the technical architecture in balance with the access needs of the employees. "Some of those discussions are done at a high level, but sometimes they have to be educated on (the avenues) to provide security and still meet the business objectives, i.e., partnerships with semi-competing companies." These partnerships aren't completely new in the manufacturing business. The industry buzzword is "collaborative manufacturing." "It's a negotiation," stated Murphree. "We evaluate the risk and determine the level of risk. Usually, the education needed is just a misunderstanding of what the implications are."
Integrating Electronic Access Control and Network Security
In an effort to compile an all-in-one network, some end users are requesting that manufacturers integrate various systems. Many plant automation packages are already on the market to provide integration of plant automation systems with enterprise systems, including supply chain networks and inventory control. Now some companies are beginning to respond to requests to integrate the software programs for electronic access control and network security.
There are some potential pros and cons for this integration process. The most obvious advantage of an integrated system is that the security and IT administrators only have one system to be the watchdog for all security-related incidences. The most obvious disadvantage is that if a hacker breaks into the system, he or she has access to all the security in one fell swoop.
Creef believed that it could be a good idea, but his major concerns were cost-effectiveness and benefits. Hudson agreed. "By getting all of the information on a single network, you have the preferred platform for utilizing information. For example, you may not expect anyone to be using a facility after a certain time based upon standard schedules. However, a calendar of events on the network would hold data about a special meeting schedule which could be used to update the security system; and using one network saves the administrator time."
Across the board, employee education was key. It doesn't matter how much security, physical or network, you install if your employees don't do their part in making the plan work. "Our current security is excellent," said Battles. "We have a good communications program for ensuring employee responsibility?Personal safety is key, and we take it very seriously."
Joanne Harris is a published writer and photographer for such magazines as Security, Technology & Design, Control Engineering, PC104 Embedded Solutions, Florida Living and Better Homes & Gardens. She has more than eight years' experience in marketing, PR and advertising for the aerospace, security, industrial automation and telecommunications industries. She can be reached at firstname.lastname@example.org.