User-access security is critical to safeguard industrial operations, as well to protect the most valuable assets — including intellectual property.
Individual authentication and authorization help control access to everything from factory doors to programmable logic controllers. Today, authentication is most commonly accomplished using username/password logins and access cards. Biometric scanning will become more prevalent in the future, as security companies refine systems to instantly identify people by scanning eyes, fingerprints and even voices.
The most obvious objective of user-access security is keeping unauthorized people from places they don't belong, be they physical (plant floor) or digital (industrial network). A less obvious, but equally critical objective is ensuring that workers can only perform certain functions on the plant floor, in keeping with their expertise and assigned tasks.
In fact, the biggest threat to industrial operations is a non-malicious insider — meaning an employee who innocently or accidentally does something they're not qualified or authorized to do. For instance, the results could be disastrous if a machine operator had the same kind of network access as a plant engineer when it comes to troubleshooting a production line.
Plants that use Internet Protocol-enabled network architecture, such as EtherNet/IP (Industrial Protocol), can help simplify and strengthen user-access security by leveraging the users and groups already assigned under the IT structure. That's because EtherNet/IP can communicate seamlessly with Ethernet-based IT systems at the enterprise level. That's not the case with propriety industrial networks that don't depend on IP for communication.
A single, centralized user database offers multiple operational benefits. One of the most important is helping safeguard the plant when a user must be removed from the network. Consider this scenario: A worker is fired. IT eliminates the worker's access to the company email network. But before the worker leaves the premises, he decides to meddle with a machine on the plant-floor network. Or steal proprietary information that resides there.
This worker is far less likely to succeed if the company has a single, IP-based database, which allows management to simultaneously revoke the disgruntled worker's access to every entry point in the plant — physical or digital. All at once.
Multiple databases increase the probability for error and oversight, potentially putting your plant — and your trade secrets — at risk.
Do you think it's a good idea to have a separate approach to securing your enterprise and industrial networks?