Emerson’s DeltaV team announced news of new smart switches for the DeltaV control network. The topic of cyber-security is on the minds of a lot of process manufacturers right now. In fact, the November 2008 issue of Control magazine is devoted to security-related issues for process manufacturers.
I discussed in an earlier post how commercial off-the-shelf (COTS) technologies rapidly advanced the capabilities and performance for all of the process automation systems. Since these technologies are no longer totally proprietary and within the total control of the automation suppliers, security is a fundamental issue that must be addressed by both suppliers and process manufacturers.
The use of COTS technologies, like Ethernet-based control networks, has caused a collision in the worlds of IT and plant automation teams. Much has been written about the competing objectives and methods between these teams. DeltaV product manager, Bob Huba, has been in these discussions for several years, ferreting out requirements in his role managing security for the DeltaV system.
Bob notes that the fundamental premise behind the smart switch is to make it easy for automation engineers to secure their control networks and give them a way to help their IT organization help themselves. They can do this without having to involve the IT group in the setup and ongoing support of the Ethernet-based networks used for process control.
These switches, used to connect workstations, controllers, WirelessHART gateways, and other Ethernet-based devices, are built-for-purpose and fully accessible from inside the DeltaV system. The switches are designed to work with the DeltaV control network with no configuration or network specialization required.
Instead of COTS, the DeltaV team has coined the acronym POTS (purpose-built, off-the-shelf) to describe this class of device.
Bob described how the switches help the IT team by saying that they are fully Simple Network Management Protocol (SNMP) version 3 capable, which provides three valuable services: authentication, privacy and access control.
With the proper authentication, IT staff members can get view-only access to these switches and incorporate the information into their network management processes. Bob threw out a new term I hadn’t heard, MIB-II. Google, always my trusty friend, told me it meant Management Information Base, and Wikipedia defined it:
A management information base (MIB) stems from the OSI/ISO Network management model and is a type of database used to manage the devices in a communications network. It comprises a collection of objects in a (virtual) database used to manage entities (such as routers and switches) in a network.
From the automation team’s viewpoint, knowing that it’s view-only access helps them all sleep better at night. They don’t have to know a thing about SNMPs, MIBs, OSIs, ISOs and other IT stuff, which is of great comfort to them.
In addition, for local access to switch information, each switch has a built-in read-only, web browser interface. Process maintenance folk can browse any switch and get the diagnostic information they need.
What automation folks care about is that their automation systems are secure. The smart switches address one of the largest concerns: open Ethernet ports that people can plug into, or add wireless access points to, opening up the control network to all sorts of security risks. The release describes an easy way to prevent this, one-button lockdown:
The one-click lockdown application automatically scans the DeltaV network to find the DeltaV switches and then allows the user the choice to automatically unlock or lock the switches. Unlocking also enables an auto-relock of the switches in 60 minutes if the user does not perform a manual relock before then.
If you can have a way to bring peace between the automation and IT groups, have the level of security you need, and have the ease-of-use so it is in fact used, then Bob just may have ferreted out something good in all those conversations.
Update: ARC Advisory Group has a nice summary of these smart switches.