
Raise your guard

By Cliff Kittle

Chemical Processing magazine

Several factors drive concern for better security on the plant floor. Better technology — including iris scanning — can help you more effectively protect your plant from threats.


Many plants, such as those engaged in regulated manufacturing, must maintain the integrity, authenticity and confidentiality of information on the development, testing and manufacturing of their products. Accomplishing this presented a challenge with paper documents, but the difficulty has significantly increased with electronic recordkeeping. Electronic records are much more susceptible to changes that can go unnoticed.

In addition, today’s business environment raises issues that might not have been as important in the past. For example, as outsourcing has grown, so too has the need for sharing proprietary information. In the quest to get product to market sooner, “coopetition” has become a buzzword. The question then becomes, “Who are you sharing this information with and what are they doing with it?”

The same technologies that make business operations and manufacturing processes more efficient also introduce new vulnerabilities. The plant, once an island of automation and information security, now must share information with new personnel within its own organization, as well as with suppliers and vendors outside the corporation’s control. Also, concerns about physical incursions into plants and site vulnerability are receiving more attention in the aftermath of Sept. 11, 2001.


[Figure 1: Fingerprint scanning] A fingerprint reader checks 25 to 30 points to authenticate a person's identity.

The reasons are compelling
Several factors, including government regulations, protection of intellectual property, improved productivity and increased plant safety, drive concern for better security on the plant floor. Also, batch process control has evolved from proprietary to open systems and, therefore, is much more susceptible to myriad security breaches and attacks.

The most compelling government regulation is 21 CFR Part 11. According to industry analysis firm IDC, the life sciences industry alone will invest upward of $6 billion per year on this regulatory requirement. This is not the only government regulation that deserves process manufacturers’ attention. On the surface, the Sarbanes-Oxley Act appears to be directed solely at a corporation’s CEO and CFO, requiring them to accurately report financial information.

Something as simple as a change in a manufacturing process, the use of a new raw material or the addition of production equipment impacts a company’s financial information and, therefore, must be shared with corporate personnel responsible for creating these financial reports. Controlling the access to this information now becomes a security concern. Finally, the Health Insurance Portability and Accountability Act (HIPAA) imposes requirements about the privacy of employee information.

The Computer Security Institute and the FBI conducted a survey of 530 organizations and reported that the average annual loss of intellectual property in 2003 was $2.7 million. Gartner Group estimates that employees commit more than 70% of the unauthorized accesses to information systems and that more than 95% of these intrusions result in significant financial loss.

In the book “Netspionage,” published in 1999, authors William Boni and Gerald L. Kovacich state that the FBI has a list of 23 countries that promote industrial espionage on the theory that it’s cheaper to steal technology than develop it. The world’s economic system revolves increasingly around information transported by the Internet. “However, high technology also makes the information- and technology-based nations and businesses more vulnerable,” the authors warn.

Today, the threat of terrorist acts remains high. This demands that companies reduce the possibility of unauthorized personnel getting into a facility. Ensuring that only properly trained and authorized personnel can access and control software and hardware also is essential.

Developing the security net
The SANS Institute white paper titled “It’s All about Authentication,” by Doug Graham, promotes a security pyramid that contains five layers: auditability, integrity, encryption, authorization and authentication of information. Authentication of people is the foundation. In Graham’s view, all security starts with a methodology for ensuring that an individual is who he or she claims to be. (Many organizations view identification and authentication as being synonymous, but there is a difference. Identification is the act of claiming to be a specific person. Authentication is the verification of that claimed identity.)

Currently, most corporations attempt to satisfy this requirement by giving each employee a user ID and a password. However, this system provides a false sense of security. For example, in a survey conducted at the 2003 InfoSecurity Europe conference, two-thirds of workers surveyed said they had freely given their passwords to colleagues and 75% knew coworkers’ passwords.

Password sharing and written password lists create security gaps and place the 21 CFR Part 11 requirement of irrefutable identification in jeopardy.

A number of security options can be considered to replace the user ID and password system. These include biometrics, smart cards, radio frequency identification (RFID) badges, proximity tokens or a combination of these technologies. A March 2004 ARC Advisory Group paper, “Identity Assurance Strategy,” advocates a tiered model that uses multiple authentication factors. This tiered level of security would apply to physical access as well as to operational, transactional, and other activities and records.
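The following Python sketch is an added illustration, not code from the article, of how the identification/authentication distinction from Graham's pyramid and the tiered multi-factor model described above fit together: a claimed identity is checked against enrolled factors (know, have, are), each activity demands a minimum number of verified factors, and every decision lands in a hash-chained audit trail so an unnoticed edit to the record is detectable. The user, badge and activity names are constructed sample data.

```python
import hashlib
import hmac
import json

# Constructed sample data: factors required per activity, and one enrolled user.
# Credentials are stored as plain SHA-256 for brevity; use a real password hash in practice.
ACTIVITY_TIER = {"enter_plant": 1, "view_batch_record": 1,
                 "change_recipe": 2, "approve_batch_release": 3}

def _h(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()

ENROLLED = {"operator7": {"password": _h("correct-horse"), "badge": _h("RFID-00A7"),
                          "biometric": _h("iris-template-7")}}
AUDIT_LOG = []  # each entry chains to the previous one (auditability and integrity layers)

def identify(claimed_id):
    # Identification: the person only claims an identity; nothing is proven yet.
    return ENROLLED.get(claimed_id)

def authenticate(enrolled, presented):
    # Authentication: verify each presented factor against the enrolled credential.
    verified = set()
    for kind, secret in presented.items():
        stored = enrolled.get(kind)
        if stored and hmac.compare_digest(stored, _h(secret)):
            verified.add(kind)
    return verified

def authorize(activity, verified):
    # Tiered model: a transactional activity needs more factors than plant entry does.
    return len(verified) >= ACTIVITY_TIER[activity]

def request_access(claimed_id, presented, activity):
    enrolled = identify(claimed_id)
    verified = authenticate(enrolled, presented) if enrolled else set()
    granted = authorize(activity, verified)
    prev = AUDIT_LOG[-1]["hash"] if AUDIT_LOG else "0" * 64
    entry = {"user": claimed_id, "activity": activity, "factors": sorted(verified),
             "granted": granted, "prev": prev}
    entry["hash"] = _h(prev + json.dumps(entry, sort_keys=True))
    AUDIT_LOG.append(entry)
    return granted

def audit_log_intact():
    # Recompute the chain; a silently edited record breaks its hash and every later one.
    prev = "0" * 64
    for e in AUDIT_LOG:
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["prev"] != prev or e["hash"] != _h(prev + json.dumps(body, sort_keys=True)):
            return False
        prev = e["hash"]
    return True
```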