Many plants, such as those engaged in regulated manufacturing, must maintain the integrity, authenticity and confidentiality of information on the development, testing and manufacturing of their products. Accomplishing this presented a challenge with paper documents, but the difficulty has significantly increased with electronic recordkeeping. Electronic records are much more susceptible to changes that can go unnoticed.
In addition, today’s business environment raises issues that might not have been as important in the past. For example, as outsourcing has grown, so too has the need for sharing proprietary information. In the quest to get product to market sooner, “coopetition” has become a buzzword. The question then becomes, “Who are you sharing this information with and what are they doing with it?”
The same technologies that make business operations and manufacturing processes more efficient also introduce new vulnerabilities. The plant, once an island of automation and information security, now must share information with new personnel within its own organization, as well as with suppliers and vendors outside the corporation’s control.
Also, concerns about physical incursions into plants and site vulnerability are receiving more attention in the aftermath of Sept. 11, 2001.
Figure 1. A fingerprint reader checks 25 to 30 points to authenticate a person's identity.
The reasons are compelling
Several factors, including government regulations, protection of intellectual property, improved productivity and increased plant safety, drive concern for better security on the plant floor. Also, batch process control has evolved from proprietary to open systems and, therefore, is much more susceptible to myriad security breaches and attacks.
The most compelling government regulation is 21 CFR Part 11. According to industry analysis firm IDC, the life sciences industry alone will invest upward of $6 billion per year on this regulatory requirement. This is not the only government regulation that deserves process manufacturers’ attention. On the surface, the Sarbanes-Oxley Act appears to be directed solely at a corporation’s CEO and CFO, requiring them to accurately report financial information.
Something as simple as a change in a manufacturing process, the use of a new raw material or the addition of production equipment impacts a company’s financial information and, therefore, must be shared with corporate personnel responsible for creating these financial reports. Controlling the access to this information now becomes a security concern. Finally, the Health Insurance Portability and Accountability Act (HIPAA) imposes requirements about the privacy of employee information.
The Computer Security Institute and the FBI conducted a survey of 530 organizations and reported that the average annual loss of intellectual property in 2003 was $2.7 million. Gartner Group estimates that employees commit more than 70% of the unauthorized accesses to information systems and that more than 95% of these intrusions result in significant financial loss.
In the book “Netspionage,” published in 1999, authors William Boni and Gerald L. Kovacich state that the FBI has a list of 23 countries that promote industrial espionage on the theory that it’s cheaper to steal technology than develop it. The world’s economic system revolves increasingly around information transported by the Internet. “However, high technology also makes the information- and technology-based nations and businesses more vulnerable,” the authors warn.
Today, the threat of terrorist acts remains high. This demands that companies reduce the possibility of unauthorized personnel getting into a facility. Ensuring that only properly trained and authorized personnel can access and control software and hardware also is essential.
Developing the security net
The SANS Institute white paper titled “It’s All about Authentication,” by Doug Graham, promotes a security pyramid that contains five layers: auditability, integrity, encryption, authorization and authentication of information. Authentication of people is the foundation. In Graham’s view, all security starts with a methodology for ensuring that an individual is who he or she claims to be. (Many organizations view identification and authentication as being synonymous, but there is a difference. Identification is the act of claiming to be a specific person. Authentication is the verification of that claimed identity.)
Currently, most corporations attempt to satisfy this requirement by giving each employee a user ID and a password. However, this system provides a false sense of security. For example, in a survey conducted at the 2003 InfoSecurity Europe conference, two-thirds of workers surveyed said they had freely given their passwords to colleagues and 75% knew coworkers’ passwords.
Password sharing and written password lists create security gaps and place the 21 CFR Part 11 requirement of irrefutable identification in jeopardy.
A number of security options can be considered to replace the user ID and password system. These include biometrics, smart cards, radio frequency identification (RFID) badges, proximity tokens or a combination of these technologies. A March 2004 ARC Advisory Group paper, “Identity Assurance Strategy,” advocates a tiered model that uses multiple authentication factors. This tiered level of security would apply to physical access as well as to operational, transactional, and other activities and records.
Facing problems and challenges
Chemical makers are beginning to take a closer look at what is needed to improve the security in their plants from both electronic and physical access perspectives.
ISA, in cooperation with a number of manufacturers and their suppliers, has begun to explore technology and implementation standards within production facilities for more robust security deployments. In March 2004, they approved the technical report, “Security Technologies for Manufacturing and Control Systems.”
The Chemical Sector Cyber-Security Information-Sharing Forum published the U.S. Chemicals Sector Cyber-Security Strategy report in June 2002. This group consists of global chemicals trade associations and individual companies representing important industry segments.
Many manufacturing facilities contain a variety of elements such as offices, production units, clean rooms and storage areas. Each of these imposes a different demand on any security technology being considered. As a result, the solution must be flexible enough to accommodate a variety of requirements.
A second challenge is the user community. For instance, if biometrics is being considered, the company should realize that no single technology would likely satisfy an entire user community because of differences in culture, physical features, age, etc. Once again, the flexibility of any solution is important to its success.
Plants should consider four alternatives to help strengthen security.
Figure 2. This template can't be used to reverse-engineer an individual's full fingerprint, therefore privacy issues are not a concern.
Biometric technology is the most secure for an unattended environment, that is, where a third party does not observe each time individuals must authenticate their user identities. The two most widely used technologies in this area are fingerprint scanning and iris scanning.
Fingerprint scanning. As the oldest biometric technology in use, it tends to be more readily accepted by personnel. Unlike the fingerprint taken by the police or military, this is a template of about 25 to 30 points that can be used in a one-to-one authentication of an individual rather than the one-to-many identification used by police (Figure 1). The template can’t be used to reverse-engineer the individual’s full fingerprint (Figure 2). As a result, individual privacy issues are not a concern.
Iris scanning. This is the most accurate biometric technology. About 250 points are captured to create the template for each person. The iris does not change during an individual’s life, which contributes to the accuracy of the method. Although often confused with retina scanning that is shown in popular movies, iris recognition is nowhere near as invasive. During iris scanning, a person positions his eye about 18 in. to 24 in. from the camera, whereas during retina scanning the eye is right against the camera. The technology has proved to be valuable in those areas in which an employee wears gloves, as well as in controlled areas such as a Class I, Div. II environment, where the individual wears full-body protective gear, a hood and, in many cases, safety glasses under the hood.
Biometrics has suffered from the perception that it won’t work consistently in the harsh environment of a manufacturing facility. This simply is not true. The cost of the technology has raised additional concerns. However, both fingerprint and iris technologies are in their third generation and costs have fallen dramatically. IDC estimates that help desk support for password systems now costs $300 per user per year. This approximates the investment for fingerprint technology. Iris cameras cost more than fingerprint readers, making the iris approach more expensive where installation at every desk is necessary. However, in many instances, iris recognition is used in a shared workstation environment or where the required dress makes fingerprint identification difficult or impossible.
Both technologies require about the same time to perform authentication; so, this is not a factor in deciding between them. Whereas an iris template is slightly larger than a fingerprint template, storage requirements don’t come into play when making a choice.
There has been a lot of publicity about biometric technology being susceptible to spoofing, that is, being fooled by copies. The most publicized study was performed about five years ago. It involved only five people, making its applicability to a larger population questionable. In addition, it was a cooperative test; researchers knew which fingerprint to use and arranged with the user to provide a good, full print. In a real-life environment, a criminal would need to figure out which finger’s print to use and get a perfect image. Making and testing multiple fake fingers from various prints likely would lead to a lockout because most systems allow only a certain number of failed attempts. In addition, technology has advanced significantly and many of today’s biometric systems feature built-in methods to reject replicas (silicone or gummy). This, combined with policies such as limiting the number of attempts, provides an additional safeguard.
Smart cards can be viewed as credit cards with brains. The security features built into these chips are among the most sophisticated of their type available commercially. What they can’t guard against is the willingness of individuals to share their cards or the theft of a card by someone intent on wrongdoing. The advantages of using smart cards instead of magnetic stripe cards include:
• Greater reliability;
• About 100 times more information storage capacity; and
• Much more resistance to tampering.
In addition, smart cards come in a choice of disposable or reusable versions and can perform multiple functions in a range of industries.
Radio frequency identification technology is making headway in warehouse and supply-chain applications. RFID also has a lot to offer for security and authentication. For instance, it frees a user from having to remember to remove his card from a reader when leaving a work area.
For this technology to become pervasive, however, there needs to be agreement on standardization both of the actual technology and the functionality deployed within the various RFID chips as well as the syntax and semantics of the RFID signals themselves.
For a site employing a station-based security system, proximity/physical token technology can provide significant benefit. It can allow a workstation to remain active while an authorized employee is nearby. Otherwise, the workstation locks up or provides a read-only display, whichever the company mandates. Tokens can be used in combination with biometrics. For instance, a token can identify an approaching employee, whereas a biometric system can limit what that person can do to only authorized actions.
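The token-plus-biometric arrangement described above, together with the failed-attempt limit mentioned earlier, can be modeled as a small state machine. This is an added illustration, not code from the article or from any vendor; the class, the token IDs, the user and action names and the limit of three attempts are assumptions, and the biometric matcher itself is reduced to a true/false result.

```python
from dataclasses import dataclass, field
from enum import Enum

class State(Enum):
    LOCKED = "locked"
    READ_ONLY = "read-only"
    ACTIVE = "active"

@dataclass
class Workstation:
    enrolled: dict                      # token ID -> (user, authorized actions)
    away_state: State = State.LOCKED    # site policy when no token is nearby
    max_failures: int = 3               # assumed attempt limit before lockout
    state: State = State.LOCKED         # fail closed until a token event
    claimed: str = ""                   # identity claimed by the nearby token
    failures: dict = field(default_factory=dict)

    def token_near(self, token_id):
        # Identification only: the token claims an identity, nothing unlocks.
        self.claimed = self.enrolled.get(token_id, ("", set()))[0]
        self.state = self.away_state
        return bool(self.claimed)

    def token_gone(self):
        self.claimed, self.state = "", self.away_state

    def locked_out(self, user):
        return self.failures.get(user, 0) >= self.max_failures

    def verify(self, biometric_match):
        # Authentication: one-to-one match against the claimed identity.
        if not self.claimed or self.locked_out(self.claimed):
            return False
        if not biometric_match:
            self.failures[self.claimed] = self.failures.get(self.claimed, 0) + 1
            return False
        self.failures[self.claimed] = 0
        self.state = State.ACTIVE
        return True

    def may(self, action):
        # Authorization: viewing follows the state, the rest follows the user.
        if action == "view":
            return self.state is not State.LOCKED
        rights = {u: a for u, a in self.enrolled.values()}
        return self.state is State.ACTIVE and action in rights[self.claimed]

# Constructed sample enrollment; token IDs, users and actions are hypothetical.
ENROLLED = {"tok-01": ("operator_a", {"start_batch"}),
            "tok-02": ("supervisor_b", {"start_batch", "sign_record"})}
```

The failure counter is kept per user and survives the token leaving range, so walking away and returning does not reset the attempt limit.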
Authentication is key
The ARC Advisory Group stresses, “Security is a corporate governance issue with site-by-site considerations. Facilities and systems security should be a single-closed-coupled system, rather than disparate systems seen today.” The foundation of a completely integrated security system covering physical and electronic access is the irrefutable authentication of an individual.
Such an integrated system offers financial benefits in many elements of plant operations, from improving the productivity of transactional systems to preventing employee fraud. Each of these elements provides its own return on investment. To be cost-effective, the organization must look at the cumulative picture when making implementation decisions.
For instance, in addition to the help desk costs mentioned earlier, password systems incur other expenses. The Network Consortium calculates that an individual spends about 44 hours per year performing network login activities. This is based on using four applications requiring a unique user ID and password. Many employees must deal with as many as three times more.
During an eight-hour shift, a typical manufacturing-execution-systems operator performs about 300 to 600 transactions that require user authentication. The authentication time can be cut in half through the use of biometrics instead of user ID and password. This can translate to as much as a 5% increase in productivity.
The American Payroll Organization estimates that 7% to 12% of total payroll costs are the result of “buddy punching” fraud. A more irrefutable authentication method can eliminate this cost, with benefits going directly to the bottom line.
Succeeding with a security upgrade requires selection of the right technology and the right vendor. It’s crucial to answer these four important questions:
1. What is the best technology for my environment? Address two areas prior to vendor selection. First, determine the technology or combination of technologies that most suit your user community. Then, evaluate whether the hardware devices can withstand the daily physical demands of the environment and still function reliably.
2. What special considerations or limitations, such as the type of protective wear currently in use, must be accommodated? This is related to the first question. One technology may suffice for most users, but special physical requirements may demand the use of a second technology on a more limited basis. Ideally, a single vendor should supply both technologies. In addition, a plant should consider how different authentication procedures impact the potential speed of response during an emergency situation.
3. Do any cultural issues favor the use of one technology over another? It has been proved that different cultures will struggle with a particular biometric technology. Take this into account during your evaluation and consider multiple biometric technologies. Addressing the issues on the front end should lead to greater user acceptance and, consequently, project success.
4. How should multiple technologies be implemented? Many companies will find that a tiered approach that involves several methods, including those already in place, is desirable. This can present coordination and compatibility issues. A single vendor that is familiar with all of the technologies of interest may be able to provide better integration and support.
In addition, evaluate system support. Ideally, the selected vendor should provide a one-call support capability for both software and hardware. Also, find out if the firm honors all hardware warranties.
It’s clear that in today’s business environment, security technologies play an increasing role in maintaining a company’s reputation and profitability. Moving forward, it’s not a question of whether tighter security should be deployed — but more a question of how quickly, efficiently and cost effectively it can be installed.
Cliff Little is director of sales for emerging markets of SAFLINK Corp., Bellevue, Wash.