Process Control PC Security

7 04 2012


Manufacturing plants use two main types of devices to control processes: programmable logic controllers (PLCs) and personal computers (PCs). For this discussion, I will focus on PCs with Microsoft operating systems, as PLCs are yet to be heavily targeted by malware. PLCs have been targeted, but only by a few attacks such as the Stuxnet worm, which was considered “groundbreaking” because of its sophistication[1]. Meanwhile, the PCs are vulnerable to the same types of attacks that any PC is. What most people do not realize is that there are hundreds of PCs in a large manufacturing plant scheduling lines, gauging parts, controlling robots, and providing many other critical services. Without these PCs, most plants would stop production.

What’s the problem?

Having hundreds of PCs doesn’t seem like much of a problem until you consider the fact that the software running on these PCs is very complicated and often written for a dedicated purpose. Therefore, the PCs can easily fail if they are subject to changes such as OS patches. Combine this with the fact that many of these machines aren’t refreshed in a consistent manner and you end up with a large security problem. You have PCs that cannot be patched because they have an out-of-date OS (95, 98, 2000, NT, etc.) and others that need to go through a time-intensive process of thoroughly testing any patches before they can be deployed.

Alternative security methods

The best way to keep these PCs secure is to ensure timely OS patching and virus protection updates, but if that is not possible due to the issues above, you need to do the best you can. Those solutions fit into a few broad categories:

  1. Software that locks down the PC so only authorized programs can execute (whitelisting)
  2. Remove the PC from the network and disable other inputs (e.g. USB)
  3. Isolate the PCs using network access control lists and disable other inputs
  4. Change the operating system to one with a smaller threat footprint (e.g. CE, Linux)

Locking down the PCs with a whitelisting product makes a lot of sense in the manufacturing environment, as you can install and enable the product and then never touch the machine again. If, in the future, the PC needs updated functionality, you can uninstall the product, remove the PC from the network, run virus protection on it, complete the updates, then re-enable the whitelisting software and have little fear that your PC will be infected by malware. There are drawbacks: malware can still reside on the PC but can’t execute, so you have to be careful when the software is turned off; malware can become part of the whitelist if the user allows it; and the user needs to exercise the PC thoroughly to ensure no executables are missed while building the whitelist. Still, this is a good choice if the PC rarely gets updated and needs to retain communication with other devices.
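To make the whitelisting lifecycle and its three drawbacks concrete, here is an added illustration in Python (my own toy model, not the code of any whitelisting product the post refers to). It keys the allowlist on the SHA-256 of each file's contents, runs a learning phase in which every executable the operator exercises is recorded, then switches to enforcing. The file names, byte contents and the `operator_override` prompt are all constructed for the example.

```python
"""
Toy hash-based application whitelist for a process-control PC.
Added illustration only: not the product or code referred to in the post.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash the file contents; the whitelist keys on content, not on name or path."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class Whitelist:
    """Two phases: 'learning' records everything the PC runs; 'enforcing' blocks the rest."""

    def __init__(self) -> None:
        self.allowed: dict[str, str] = {}   # sha256 -> path where first seen
        self.enforcing = False

    def decide(self, path: Path) -> str:
        digest = sha256_of(path)
        if digest in self.allowed:
            return "allow"
        if not self.enforcing:
            # Learning mode: the operator exercises the PC and every executable that
            # runs is recorded. Anything not exercised here is missed (drawback 3).
            self.allowed[digest] = str(path)
            return "allow"
        return "deny"

    def operator_override(self, path: Path) -> None:
        """Operator answers 'yes' to a prompt for an unknown program: it is now trusted (drawback 2)."""
        self.allowed[sha256_of(path)] = str(path)


def demo() -> dict[str, str]:
    """Walk the lifecycle on constructed files; returns every decision made, keyed by step."""
    results: dict[str, str] = {}
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        hmi = root / "hmi.exe"                       # constructed: the machine's HMI program
        hmi.write_bytes(b"MZ\x90\x00 constructed HMI binary v1")
        gauge = root / "gauge.exe"                   # constructed: a gauging utility
        gauge.write_bytes(b"MZ\x90\x00 constructed gauge binary")

        wl = Whitelist()
        results["learn_hmi"] = wl.decide(hmi)        # learning: allowed and recorded
        # gauge.exe is never run during learning, so it never makes the list.
        wl.enforcing = True

        results["enforce_hmi"] = wl.decide(hmi)      # known hash -> allow
        results["enforce_gauge"] = wl.decide(gauge)  # missed during learning -> deny

        # A file dropped on disk after lockdown (drawback 1): present, but cannot run.
        dropped = root / "update_helper.exe"
        dropped.write_bytes(b"MZ\x90\x00 constructed unknown binary")
        results["enforce_dropped"] = wl.decide(dropped)

        # Copying it under a trusted-looking name changes nothing: the key is the hash.
        copy = root / "hmi_copy.exe"
        copy.write_bytes(dropped.read_bytes())
        results["enforce_copy"] = wl.decide(copy)

        # A vendor patch changes hmi.exe's bytes, so the updated program is denied until the
        # list is rebuilt: this is why updates need the disable -> scan -> update -> re-enable
        # cycle described above.
        hmi.write_bytes(b"MZ\x90\x00 constructed HMI binary v2")
        results["enforce_patched_hmi"] = wl.decide(hmi)

        # The operator accepts the prompt for the unknown file: it is whitelisted from now on.
        wl.operator_override(dropped)
        results["after_override_dropped"] = wl.decide(dropped)
    return results


if __name__ == "__main__":
    for step, decision in demo().items():
        print(f"{step:24s} {decision}")
```

The "present but cannot execute" case and the "operator said yes" case are the two to watch in practice: the first means a scan before re-enabling is still worthwhile, the second means prompts to operators should be treated as a policy decision, not a convenience.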

Removing a device from the network eliminates the most-used path to infection, and eliminating or highly regulating use of other input devices like USB brings the chance of infection to near zero. But removing the PC from the network limits the use of this approach, as PCs are generally used to gather data and report on the operational status of the manufacturing device they are attached to. Also, blocking use of other devices (e.g. USB) severely limits the use of data produced by the machine. Therefore, this method is good only for devices that can’t be whitelisted and don’t need to communicate with other devices.

Isolation through network access control lists is similar to removal from the network but allows the PCs to communicate with a defined group of devices. This is of course less secure than the removal technique, as malware could infect the PC via a “trusted” device or a device acting as a trusted device. Therefore, this is a good choice for PCs that can’t be whitelisted and need to communicate with a few other definable devices.
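An ACL only isolates the PC if it is actually in effect, so the check a practitioner wants is an audit of observed flows against the defined peer group. The following is an added Python illustration (mine, not from the post): the addresses, the peer group and the simplified flow-log format (date, time, action, protocol, source, destination, destination port) are all constructed for the example and do not match any particular firewall's log layout.

```python
"""
Audit flow-log lines for an isolated process-control PC against its defined peer group.
Added illustration; addresses and log format are constructed.
"""
import ipaddress
from dataclasses import dataclass
from ipaddress import IPv4Address

THIS_PC = ipaddress.ip_address("10.20.1.77")        # the isolated PC (constructed)
PEER_GROUP = {                                      # its defined group (constructed)
    ipaddress.ip_address("10.20.1.10"): "historian",
    ipaddress.ip_address("10.20.1.31"): "plc_line_3",
    ipaddress.ip_address("10.20.1.50"): "mes_server",
}

# Constructed, simplified flow log: date time action proto src dst dport
SAMPLE_LOG = """\
2012-04-07 08:00:01 ALLOW TCP 10.20.1.77 10.20.1.31 502
2012-04-07 08:00:05 ALLOW TCP 10.20.1.77 10.20.1.10 1433
2012-04-07 08:01:10 ALLOW TCP 10.20.1.77 10.20.9.200 445
2012-04-07 08:02:30 DROP TCP 172.16.5.4 10.20.1.77 3389
2012-04-07 08:03:00 ALLOW UDP 10.20.1.50 10.20.1.77 161
2012-04-07 08:04:12 ALLOW TCP 192.168.44.9 10.20.1.77 135
"""


@dataclass
class Flow:
    when: str
    action: str
    proto: str
    src: IPv4Address
    dst: IPv4Address
    dport: int

    @property
    def remote(self) -> IPv4Address:
        """The other end of the conversation, whichever direction it went."""
        return self.dst if self.src == THIS_PC else self.src

    @property
    def direction(self) -> str:
        return "outbound" if self.src == THIS_PC else "inbound"


def parse_flow(line: str) -> Flow:
    date, time, action, proto, src, dst, dport = line.split()
    return Flow(f"{date} {time}", action, proto,
                ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport))


def audit(log_text: str) -> tuple[list[Flow], list[Flow]]:
    """
    Split flows whose remote end is outside the peer group into:
      violations - the flow was ALLOWED, so the ACL is missing or not enforcing;
      blocked    - the flow was dropped, i.e. the ACL did its job (worth logging, not alarming).
    Flows with a peer-group remote are considered in policy and skipped.
    """
    violations: list[Flow] = []
    blocked: list[Flow] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow.remote in PEER_GROUP:
            continue
        (violations if flow.action == "ALLOW" else blocked).append(flow)
    return violations, blocked


def describe(flow: Flow) -> str:
    return f"{flow.when} {flow.direction} {flow.proto}/{flow.dport} with {flow.remote} ({flow.action})"


if __name__ == "__main__":
    bad, ok = audit(SAMPLE_LOG)
    print("ACL violations (allowed traffic outside the peer group):")
    for f in bad:
        print("  " + describe(f))
    print("Blocked by ACL:")
    for f in ok:
        print("  " + describe(f))
```

Run periodically against the PC's own firewall log or a span-port capture, a non-empty violations list is the signal that the isolation has drifted; it does not, of course, see the case the post warns about, where a member of the peer group itself is compromised or impersonated.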

In some cases, the PC can be converted to run on an operating system that is considered to be less of a threat, such as Linux or Windows CE. This is generally very hard to do with legacy equipment and costly, as the original vendor of the software will usually have to make code changes. For new PCs, this can be a good route to take in order to avoid malware or patching consequences. That said, all operating systems can be attacked by malware; this choice just significantly reduces that threat.


Vendors and equipment purchasers have begun to realize the threat posed by malware to their PC-based process control devices. As they have made this realization, new devices that are more manageable and less of a threat have begun to arrive in manufacturing facilities. But there are huge numbers of legacy PC devices that need to be protected. The list above is not complete and none of the methods are foolproof, but it’s a solid start for anyone dealing with this problem.
