IT networks for manufacturers have to be more complex than most other industries — but also simple enough to facilitate workflow.
By Dave Bykowski
Manufacturers often assume that a network should simply connect all the machines in the business. But the machines on the manufacturing floor should not necessarily be connected to the ones that handle corporate functions, like billing or payroll.
Industrial machines require a different level of protection from what’s needed in the corporate environment. The machines on the floor were designed to be functional. They don’t typically have security features built in.
They were also built to last decades, meaning that many of them predate concerns about cybersecurity. This leaves them potentially vulnerable to hackers. And if hackers get access to the equipment on your manufacturing floor, there’s more than data at stake: They could gain control of a machine and use it to physically injure your workers or destroy your product.
The trouble is, most of your machines probably need some connectivity. So how do you design your network so that your industrial devices are segregated from the rest of your machines and only talking to the ones they need to talk to?
Protect Hardware with Multiple Layers
Networks can be designed with layers so that machines on the deepest layer are the most secure. This is where key company data and machinery should live in a manufacturing network.
In an ideal world, the outermost layer of your network would consist of your corporate machines, which handle day-to-day business operations. Below that, separated by a firewall, would be a layer of machines handling data collection, and below that, the industrial control computers.
The base layer would be the physical machines on the floor. That base layer should have the most protection and strictly limited access. The more layers you have, the better, but in practical terms it’s hard to have more than three layers: the corporate layer, the manufacturing equipment layer, and a layer that manages communication between those two.
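As an added illustration (not code from the article or from Kelser), here is a small Python check that encodes the three-layer model described above: each zone gets a rank, and a proposed firewall allow-rule is flagged if it skips a layer, reaches the floor from anywhere but the communication layer, or permits every service. The zone names, the "internet" outer zone, the rule format and the sample rule set are all constructed for this example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Zone ranks for the three-layer model: lower numbers are outer layers.
# "internet" is added as the layer outside the corporate zone (assumption).
LAYERS = {"internet": 0, "corporate": 1, "manufacturing-comm": 2, "floor": 3}


@dataclass(frozen=True)
class Rule:
    """One firewall allow-rule: traffic from zone src to zone dst for a service."""
    src: str
    dst: str
    service: str  # protocol label, or "any" for an unrestricted permit


def check_rule(rule: Rule) -> list[str]:
    """Return the ways a rule breaks the layered model (empty list = consistent)."""
    findings = []
    s, d = LAYERS[rule.src], LAYERS[rule.dst]
    if abs(s - d) > 1:
        findings.append("crosses more than one layer boundary; traffic must hop "
                        "through the intermediate layer")
    if rule.dst == "floor" and rule.src != "manufacturing-comm":
        findings.append("only the communication layer may open connections to "
                        "floor equipment")
    if rule.service == "any":
        findings.append("permits every service; allow only the protocol the "
                        "device actually needs")
    return findings


def violations(rules: list[Rule]) -> dict[Rule, list[str]]:
    """Map each offending rule to its findings, skipping rules that pass."""
    return {r: check_rule(r) for r in rules if check_rule(r)}


# Constructed sample rule set for a hypothetical plant (not from the article).
SAMPLE_RULES = [
    Rule("corporate", "manufacturing-comm", "https"),   # dashboards from the collection layer
    Rule("manufacturing-comm", "floor", "modbus-tcp"),  # collection layer polls the controllers
    Rule("corporate", "floor", "any"),                  # office PCs straight to the machines
    Rule("internet", "manufacturing-comm", "vnc"),      # remote access skipping the corporate layer
    Rule("floor", "internet", "any"),                   # equipment calling out to the internet
]

if __name__ == "__main__":
    for rule, why in violations(SAMPLE_RULES).items():
        print(f"{rule.src} -> {rule.dst} ({rule.service}):")
        for reason in why:
            print("   -", reason)
```

Run against your own rule export, the first two sample rules pass and the last three are reported with the reason each one breaks the model.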
Limit Employee Access
If layering is your best tool for hardware protection, controlling user access is the best way to protect your company’s data. Each employee should have access only to the information they need, and nothing more.
This might sound restrictive. Should you really lock everything down? Won’t that interfere with people doing their jobs? If it does, adjust. Establishing permissions is something that can evolve over time. Access is a tool that can be used in tandem with layers of security to fine-tune your network for the best balance between safety and functionality.
Someone with access to the corporate layer of your network, such as your HR team, doesn’t need (and shouldn’t have) access to the base-layer tools. The employees who work on payroll and contracts, for example, don’t need to be connected by your network to CNC machines, lathes and other manufacturing equipment on the floor.
A receptionist doesn’t need to be able to add or delete network users. A project manager does need access to your project management software. But your manufacturing equipment doesn’t need access to payroll or customer credit card information.
Use Kiosks to Reduce Interference with Work
When you start talking about layers of network protection and restricting employee access, it’s natural to wonder how this will affect your staff. Will your machinist need to navigate through three layers of network security every morning when she clocks in?
While that’s one possibility, a better solution is to set up kiosks on the manufacturing floor where employees can log in directly to the network they need access to.
Older Machines Are More Vulnerable
Without sufficient layers of protection, industrial equipment that is networked can potentially be accessed over the internet — whether by hackers or by a disgruntled employee, or even by accident.
It’s difficult to add enough security to these devices, because many older machines don’t have large amounts of memory or processing power, and security features increasingly require large amounts of both.
In these cases, over-networked equipment is a major vulnerability. Not only can hackers potentially take over machines, but they can also use them as a weak link to gain access to the broader network. Combining layers of network protection and limited access will help make sure your manufacturing equipment doesn’t leave your business at risk.
Dave Bykowski is manager of information security and compliance at Kelser Corporation, an IT managed services provider in Connecticut. He leads Kelser’s manufacturing IT team and works directly with manufacturers throughout the US to align technology and business objectives.