Shielding the shopfloor

Today’s networked enterprise is not only vulnerable to viruses and spam arriving through the office systems; the shopfloor is also under attack. Brian Davis reports on shopfloor IT security

Traditional virus checkers, firewalls and spam alerts installed on the office systems are no longer sufficient to insulate the enterprise systems from damage and malicious interference – and the risks are significant. The points of entry are also multiplying. Contract maintenance staff, for example, plug in USB sticks; portable devices such as smart phones feed unsuspected malware into manufacturing systems; games and music are downloaded; or disgruntled employees try to export valuable IP or databases.
“End-point security is paramount for protection against viruses, spyware, adware, peer-to-peer file sharing and instant messaging,” says John Shaw of Sophos. Multi-user terminals are often scattered around the shopfloor with no password protection, yet offer direct access to the network. What’s more, “half the world’s servers run on Linux and we now see a big trend to secure them in a connected world.”
It takes only a maintenance engineer with a laptop, downloading new drivers for a photocopier, to infect multiple terminals with a worm. However, network access control software can ensure that only authorised users connect to the network, and can check the state of visiting contractors’ machines before they are admitted. Furthermore, a good security system will monitor computers throughout the network to ensure they are appropriately patched, have the right service packs installed, run up-to-date virus software, and that the firewall is actually running.
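The admission decision a network access control system makes from those checks can be written down as a small policy. The following is an example added for this article, not any vendor’s product: the host records, the baseline build, the signature-age limit and the VLAN names are all assumed values chosen to show how a compliant staff machine, a compliant contractor machine and an engineer’s laptop with stale signatures and no firewall end up on different networks.

```python
# Added example: endpoint posture evaluation of the kind a network access
# control (NAC) system performs before admitting a host to the shopfloor
# network. Written for this article, not any vendor's product; thresholds,
# host records and VLAN names are assumed values.
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple

# Policy thresholds (assumed for the example)
MIN_OS_BUILD = (5, 1, 2600)         # hypothetical baseline build, compared as a tuple
REQUIRED_SERVICE_PACK = 2
MAX_SIGNATURE_AGE_DAYS = 3          # AV signatures older than this fail the check


@dataclass
class HostReport:
    """What the NAC agent reports about a connecting machine."""
    hostname: str
    owner: str                # "staff" or "contractor"
    os_build: str             # dotted build string, e.g. "5.1.2600"
    service_pack: int
    av_signature_date: date
    firewall_running: bool


def parse_build(build: str) -> Tuple[int, ...]:
    # Tuple comparison orders "5.1.2600" correctly, unlike string comparison
    return tuple(int(part) for part in build.split("."))


def posture_failures(report: HostReport, today: date) -> List[str]:
    """Return every policy check the host fails (empty list means compliant)."""
    failures = []
    if parse_build(report.os_build) < MIN_OS_BUILD:
        failures.append(f"OS build {report.os_build} below baseline")
    if report.service_pack < REQUIRED_SERVICE_PACK:
        failures.append(f"service pack {report.service_pack} < {REQUIRED_SERVICE_PACK}")
    age = (today - report.av_signature_date).days
    if age > MAX_SIGNATURE_AGE_DAYS:
        failures.append(f"AV signatures {age} days old")
    if not report.firewall_running:
        failures.append("host firewall not running")
    return failures


def assign_vlan(report: HostReport, today: date) -> str:
    """Map the posture result to a network: non-compliant hosts only ever reach
    the remediation VLAN, and contractors never reach production even when
    compliant (VLAN names are assumed)."""
    if posture_failures(report, today):
        return "remediation"
    return "production" if report.owner == "staff" else "contractor"


# Constructed sample hosts
TODAY = date(2007, 6, 1)
SAMPLE_HOSTS = [
    HostReport("office-pc-12", "staff", "5.1.2600", 2, date(2007, 5, 31), True),
    # maintenance engineer's laptop: patched, but stale signatures and no firewall
    HostReport("maint-laptop", "contractor", "5.1.2600", 2, date(2007, 5, 20), False),
    HostReport("vendor-demo", "contractor", "5.1.2600", 2, date(2007, 6, 1), True),
]


def run_admission(hosts=SAMPLE_HOSTS, today=TODAY) -> dict:
    """Evaluate every host and return {hostname: (vlan, failures)}."""
    return {h.hostname: (assign_vlan(h, today), posture_failures(h, today)) for h in hosts}


if __name__ == "__main__":
    for name, (vlan, why) in run_admission().items():
        print(f"{name:14} -> {vlan:12} {'; '.join(why) or 'compliant'}")
```

The point of returning every failure rather than the first is operational: the remediation page shown to the engineer can list all of them at once instead of sending him round the loop three times.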

Vigilance is essential. Foam manufacturer Zotefoams used to keep its manufacturing systems separate from the office network. “But this is beginning to change as we bring our manufacturing machines under the umbrella of the IT network,” admits IT manager Michael Richards. At present the process machines only write to disc and data is extracted by floppy. But the company is upgrading to Wonderware’s In Touch software which will link into the network and write to a back-end SQL database.

Consequently, the IT department is installing a firewall to protect access to those machines. “We are more concerned about the threat of malicious code than viruses,” reflects Richards. Indeed, Zotefoams contracts NTA Monitor to carry out independent penetration tests of firewalls and web servers on a quarterly basis.

Checkpoint is used as an external firewall, and Richards intends to extend coverage to all networked processes, giving a single view of internal and external security on a security dashboard. Checkpoint Secure Client also provides a virtual private network that ensures employees worldwide have secure remote access to the network with an encrypted connection. The firm is also going to implement SecureWave’s Sanctuary Device Control to control access to portable devices, such as CD drives and USB memory sticks, as well as blocking access to games, MP3 files or undesired executable code. A combination of Symantec, Kaspersky anti-virus software and MIMEsweeper is used to scan email.
Companies are understandably reluctant to divulge serious security leaks or incidents of disruption. A major automotive firm discovered that one of their employees was trying to smuggle out pictures of a prototype car. Fortunately they used Clearswift’s MIMEsweeper as an email scanner which registered images that shouldn’t leave the site.

“Once a company realises the software can also be used to block content leaving the organisation, it will often be configured for new rules,” explains Clearswift’s Alyn Hockey. Most companies deploy some form of gateway security on their servers. However, many are still focused on anti-virus or spam prevention. This is only part of the story. Hockey believes “it’s important to go to the next level, managing the content so only the relevant data enters or leaves the organisation to the appropriate recipient.”
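What an outbound rule of the kind the automotive firm relied on actually has to do is decide by content, not by the label the sender attached. The following is an example written for this article, not Clearswift’s code: it parses an outgoing message, decodes every attachment and identifies images by their leading bytes, so a JPEG renamed to .txt and declared text/plain is still quarantined. The message, addresses and attachment bytes are constructed.

```python
# Added example: an outbound mail gateway check of the kind described above
# (image content must not leave the site). Written for this article, not
# Clearswift's code. Images are identified by their leading bytes, so a JPEG
# renamed to .txt and declared text/plain is still caught. The message below
# is constructed for the example.
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List, Tuple

# Leading bytes of the image formats this policy blocks
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def sniff_image(data: bytes):
    """Return the image type implied by the leading bytes, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def scan_outbound(raw: bytes) -> dict:
    """Decide whether a raw RFC 2822 message may leave the site.

    Every attachment is decoded and sniffed; the declared Content-Type and
    filename are recorded only so the log shows what the sender claimed.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings: List[Tuple[str, str, str]] = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        kind = sniff_image(payload)
        if kind:
            findings.append((part.get_filename() or "<unnamed>", part.get_content_type(), kind))
    return {
        "from": str(msg["From"]),
        "to": str(msg["To"]),
        "action": "quarantine" if findings else "deliver",
        "findings": findings,
    }


def build_sample_message(include_image: bool = True) -> bytes:
    """Constructed outbound message; addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "engineer@example.com"
    msg["To"] = "contact@example.net"
    msg["Subject"] = "notes"
    msg.set_content("See attached.")
    # a bill of materials: allowed to leave
    msg.add_attachment(b"part,qty\nA1,10\n", maintype="text", subtype="csv", filename="bom.csv")
    if include_image:
        # a JPEG header renamed to .txt and declared text/plain to evade an extension filter
        fake_jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 32
        msg.add_attachment(fake_jpeg, maintype="text", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_outbound(build_sample_message()))
```

The caveat a practitioner would add: this looks only at top-level attachments. An image inside a zip archive or embedded in a Word document passes this check, so a production gateway has to recurse into containers and office formats before sniffing, and should treat a container it cannot open as suspicious rather than clean.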
As one vendor pointed out, a lot of anti-spyware products marketed on the internet are actually spyware themselves. The only answer is to go with a reputable brand. There is also the increasing issue of SPIM – spam carried over instant messaging. Frankly, if corporations don’t lock down their terminals, then employees can install any number of potentially vulnerable applications.

Companies are also forced to become more vigilant as adoption of wireless spreads through manufacturing networks. “We deliberately changed the password control access on the router from the standard password setting,” explains Jack Akerman, sales and logistics manager at Thornbury Manufacturing in Plymouth. “We’re not worried about customers with laptops using the wireless network to check emails, but strangers gaining access to our wireless system.”

Thornbury manufactures switch components for white goods and the automotive sector, and has about 12 terminals around the enterprise. The company brought in an IT professional to draw up a security policy after a virus attack a few years ago. Here again, MIMEsweeper issued a warning and no serious disruption occurred. Consequently Thornbury’s Windows 2003 small business server was configured using AVG anti-virus network edition for security purposes, and to limit internet access to key individuals. “I enquired about using Norton, but it was far too expensive and resource hungry for a small business, so we selected a 12 port licence with a two year service agreement from AVG for just under £350. Since then we’ve had no more problems.”

Mark Moody, managing director of Focal Point Fires, sought an alternative for protecting a relatively small IT network. The Dorset firm is currently converting from Sageline 100 to SAP Business One for ERP. Equipped with about 40 terminals throughout the plant, everything is currently hardwired using a VPN. Most of the transactions with customers like B&Q, Argos and Currys are secure and carried out by EDI.
Local reseller Aspect Systems suggested the company should use ESET/NOD 32 as an anti-virus system, as it came with a fully integrated firewall and anti-spam capability, for £3,000 under a three year contract. “At first I was sceptical,” says Moody. “The price seemed pretty unbelievable. But we signed up for a three year contract and have had no problems with viruses.”

Moody operates a strict security policy, which specifies that nobody can bring in floppies, USB keys or discs from home. “Occasionally suppliers want to demonstrate something which has to plug into our network. ESET can spot anything that looks suspicious, and updates are regular and live.” However, Moody refuses to segregate IT systems between different departments “as I don’t believe that approach would work for a small firm like us.”

Security experts take the opposite view. “Manufacturers should use some form of segregation of IT systems in different areas of the business,” suggests Tom Newton, product manager of Smoothwall. “If admin goes down for a day, it may be inconvenient. But if your shopfloor is hit by malware then it can really affect the bottom line.” Nevertheless he recognises that in the increasingly collaborative world of PLM, more and more systems are integrated. “In this case, you should specify paths between the networks, according to what is actually needed.”
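Specifying paths “according to what is actually needed” comes down to a default-deny list between the segments. The following is an example added for this article, not Smoothwall’s configuration: the address plan, host roles and ports are assumed, the policy allows exactly three paths (HMIs writing to the back-end SQL database, supervisory workstations viewing HMI screens, and shopfloor hosts fetching AV updates), and everything else between office and shopfloor is refused. It also renders the same list as iptables FORWARD rules for a gateway sitting between the two networks.

```python
# Added example: a default-deny path policy between the office and shopfloor
# segments, in the spirit of the advice to "specify paths between the
# networks, according to what is actually needed". Written for this article;
# it is not Smoothwall's configuration. Addresses, ports and host roles are
# assumed for the example.
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Assumed address plan
OFFICE = ipaddress.ip_network("10.1.0.0/16")
SHOPFLOOR = ipaddress.ip_network("10.2.0.0/24")
SUPERVISORY = ipaddress.ip_network("10.1.20.0/24")    # engineering workstations inside OFFICE
HISTORIAN_SQL = ipaddress.ip_network("10.1.5.10/32")  # back-end database the HMIs write to
AV_UPDATE = ipaddress.ip_network("10.1.5.20/32")      # internal anti-virus update server


@dataclass(frozen=True)
class Path:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    port: int
    reason: str


# Everything the two segments legitimately need from each other; nothing else
ALLOWED_PATHS: List[Path] = [
    Path(SHOPFLOOR, HISTORIAN_SQL, "tcp", 1433, "HMIs write process data to SQL"),
    Path(SUPERVISORY, SHOPFLOOR, "tcp", 80, "operators view HMI web screens"),
    Path(SHOPFLOOR, AV_UPDATE, "tcp", 80, "shopfloor hosts fetch AV signatures"),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int


def decide(flow: Flow) -> Tuple[str, str]:
    """First matching listed path allows the flow; otherwise it is denied."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    for p in ALLOWED_PATHS:
        if src in p.src and dst in p.dst and flow.proto == p.proto and flow.port == p.port:
            return ("allow", p.reason)
    return ("deny", "no listed path between segments")


def render_iptables(paths: List[Path] = ALLOWED_PATHS) -> List[str]:
    """Emit the same policy as iptables FORWARD rules for a gateway between
    the segments: reply traffic first, then each listed path, then drop."""
    rules = ["iptables -P FORWARD DROP",
             "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for p in paths:
        rules.append(f"iptables -A FORWARD -s {p.src} -d {p.dst} -p {p.proto} "
                     f"--dport {p.port} -j ACCEPT  # {p.reason}")
    rules.append("iptables -A FORWARD -j DROP")
    return rules


# Constructed flows: what a worm or a curious user would try, plus normal traffic
SAMPLE_FLOWS = [
    Flow("10.2.0.15", "10.1.5.10", "tcp", 1433),   # HMI -> historian SQL
    Flow("10.1.20.7", "10.2.0.15", "tcp", 80),     # supervisory PC -> HMI screen
    Flow("10.1.33.4", "10.2.0.15", "tcp", 80),     # ordinary office PC -> HMI screen
    Flow("10.1.33.4", "10.2.0.15", "tcp", 445),    # office PC -> HMI file sharing (worm path)
    Flow("10.2.0.15", "10.1.5.10", "tcp", 445),    # HMI -> database host file sharing
]


def audit(flows: List[Flow] = SAMPLE_FLOWS) -> List[Tuple[Flow, str]]:
    return [(f, decide(f)[0]) for f in flows]


if __name__ == "__main__":
    for flow, verdict in audit():
        print(f"{verdict:5} {flow.src}->{flow.dst} {flow.proto}/{flow.port}")
    print("\n".join(render_iptables()))
```

Two things this makes visible. The file-sharing paths a worm would use are refused in both directions even though the SQL path is open, which is the whole benefit of listing paths rather than bridging the networks. And the SQL path that is allowed is passed through untouched: a rule of this kind checks addresses and ports, not content, so malicious data travelling over an allowed path still needs the separate scanning layer discussed later in the article. Traffic between two hosts on the same segment never crosses this gateway and is not controlled by it at all.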

Some organisations prefer to have all internet traffic scanned and cleaned before it reaches their network. “The threat has moved from the inbox to the browser,” says Eldar Tuvey, chief executive of Scansafe. “Anything an employee can access through a web browser should be scanned and filtered before it reaches the organisation.” What’s more, services like Scansafe help a firm’s central administrator control access and identify staff who may access inappropriate content.

Global food brand Heinz was an early adopter of MessageLabs to protect mail from viruses and spam. Though no viruses and very little spam got through, lifecycle costs were climbing with over 16,000 users. Three years later, Heinz decided to look at alternative options, and managed security service supplier Integralis recommended e-Scan from Postini after formal evaluation against MessageLabs and Black Spider. E-scan scored on functionality and more competitive pricing.

Developing the right security strategy is paramount. “Malware can penetrate more easily than ever through the connected enterprise,” warns David Robinson, UK general manager of Norman Defence Systems. “You need a robust security strategy in addition to conventional IT security measures like firewalls, intrusion prevention systems and content checking systems. The secure single point of entry can no longer be classified as secure, because any port or protocol could be used to inject malware into the network.”
Robinson suggests: “Enterprise security doesn’t mean putting anti-virus measures on all computers, but using a layered approach which protects both production and office networks from cross infection.” A proxy server, for example, means that any data entering the LAN is intercepted and scanned before it is passed on to its destination. But this also raises the issue of latency as delays will be introduced into the system.

Alternatively, firewalls can be used to limit access to certain network addresses or restrict services according to tables of rules. However, a firewall does not look for malicious content. For that purpose an additional layer of malware scanning is required on a real time basis, providing protocol scanning without introducing any noticeable delays into the system.

Ultimately, a secure network defence strategy must be adopted in addition to traditional perimeter security measures, so all gates are defended in the modern networked enterprise.