
(2006) Graduate Course Development Focusing on Security Issues in Manufacturing



In the past decade, global business has experienced substantial growth; the manufacturing industry has played a large role in this expansion. Growth of the manufacturing industry, increased intelligence of manufacturing equipment, plus connectivity of equipment and software within and among companies has increased the probability of attacks and threats to these systems. Security infrastructure technologies in the manufacturing industry have not kept pace with the technological advancements that spurred the industry’s growth. A course is being designed at Purdue University to provide the working professional with knowledge in the integration of Automatic Identification and Data Capture (including biometrics) into the manufacturing environment. This paper discusses the issues and challenges facing the manufacturing industry and how these are incorporated into the curriculum design.

Published in: Education, Business, Technology

GRADUATE COURSE DEVELOPMENT FOCUSING ON SECURITY ISSUES FOR PROFESSIONALS WORKING IN THE MANUFACTURING INDUSTRY

Shimon K. Modi 1, Stephen J. Elliott, Ph.D. 2

1 Shimon K. Modi, Purdue University, Industrial Technology, 401 N Grant St, W Lafayette, IN, 47906, USA
2 Stephen J. Elliott, Ph.D., Purdue University, Industrial Technology, 401 N Grant St, W Lafayette, IN, 47906, USA

Abstract – In the past decade, global business has experienced substantial growth; the manufacturing industry has played a large role in this expansion. Growth of the manufacturing industry, increased intelligence of manufacturing equipment, plus connectivity of equipment and software within and among companies has increased the probability of attacks and threats to these systems. Security infrastructure technologies in the manufacturing industry have not kept pace with the technological advancements that spurred the industry’s growth. A course is being designed at Purdue University to provide the working professional with knowledge in the integration of Automatic Identification and Data Capture (including biometrics) into the manufacturing environment. This paper discusses the issues and challenges facing the manufacturing industry and how these are incorporated into the curriculum design.

Index Terms – biometrics, case study, logical and physical access, manufacturing security.

MOTIVATION AND BACKGROUND

Computer integrated manufacturing systems have changed ways in which industrial manufacturing equipment interacts with different systems within and outside the manufacturing environment. Manufacturing equipment has become more sophisticated. The increased connectivity between this more sophisticated manufacturing equipment and internal and external systems has changed the way that manufacturing security systems are designed. As manufacturers move towards a more connected and collaborative environment in their quest for market share in the global environment, concerns are raised regarding potential for compromises to proprietary manufacturing processes and intellectual property; such compromises could expose industry on a worldwide scale to devastating consequences. According to a 2003 report, manufacturers were urged to reexamine their security policies. This report noted that only 40 percent of respondents had completed physical risk assessments; that figure dropped to 35 percent when asked about cyber-security [1].

These figures, discussions with industry leaders and anecdotal evidence pointed to the need to offer such a course. The course examines a fundamental problem: the manufacturing community uses industrial manufacturing equipment that does not require any strong form of individual authentication or identification as a prerequisite to performing a product manufacturing transaction. Initiatives, legislative mandates and security briefs have been launched and disseminated throughout the manufacturing community. The Instrumentation, Systems, and Automation Society (ISA) regularly distributes information on this important subject. For example, ISA-TR99.00.01-2004 Security Technologies for Manufacturing and Control Systems categorizes security issues related to hardware and software systems, including “Distributed Control Systems, Programmable Logic Controllers, Supervisory Control and Data Acquisition Systems, Networked Electronic Sensing Systems and monitoring, diagnostic, and assessment systems” ([2] pg. 2). The technologies associated with protection of these systems include: “authentication and authorization; filtering/blocking/access control; encryption; data validation; audit; measurement; monitoring and detection tools, and operating systems” ([2] pg. 2). And whereas this report only addresses physical and logical security, additional benefits can be gained by ensuring these technologies comply with governmental regulation (such as the Food and Drug Administration’s 21 CFR 11, as required in the health and pharmaceutical industry) and safety requirements.

According to [3] and the ISA-SP99 committee report, “computer systems in the manufacturing environment typically rely on traditional passwords for authentication” (pg. 3), adding to the risks to their security. A study conducted by the American Society for Industrial Security and PricewaterhouseCoopers (ASIS/PWC) determined that the greatest losses occur in information related to research and development (R&D) and manufacturing processes. This is particularly relevant to the pharmaceutical industry. The Pharmaceutical Industry Profile for 2002 noted that this industry’s R&D budget grew from $1.3B in 1977 to an estimated $32B in 2002. The use of biometric technology to incorporate access control, authentication, electronic signatures, and action traceability will grow rapidly in the pharmaceutical industries as a result of new and evolving electronic records regulation and the business-critical need to safeguard intellectual property. New regulations in the United States and European Union require the pharmaceutical industry to ensure the integrity, authenticity and confidentiality of regulated electronic records. There is also increased need to protect intellectual property because, unlike many industries, patented and non-patented intellectual property is the primary source of pharmaceutical companies’ revenues. The course will first target the user community within these pharmaceutical organizations, particularly operators of distributed control systems about which the FDA has expressed concern regarding the authentication of individuals who perform any type of transaction in the manufacturing process subject to the regulations and guidelines of 21 CFR Part 11.

As manufacturers move toward a more connected and collaborative environment among geographically disparate facilities as a means of better competing in the global market, concerns for the possibility of exposing their proprietary manufacturing processes and intellectual property to compromise and damage on a worldwide scale are increasing. Industrial automation suppliers (e.g., Emerson and Rockwell Automation) will need to regard the security of plant systems with the same sense of urgency that the IT community now uses to address the security of computing and the Internet behind and in front of firewalls. It is also important to consider the potential impacts of the Sarbanes-Oxley Act and HIPAA on the manufacturing environment, made even more complicated by perceptions and speculations of less than completely understood regulations.

These various initiatives enable an increased number of manufacturing systems to be designed to provide remote operations capability. To date, there have been no means to ascertain the identity of machine operators and whether they or their actions were authorized. Security in the manufacturing environment has lagged behind advancements of interconnectivity and sophistication of manufacturing systems. Using passwords as the sole means of authentication fails to provide the level of security that modern manufacturing equipment necessitates. According to a white paper by ARC Advisory Group, as the sophistication of security attacks has increased, the knowledge required by the attacker has decreased. But security should not be considered only from a technological perspective; it must also be considered from social and personnel perspectives.

With the objective of addressing these issues, a graduate-level course was designed to meet needs of today’s professionals, as well as students who intend to work in some sort of manufacturing environment. Students enrolled in this class are expected to possess a basic knowledge of biometrics and other forms of automatic identification and data capture technology as a result of having successfully completed prerequisite courses.

COURSE STRUCTURE

The primary objective of this course is to provide those seeking knowledge in this area with the skills required to analyze security issues within the manufacturing environment so that they can lead or participate in teams involved in developing design solutions for those problems. Since no single security framework fits all manufacturing environments and problems, a wide range of factors must be considered in the design of security frameworks. The course will be offered over a 16-week period and will accommodate offsite (remote) participation; three classroom sessions held on weekends during the semester will address those topics and hands-on activities that cannot be managed remotely. The course will include practical case studies: one in which the students will have to develop the security plan for a particular facility and another in which the students will assess the physical security weaknesses within their own manufacturing facilities. The course’s modules are noted below:
• Security principles relative to industrial technology and industrial distribution
• Government regulations affecting manufacturing
• Physical security
• Logical security
• Policy development
• Course Project - Case study application

Security Principles

This module introduces basic security principles and how they relate to the manufacturing environment. Topics covered include confidentiality, integrity, availability, access control and nonrepudiation. In today’s manufacturing environment, physical and logical security are seen as independent components. Nonetheless, understanding the basics of security can help to avoid pitfalls in the overall design of the security framework and to determine requirements of the security framework within the context of the business processes.

The course addresses security principles common to the many different manufacturing environments that match the participants’ various backgrounds. Other topics in this module include general authentication and authorization technologies; advanced automatic identification and data capture technologies such as biometrics and token authentication (RFID and smart cards); as well as device-to-device authentication. Firewalls and virtual local area networks (VLANs) will be reviewed, per ISA recommendations [2].

Government Regulations

This module explains the government regulations that were intended to address the manufacturing industry and the implications of these regulations on the manufacturing environment. The United States has passed several regulations requiring companies to take into account general concerns such as physical and logical security. The Sarbanes-Oxley Act of 2002 and the Food and Drug Administration’s 21 CFR Part 11 are two such regulations that require companies to apply specific controls to ensure authenticity, integrity and auditability of electronic records. Traditional authentication technologies do not comply with these regulations. A security system program that relies on usernames and passwords does not provide authenticity, integrity and auditability of records. A more robust authentication system is required in order to comply with these regulations. Biometrics has been suggested as a solution to satisfy this stringent requirement. Several implications relative to business processes must be understood in order to optimally design a security framework that complies with these requirements. This module will cover existing government regulations that apply to the manufacturing environment and will explain their implications on existing business processes.

Physical Security

Physical security systems are the first line of defense for asset protection, restricting access to different parts of the manufacturing environment. Physical security systems are generally designed around the periphery of the manufacturing environment, thereby deterring potential intruders. Automatic identification and data capture technologies play a vital role in physical security. Biometrics provides additional security, but only if used in suitable environments. Security professionals who recognize the advantages of biometrics may fail to consider the environment in which the technology will be deployed. For example, the biometric system deployed for physical access purposes will be exposed to a wide range of climate conditions [4], [5]. Performance of face recognition is diminished when the deployment environment is affected by varying levels of light [5]. A biometric system unsuited to the particular target environment will fail to provide additional security, perhaps even less security than a traditional physical security system.

Certain environmental factors specific to the manufacturing environment, such as grease or dirt residues on machine operators’ fingers, can affect fingerprint recognition performance [6]. This module is intended to increase awareness of environmental issues that may have an impact on biometrics so that those issues can be taken into consideration during the design of a physical security framework. More and more companies are considering utilizing an integrated security framework, one that seamlessly blends physical and logical security. Biometrics provides that advantage, and this module will focus on how to maximize the potential of these advantages from a physical security framework perspective.

Logical Security

Increased internetworking of resources in the manufacturing environment is accompanied by increased security risks. Companies are challenged to safeguard their systems while providing their employees with the advantages of technology. At present, the established methodology of authentication in the manufacturing environment is knowledge-based — usage of usernames and passwords. Replacing knowledge-based authentication methods with biometrics provides an extra level of non-repudiation in the authentication framework, as well as audit control logs that knowledge-based authentication cannot provide. Commercially available biometric solutions provide single sign-on capabilities that replace “antiquated” knowledge-based authentication mechanisms. This module focuses on the advantages and disadvantages of using different biometric modalities for logical access. Remote authentication is another type of logical access whose security risks are significantly higher than those associated with logical access from within the manufacturing environment. Biometric technology suitable for use in today’s manufacturing environment can provide a higher level of protection, but a number of other issues must be evaluated when considering the deployment of biometrics for remote authentication. This module discusses the issues related to use of biometrics for logical access control.

Policy Development

Security in any system is only as strong as the policy that supports it. Security technology can continue to advance but will never, on its own, overcome the obstacle of the human factor. Development and implementation of sound policies will foster realization of the benefits associated with technological advancements. Good policies must take into account the concerns of the people who will use the new security mechanisms; without user cooperation, the system will not perform as well as advertised. Policies are the basis of procedures and guidelines that form a strong foundation for effective implementation [7]. This module addresses the basics of policy development with the intent of striking a proper balance among business objectives, security and personnel approval.

COURSE PROJECT

The various modules in this course are intended to expose students to the many facets of building a security framework and expand their knowledge gained from this course and the companion course (TECH 621W AIDC for the Enterprise). The curriculum includes a five-phase course project, introduced at the end of the first module. Each successive phase of the course project builds upon the previous phase’s work and reinforces the knowledge gained from that module. Students will be presented with a particular manufacturing environment scenario and will follow this scenario throughout all phases of the course project.

In the project’s first phase, students will be required to document basic security requirements. In the second phase, the students will revisit their documented security requirements, assess whether they satisfy government regulations and, if necessary, modify them accordingly. The intent of the iterative process is to hone students’ ability to adjust requirements to satisfy changing regulations and to incorporate requirements flexible enough to accommodate new requirements without disrupting the security framework. In the third phase, the students will be required to design a physical security framework that provides maximum security to their manufacturing environment scenario and that adheres to the security requirements generated during the project’s first two phases. The physical security framework will have to take into consideration different factors, such as environmental conditions and cost. In the fourth phase, the students will be required to design a logical security framework that provides maximum security to the logical components of their manufacturing environment scenario. The requirements of this phase may include designing logical access security for remote operators. In the final phase of the project, the students will be required to integrate the physical and logical security frameworks they designed in the project’s third and fourth phases. As part of the project’s fifth phase, students may be required to modify their overall security frameworks so that the physical and logical security frameworks are seamlessly integrated.

At the end of the course, the students will be required to submit a paper (a “term paper”) that outlines the methodology they followed throughout the five-phase project and then make a presentation. One component of the term paper will be a draft of policies for the integrated security framework; the draft must demonstrate the students’ ability to consider different situations, such as offering an alternative to biometric authentication if a user cannot enroll in a particular biometric system. The course project will allow the students to apply what they have learned in the classroom within the parameters of a real-world scenario.

COURSE OBJECTIVES

The course is targeted to reach security professionals who want to incorporate biometrics into their security infrastructure. The main objective of the course is to expose students to components of the manufacturing environment security spectrum, including intellectual property protection, and to maintain integrity of business processes. By the end of this course, the students should be better equipped to design an efficient overall security framework in accordance with conditions of the manufacturing environment.

FUTURE DEVELOPMENT

Radio Frequency Identification (RFID) is gaining prominence as an automated identification technology that could be used in the manufacturing environment. RFID can do more than hold product data. For example, combinational use of RFID and biometric technologies could be used in providing a dual-layer identification methodology for employees working in the manufacturing environment. The knowledge and experience of working with biometric technologies allows manufacturing professionals to make better informed choices about the direction of their security technologies. Other automated identification technologies might also be combined with biometrics. The use of new and existing infrastructure could provide additional layers of security.

CONCLUSION

This paper was written to outline the development of a graduate-level course for security professionals who want to incorporate biometrics and other automatic identification capture technologies in the manufacturing environment. This course might be considered as a vehicle for advancing the maturity of biometric technology in that it applies classroom concepts and adapts them to real-world scenarios. This is the first time such a curriculum has been developed with the intention of providing industry practitioners with the ability to create security frameworks using biometric systems. As the course progresses, its developers anticipate that the course will evolve to accommodate more technologies, as well as feedback from the students.

REFERENCES

[1] Hill, D., "Manufacturers Plan for Physical and Cyber Security," Automation World, 2003, p. 1.
[2] ISA, ANSI/ISA TR99.00.01-2004 Security Technologies for Manufacturing and Control Systems, 2004, pp. 34-38.
[3] Riley, D., "Purdue Proposal," S. Elliott, Editor, 2005.
[4] Elliott, S., "Biometric Technology: A primer for Aviation Technology Students," International Journal Of Applied Aviation Studies, 3(2), 2002, pp. 311-322.
[5] Kukula, E., & Elliott, S., "Securing a Restricted Site - Biometric Authentication at Entry Point," IEEE 37th International Carnahan Conference on Security Technology, 2003, pp. 435-439.
[6] Sickler, N., "An Evaluation of Fingerprint Quality Across an Elderly Population vis-à-vis 18- to 25-Year-Olds," Industrial Technology, 2003.
[7] Peltier, T. R., "Information Security Policies, Procedures, and Standards," Auerbach Publications, 2002.