In the past decade, global business has experienced substantial growth; the manufacturing industry has played a large role in this expansion. Growth of the manufacturing industry, increased intelligence of manufacturing equipment, plus connectivity of equipment and software within and among companies has increased the probability of attacks and threats to these systems. Security infrastructure technologies in the manufacturing industry have not kept pace with the technological advancements that spurred the industry’s growth. A course is being designed at Purdue University to provide the working professional with knowledge in the integration of Automatic Identification and Data Capture (including biometrics) into the manufacturing environment. This paper discusses the issues and challenges facing the manufacturing industry and how these are incorporated into the curriculum design.
(2006) Graduate Course Development Focusing on Security Issues in Manufacturing
GRADUATE COURSE DEVELOPMENT FOCUSING ON SECURITY ISSUES FOR PROFESSIONALS WORKING IN THE MANUFACTURING INDUSTRY

Shimon K. Modi 1, Stephen J. Elliott, Ph.D. 2

1 Shimon K. Modi, Purdue University, Industrial Technology, 401 N Grant St, W Lafayette, IN, 47906, USA, shimon@purdue.edu
2 Stephen J. Elliott, Ph.D., Purdue University, Industrial Technology, 401 N Grant St, W Lafayette, IN, 47906, USA, elliott@purdue.edu

Index Terms – biometrics, case study, logical and physical access, manufacturing security.

MOTIVATION AND BACKGROUND

Computer integrated manufacturing systems have changed ways in which industrial manufacturing equipment interacts with different systems within and outside the manufacturing environment. Manufacturing equipment has become more sophisticated. The increased connectivity between this more sophisticated manufacturing equipment and internal and external systems has changed the way that manufacturing security systems are designed. As manufacturers move towards a more connected and collaborative environment in their quest for market share in the global environment, concerns are raised regarding potential for compromises to proprietary manufacturing processes and intellectual property; such compromises could expose industry on a worldwide scale to devastating consequences. According to a 2003 report, manufacturers were urged to reexamine their security policies. This report noted that only 40 percent of respondents had completed physical risk assessments; that figure dropped to 35 percent when asked about cyber-security [1].

These figures, discussions with industry leaders and anecdotal evidence pointed to the need to offer such a course. The course examines a fundamental problem: the manufacturing community uses industrial manufacturing equipment that does not require any strong form of individual authentication or identification as a prerequisite to performing a product manufacturing transaction. Initiatives, legislative mandates and security briefs have been launched and disseminated throughout the manufacturing community. The Instrumentation, Systems, and Automation Society (ISA) regularly distributes information on this important subject. For example, ISA-TR99.00.01-2004 Security Technologies for Manufacturing and Control Systems categorizes security issues related to hardware and software systems, including “Distributed Control Systems, Programmable Logic Controllers, Supervisory Control and Data Acquisition Systems, Networked Electronic Sensing Systems and monitoring, diagnostic, and assessment systems” ([2] pg. 2). The technologies associated with protection of these systems include: “authentication and authorization; filtering/blocking/access control; encryption; data validation; audit; measurement; monitoring and detection tools, and operating systems” ([2] pg. 2). And whereas this report only addresses physical and logical security, additional benefits can be gained by ensuring these technologies comply with governmental regulation (such as the Food and Drug Administration’s 21 CFR 11, as required in the health and pharmaceutical industry) and safety requirements.

According to [3] and the ISA-SP99 committee report, “computer systems in the manufacturing environment typically rely on traditional passwords for authentication” (pg. 3) adding to the risks to their security. A study conducted by the American Society for Industrial Security and PricewaterhouseCoopers (ASIS/PWC) determined that the greatest losses occur in information related to research and development (R&D) and manufacturing processes. This is particularly relevant to the pharmaceutical industry. The Pharmaceutical Industry Profile for 2002 noted that this industry’s R&D budget grew from $1.3B in 1977 to an estimated $32B in 2002. The use of biometric technology to incorporate access control, authentication, electronic signatures, and action traceability will grow rapidly in the pharmaceutical industries as a result of new and evolving electronic records regulation and the business-critical need to safeguard intellectual property. New regulations in the United States and European Union require the pharmaceutical industry to ensure the integrity, authenticity and confidentiality of regulated electronic records. There is also increased need to protect intellectual property because, unlike many industries, patented and non-patented intellectual property is the primary source of pharmaceutical companies’ revenues. The course will first target the user community within these pharmaceutical organizations, particularly operators of distributed control systems about which the FDA has expressed concern regarding the authentication of individuals who perform any type of transaction in the manufacturing process subject to the regulations and guidelines of 21 CFR Part 11.

As manufacturers move toward a more connected and collaborative environment among geographically disparate facilities as a means of better competing in the global market, concerns for the possibility of exposing their proprietary manufacturing processes and intellectual property to compromise and damage on a worldwide scale are increasing. Industrial automation suppliers (e.g., Emerson and Rockwell Automation) will need to regard the security of plant systems with the same sense of urgency that the IT community now uses to address the security of computing and the Internet behind and in front of firewalls. It is also important to consider the potential impacts of the Sarbanes-Oxley Act and HIPAA on the manufacturing environment, made even more complicated by perceptions and speculations of less than completely understood regulations.

These various initiatives enable an increased number of manufacturing systems to be designed to provide remote operations capability. To date, there have been no means to ascertain the identity of machine operators and whether they or their actions were authorized. Security in the manufacturing environment has lagged behind advancements of interconnectivity and sophistication of manufacturing systems. Using passwords as the sole means of authentication fails to provide the level of security that modern manufacturing equipment necessitates. According to a white paper by ARC Advisory Group, as the sophistication of security attacks has increased, the knowledge required by the attacker has decreased. But security should not be considered only from a technological perspective; it must also be considered from social and personnel perspectives.

With the objective of addressing these issues, a graduate-level course was designed to meet needs of today’s professionals, as well as students who intend to work in some sort of manufacturing environment. Students enrolled in this class are expected to possess a basic knowledge of biometrics and other forms of automatic identification and data capture technology as a result of having successfully completed prerequisite courses.

COURSE STRUCTURE

The primary objective of this course is to provide those seeking knowledge in this area with the skills required to analyze security issues within the manufacturing environment so that they can lead or participate in teams involved in developing design solutions for those problems. Since no single security framework fits all manufacturing environments and problems, a wide range of factors must be considered in the design of security frameworks. The course will be offered over a 16-week period and will accommodate offsite (remote) participation; three classroom sessions held on weekends during the semester will address those topics and hands-on activities that cannot be managed remotely. The course will include practical case studies: one in which the students will have to develop the security plan for a particular facility and another in which the students will assess the physical security weaknesses within their own manufacturing facilities. The course’s modules are noted below:

• Security principles relative to industrial technology and industrial distribution
• Government regulations affecting manufacturing
• Physical security
• Logical security
• Policy development
• Course Project - Case study application

Security Principles

This module introduces basic security principles and how they relate to the manufacturing environment. Topics covered include confidentiality, integrity, availability, access control and nonrepudiation. In today’s manufacturing environment, physical and logical security are seen as independent components. Nonetheless, understanding the basics of security can help to avoid pitfalls in the overall design of the security framework and to determine requirements of the security framework within the context of the business processes.

The course addresses security principles common to the many different manufacturing environments that match the participants’ various backgrounds. Other topics in this module include general authentication and authorization technologies; advanced automatic identification and data capture technologies such as biometrics and token authentication (RFID and smart cards); as well as device-to-device authentication. Firewalls and virtual local area networks (VLANs) will be reviewed, per ISA recommendations [2].

Government Regulations

This module explains the government regulations that were intended to address the manufacturing industry and the implications of these regulations on the manufacturing environment. The United States has passed several regulations requiring companies to take into account general concerns such as physical and logical security. The Sarbanes-Oxley Act of 2002 and the Food and Drug Administration’s 21 CFR Part 11 are two such regulations that require companies to apply specific controls to ensure authenticity, integrity and auditability of electronic records. Traditional authentication technologies do not comply with these regulations. A security system program that relies on usernames and passwords does not provide authenticity, integrity and auditability of records. A more robust authentication system is required in order to comply with these regulations. Biometrics has been suggested as a solution to satisfy this stringent requirement. Several implications relative to business processes must be understood in order to optimally design a security framework that complies with these requirements. This module will cover existing government regulations that apply to the manufacturing environment and will explain their implications on existing business processes.

Physical Security

Physical security systems are the first line of defense for asset protection, restricting access to different parts of the manufacturing environment. Physical security systems are generally designed around the periphery of the manufacturing environment, thereby deterring potential intruders. Automatic identification and data capture technologies play a vital role in physical security. Biometrics provides additional security, but only if used in suitable environments. Security professionals who recognize the advantages of biometrics may fail to consider the environment in which the technology will be deployed. For example, the biometric system deployed for physical access purposes will be exposed to a wide range of climate conditions [4], [5]. Performance of face recognition is diminished when the deployment environment is affected by varying levels of light [5]. A biometric system unsuited to the particular target environment will fail to provide additional security, perhaps even less security than a traditional physical security system.

Certain environmental factors specific to the manufacturing environment, such as grease or dirt residues on machine operators’ fingers, can affect fingerprint recognition performance [6]. This module is intended to increase awareness of environmental issues that may have an impact on biometrics so that those issues can be taken into consideration during the design of a physical security framework. More and more companies are considering utilizing an integrated security framework, one that seamlessly blends physical and logical security. Biometrics provides that advantage, and this module will focus on how to maximize the potential of these advantages from a physical security framework perspective.

Logical Security

Increased internetworking of resources in the manufacturing environment is accompanied by increased security risks. Companies are challenged to safeguard their systems while providing their employees with the advantages of technology. At present, the established methodology of authentication in the manufacturing environment is knowledge-based — usage of usernames and passwords. Replacing knowledge-based authentication methods with biometrics provides an extra level of non-repudiation in the authentication framework, as well as audit control logs that knowledge-based authentication cannot provide. Commercially available biometric solutions provide single sign-on capabilities that replace “antiquated” knowledge-based authentication mechanisms. This module focuses on the advantages and disadvantages of using different biometric modalities for logical access. Remote authentication is another type of logical access whose security risks are significantly higher than those associated with logical access from within the manufacturing environment. Biometric technology suitable for use in today’s manufacturing environment can provide a higher level of protection, but a number of other issues must be evaluated when considering the deployment of biometrics for remote authentication. This module discusses the issues related to use of biometrics for logical access control.

Policy Development

Security in any system is only as strong as the policy that supports it. Security technology can continue to advance but will never, on its own, overcome the obstacle of the human factor. Development and implementation of sound policies will foster realization of the benefits associated with technological advancements. Good policies must take into account the concerns of the people who will use the new security mechanisms; without user cooperation, the system will not perform as well as advertised. Policies are the basis of procedures and guidelines that form a strong foundation for effective implementation [7]. This module addresses the basics of policy development with the intent of striking a proper balance among business objectives, security and personnel approval.

COURSE PROJECT

The various modules in this course are intended to expose students to the many facets of building a security framework and expand their knowledge gained from this course and the companion course (TECH 621W AIDC for the Enterprise). The curriculum includes a five-phase course project, introduced at the end of the first module. Each successive phase of the course project builds upon the previous phase’s work and reinforces the knowledge gained from that module. Students will be presented with a particular manufacturing environment scenario and will follow this scenario throughout all phases of the course project. In the project’s first phase, students will be required to document basic security requirements. In the second phase, the students will revisit their documented security requirements, assess whether they satisfy government regulations and, if necessary, modify them accordingly. The intent of the iterative process is to hone students’ ability to adjust requirements to satisfy changing regulations and to incorporate requirements flexible enough to accommodate new requirements without disrupting the security framework. In the third phase, the students will be required to design a physical security framework that provides maximum security to their manufacturing environment scenario and that adheres to the security requirements generated during the project’s first two phases. The physical security framework will have to take into consideration different factors, such as environmental conditions and cost. In the fourth phase, the students will be required to design a logical security framework that provides maximum security to the logical components of their manufacturing environment scenario. The requirements of this phase may include designing logical access security for remote operators. In the final phase of the project, the students will be required to integrate the physical and logical security frameworks they designed in the project’s third and fourth phases. As part of the project’s fifth phase, students may be required to modify their overall security frameworks so that the physical and logical security frameworks are seamlessly integrated. At the end of the course, the students will be required to submit a paper (a “term paper”) that outlines the methodology they followed throughout the five-phase project and then make a presentation. One component of the term paper will be a draft of policies for the integrated security framework; the draft must demonstrate the students’ ability to consider different situations, such as offering an alternative to biometric authentication if a user cannot enroll in a particular biometric system. The course project will allow the students to apply what they have learned in the classroom within the parameters of a real-world scenario.

COURSE OBJECTIVES

The course is targeted to reach security professionals who want to incorporate biometrics into their security infrastructure. The main objective of the course is to expose students to components of the manufacturing environment security spectrum, including intellectual property protection, and to maintain integrity of business processes. By the end of this course, the students should be better equipped to design an efficient overall security framework in accordance with conditions of the manufacturing environment.

FUTURE DEVELOPMENT

Radio Frequency Identification (RFID) is gaining prominence as an automated identification technology that could be used in the manufacturing environment. RFID can do more than hold product data. For example, combinational use of RFID and biometric technologies could be used in providing a dual-layer identification methodology for employees working in the manufacturing environment. The knowledge and experience of working with biometric technologies allows manufacturing professionals to make better informed choices about the direction of their security technologies. Other automated identification technologies might also be combined with biometrics. The use of new and existing infrastructure could provide additional layers of security.

CONCLUSION

This paper was written to outline the development of a graduate-level course for security professionals who want to incorporate biometrics and other automatic identification capture technologies in the manufacturing environment. This course might be considered as a vehicle for advancing the maturity of biometric technology in that it applies classroom concepts and adapts them to real-world scenarios. This is the first time such a curriculum has been developed with the intention of providing industry practitioners with the ability to create security frameworks using biometric systems. As the course progresses, its developers anticipate that the course will evolve to accommodate more technologies, as well as feedback from the students.

REFERENCES

[1] Hill, D., "Manufacturers Plan for Physical and Cyber Security," Automation World, 2003, p. 1.
[2] ISA, ANSI/ISA TR99.00.01-2004 Security Technologies for Manufacturing and Control Systems, 2004, pp. 34-38.
[3] Riley, D., "Purdue Proposal," S. Elliott, Editor, 2005.
[4] Elliott, S., "Biometric Technology: A primer for Aviation Technology Students," International Journal Of Applied Aviation Studies, 3(2), 2002, pp. 311-322.
[5] Kukula, E., & Elliott, S., "Securing a Restricted Site - Biometric Authentication at Entry Point," IEEE 37th International Carnahan Conference on Security Technology, 2003, pp. 435-439.
[6] Sickler, N., "An Evaluation of Fingerprint Quality Across an Elderly Population vis-à-vis 18- to 25-Year-Olds," Industrial Technology, 2003.
[7] Peltier, T. R., "Information Security Policies, Procedures, and Standards," Auerbach Publications, 2002.