Kanoa Blog

Staying Secure in a Digital Factory and how Kanoa MES can Help

Written by Jason Coope | May 7, 2024 7:04:48 PM

Digital Transformation

With the grand age of digital transformation, real-time manufacturing data has never been so accessible to so many. But the journey getting here hasn’t been straightforward…

From the very beginning, Smart Manufacturing initiatives promised to make manufacturing data stored locally in PLCs and process control equipment readily available in web browser applications and mobile devices. This transformation only truly became possible when companies re-organized to create IT/OT synergy between IT professionals and controls engineers.

This transformation hasn’t been easy. Since 2002, IT professionals had been grappling with Sarbanes Oxley compliance regulations requiring ‘segregation of duties’ after the Enron and WorldCom scandals. Their focus had shifted to preventing the company’s CFOs and CIOs from going to jail, and preventing access to financial records stored in databases resulted in a blanket application of severely limiting access to all databases. This happened at the same time as operations were in the process of moving data out of plc’s, flat files and excel exports into databases to provide the needed access to data to drive continuous improvements. Where before, IT and Control Engineers had little overlap in their roles and systems, the proliferation of modern IT technologies onto the manufacturing floor left little choice but for their worlds to collide.

Modern SCADA

You could say Inductive Automation forced the hand. Their tag line was

What if there was a better way to manage control systems? What if we started over using modern IT practices and modern software technology?

Inductive Automation

You can see their classic video here.

Ignition™ was born to deliver web-based software, open standards technology, and unlimited usage licensing to transform the SCADA control system software landscape.

Operations, maintenance personnel and control engineers all now had access to a low-cost, simple to implement solution to modernize their data collection. Barriers to data were no longer because of technology, they were human.

IT/OT Convergence

John Dyck, at the time, the chairman for MESA International wrote

‘MES is a rare breed of solution that spans both the IT and Operations domains and is rooted firmly in a lack of understanding of each other's domains…The six million dollar question is this: Will Operations and IT leadership learn that until there's clear alignment between their respective strategies, goals, and metrics, they and their company have little hope of successfully rolling out any systematic, high return manufacturing solutions? …I contend that the very necessary convergence between Operations and IT, will come about only through the education of both parties…and that one without the other will not succeed.’

John Dyck

Information Confidentiality

As manufacturing data moved from the controls world to the IT world, companies grappled with how to protect the data. Bianca Scholten wrote in her book MES Guide for Executives

‘In enterprise automation, information confidentiality is the most important point of concern, then comes integrity and only then does information availability become important. In production automation, it’s the other way around. Primary goal of security is to ensure availability of all parts of the system’
‘Company-wide IT procedures shouldn’t be naively applied to the MES. The ISA-99 standard has been developed for control system security to provide practical solutions without causing more damage than the things you are trying to prevent will cause!’
 
Bianca Scholten - MES Guide for Executives

Where We Are Today

Thankfully, the challenges between IT and Operations are now well-documented, widely known, and specifically addressed when discussing new Smart Manufacturing initiatives, and we can thank John Dyck and others at MESA and CESMII for their tireless work on this. Today's modern organizational structures now include Manufacturing IT support teams.

So we live in a world where employees can receive notifications and alerts on their phones wherever they are, in real-time regarding production issues. Or they can log in again from their phones to see how production is progressing. But with greater access and dissemination of information, comes a responsibility to protect access to that information.

Security In Ignition™

Kanoa MES is built on top of the Ignition™ platform and they take security very seriously.

  • Secure Communications Ignition supports secure communication so you can seamlessly integrate your Ignition system with your existing security strategy. We know that your industrial data is vital to your business: that's why Ignition comes with the ability to safeguard your data with ultra-secure TLS 1.2 and 1.3 technologies. TLS is trusted by financial institutions all over the world to protect data and the communications channel it passes through.
  • Powerful Client Authentication Ignition supports modern, web-based authentication strategies such as federated identity, multi-factor authentication (MFA), and single sign-on (SSO). With Ignition you can centralize identity management through trusted federated identity technologies such as SAML and OpenID Connect. Ignition gives you the power to assign user roles natively or to integrate with corporate network security using Microsoft Active Directory™. You can grant access to system areas for different users, and turn access on and off with the click of a button.

  • Auditing Ignition’s built-in user auditing gives administrators incredible insights about what is happening in the system, when and where it is happening, and who is doing what. This enables you to quickly resolve issues and mitigate costly downtime incidents.

Resources

MQTT and The Industrial Internet of Things

Cirrus Link’s MQTT modules are built on the Ignition™ software stack, extending the standard functionality for solutions using MQTT to connect OT data.  The modules are used for distributed field devices using Ignition™ Edge, or on local factory networks running Ignition™ Gateway and provide real-time data connectivity. The MQTT architecture decouples devices from applications and connects the data to MQTT infrastructure for a superior operational solution and enables cloud for AI applications.

MQTT pushes data upstream while isolating systems and providing security at every step from client to server to the data destination. Data is remote originated, outbound, and encrypted with TLS. Sparkplug adds the context information as the data moves upstream. Only approved clients can subscribe to specific data that can be read and ingest-only, and the data is self-discoverable if changes are pushed up as well. MQTT allows OT to share data with those applications without letting them come in and connect to their systems or do any remote management that opens up security concerns.

Resources

Cloud, SaaS and the Shared Responsibility Model

Ignition™ and MQTT all provide significant security layers for every aspect of the data journey from PLC to end user application. When pushing data to the cloud, AWS manages security of the cloud, however security in the cloud is the responsibility of the customer.

Resources

Kanoa User Management

Kanoa MES leverages the built-in security models provided by Ignition™ and further extends it to manage the access control levels a user has within the application. So how does this work?

Ignition™ provides essentially several user authentication models, Internal, Active Directory and Hybrid. These configurations allow users to be authenticated directly against Active Directory, via federated Identity providers or by Ignition.

Kanoa MES supports multi-enterprise asset hierarchies on the same gateway server. Because of this we provide a Gateway Admin' role that provides 'Administrator' level rights for all enterprises. The Gateway Admin is the only user who can make another user an 'Administrator' for one or more enterprises. The 'Administrator' can then manage the access and roles users have within that enterprise.

Our security model allows for custom roles to be created and functions can be assigned to that role. A function is a reserved term that is used throughout the MES application to determine if a user has rights to perform these functions.

When the Ignition user source is set to internal or AD/Internal, users can be added and deleted within the Kanoa MES application. If the userSource is set to Active Directory, only a user’s roles can be configured.

Kanoa MES extends the built-in security model provided by Ignition to ensure that operators, supervisors, managers, engineers all have the access they need to only the assets they are responsible for. When a user is no longer employed, iDP authentication will automatically prevent them from accessing the systems. Even when a user is removed from Active Directory or the internal Ignition user source, all production data they modified, production runs they started, remain in the Kanoa MES data store.