Individual User Login

Have a question for the community and what you are seeing in industry.

I would like to implement individual user logins for all the operators but am getting a little push back from operations. How is everyone handling user accounts? With the push towards cybersecurity and our plans of moving to ISA 62443 compliant I see it as necessity. Operations is worried about the time it will take for one user to log off and the new user to logon.  I feel is not only strengthens the security but it also us to more accurately audit events and provides user accountability.

We will be using mostly thin clients and virtual sessions for our operators in the control room so I was wondering if anyone has successfully implemented badge readers on thin clients as well.

4 Replies

  • Thats an excellent topic Mr. Werner and one I will be very interested to see what responses you get. I am currently in a similar situation and meeting with the same resistance. While I understand and appreciate the concerns around individual login requirements, I have been at too many sites where this was implemented and never heard of any serious repercussions from it.
  • In reply to Matt Wicks:

    So Matt you have actually seen this implemented. What industry? I am in Oil and Gas so it would be great if that is where you saw it implemented. They are big at hearing "so and so" has it implemented.
  • I completely agree with the need for individual logins to perform critical functions - such as alarm suppression, interlock bypasses, and configuration changes. Good security to control/prevent remote access is also highly critical. And, control rooms that are not permanently manned may need extra security including login controls.

    Beyond that, I’m not completely sold on the idea. Most of the argument I’ve heard revolves around the disgruntled employee or an undetected intruder making control system changes. But for someone who is on-site, I don’t see the control system as the weak-link. Much of the motor driven equipment has local start/stop buttons. Air lines can easily be removed from valves. Shims can be placed on valve stems to prevent movement. There are a large number of manually operated valves and bypass lines in plants. And many plants with a DCS still have panel mounted controls in the control room or field with no way to add security.

    All that being said, I am sure most of us will implement some form of individual logins in the not too distant future. I have been involved in a couple of different attempts at this. IMO, the first was a complete failure. The process was driven by corporate IT types who had no real understanding of control system environments, and they never really tested the process in a DCS system (it was a fingerprint based system). Often, multiple patches per day were issued to fix bugs found in live systems. Luckily, I was able to slip below the radar and did not ever really try to use the fingerprint readers.

    The next implementation was mandated by the same group, but driven by control systems engineers – and had a higher level of success. But to protect against locked accounts and forgotten passwords during a 2am alarm flood, an “Easy Button” was given to give the operators temporary access to the control system with a generic login. Use of this login would sound an alarm on the other consoles and was only available for a short duration. This “Easy Button” helped with the acceptance of the individual logins in operations. This wasn’t a totally secure function. But in control rooms with multiple operators, visibility of the use of the generic login does lead to accountability in the usage fo the function.
  • In reply to David Nelson:

    It sounds like everyone agrees that the principle is sound, but the execution may be problematic.

    Regarding an operators ability to mechanically bypass process equipment, I am certain that more and more facilities are installing security cameras for the specific purpose of 'auditing' personnel activity in the physical world. Before long, industrial wearable technologies will be prolific, creating tremendous benefit to operations, but also facilitating greater oversight and accountability.

    If individual passwords are a problem (I guess it depends on the industry, as every life sciences site I have ever seen employs individual log-ins, but they may have less need to react lightning-fast to process disturbances), DeltaV does support smart cards to make things easier.