Securing Confidences

Securing and validating critical vision data

Manufacturing companies are placing increasing emphasis on data security throughout their operations to protect confidential data and to validate their systems are protected against unauthorized and unwanted changes. The critical role that vision plays in many manufacturing processes makes it essential that system security be improved for vision applications. A new generation of vision-specific security tools offers improvements in access control, change tracking, auditing and general network security to help ensure the integrity of vision applications while at the same time protecting data confidentiality.

Vision System Security Concerns

A few decades ago, when production systems were primarily analog, they were often completely isolated from outside access. Since that time, plant operations have migrated to PC-based controls and monitoring with graphical human machine interfaces (HMIs) to graphically depict facility processes in real time. The personal computers that these systems run on as well as the programmable logic controllers (PLCs) used to execute many industrial processes are now usually connected to the larger corporate network in order to provide management reporting of production systems and communicate product data and information.

Vision systems often store or generate sensitive information such as product tolerances, inspection recipes and quality control data. A particular concern involves the transfer of serialized data in the pharmaceutical industry. Various international traceability and serialization initiatives are being implemented to protect billion dollar drugs from counterfeiting. The validation of the program is dependent on the integrity of this serialized information which is managed and verified throughout the supply chain by vision systems.

Another critical concern is unauthorized changes made internally to bypass inspections as well as unauthorized changes that may seem innocuous but are actually detrimental to the quality or integrity of the product. The danger is particularly great for regulated industries such as pharmaceuticals and medical devices where a failure of the manufacturing process could possibly lead to a customer injury.

Vision System Vulnerabilities

Like many other nodes of factory networks, traditional vision systems provide little protection against unauthorized access. Communications between vision systems and other devices traditionally occurs without encryption which could leave data vulnerable to intended or unintended subversive action. Vision systems have long offered password protection but user access has been administered locally which makes it very cumbersome to administer security parameters and creates the risk that user access information will become outdated which can create vulnerabilities. For example, previously Cognex In-Sight vision systems could be configured with one of three access settings.

Like other smart camera designs, administration occurred locally: administrators were required to log into each vision system from the In-Sight Explorer programming software to modify user credentials and privileges. These settings were not readily transferrable: user lists were unique to each In-Sight vision system. The result was that systems administrators often did not have the time to maintain good security practices, especially on larger vision installations which sometimes include thousands of devices. Furthermore, it was normally not possible to maintain an audit trail of access to the devices which in turn made it difficult to detect intruders.

Securing Vision Systems from Unauthorized Access

In today’s networked world, vision systems need to provide much higher levels of data security in order to secure critical manufacturing and quality control recipes and settings against tampering. Cognex has addressed these challenges with several products that substantially increase the level of data security of critical vision information. One of the key requirements is controlling who is accessing the system and what type of changes they are allowed to make. Cognex Directory Server (CDS) provides authentication and access rights from a central server including secure centralized control for all username and password settings network-wide and customized per-user permissions for job parameters, In-sight camera settings and In-Sight Explorer functions.

With the Cognex centrally managed smart camera architecture, privileges are configured remotely through the browserbased Cognex Directory Management Utility. For companies with large installed bases of In-Sight systems on the plant floor, the ability to update user information and access privileges remotely, offline, and in aggregate, without having to log into the individual smart cameras to configure this information, reduces downtime and increases administrative management efficiency.

From the Management Utility, CDS server administrators can add users and assign a multitude of permission levels, ranging from full programming access, to access to a single command embedded in the HMI graphical user interface, to readonly access. Administrators can group CDS-enabled In-Sight vision systems and assign users permissions based on these groups. This makes it easy to effectively manage, control and update access to In-Sight vision systems according to production line or section of a production floor.

Each time a user attempts to access an In-Sight vision system, the In-Sight vision system encrypts the username and password and queries them to the server ensuring that login information is verified to current information. Once the vision system verifies the user login information, the set of privileges associated with the user accessing the In-Sight vision system are queried from the server to the In-Sight vision system and to In-Sight Explorer before the user is allowed to perform any action.

Incorporating such an advanced level of security in the smart camera architecture is particularly beneficial for companies in regulated industries such as pharmaceutical and medical device. In conjunction with In-Sight vision systems’ built-in audit messaging capability, CDS makes it possible implement a more stringent interpretation of the FDA’s 21CFR Part 11 code of federal guidelines. CDS also offers a deeper level of eSignature security for companies following the GAMP5 approach to specification and verification of a validated system.

Confirming Process Specifications

Even when user access is controlled, the potential still exists for a user to make a change that will have an adverse impact on the performance of the system. Cognex TestRun addresses this challenge through its ability to be configured to run a series of tests to ensure that the vision system has not been tampered with and is operating according to process specifications. TestRun compares the current settings with the expected settings and flags anything that’s different. The next layer uses a database of stored images, often called a challenge set, to confirm that the current settings will correctly accept good parts and reject bad parts. Test cases can verify that the part is accepted with the right measurement tolerances or rejected for the right reason. TestRun can also incorporate tests that verify the physical environment to detect if the camera has been bumped and is out of position, if the lens is out of focus or if there’s a problem with the lighting.

Maintaining an Audit Trail

The Cognex Audit Message service application runs on a PC and tracks significant events on the camera. When the audit messaging is enabled, cameras send XML formatted messages to the audit messaging service whenever a user logs in, changes a job, puts the camera online or offline and changes a parameter. These messages can then be archived. If for some reason, the Audit Message service is down, the camera will buffer up to 1000 events on the camera, and then transmit them after the connection to the server is restored. In addition to logging camera events, the Audit Message service also logs events from Cognex Directory Server such as changes to access rights or privileges and who made the changes. Audit messaging helps meet the requirements established by 21 CFR Part 11 for electronic signatures and records for Cognex vision systems.

Maintaining Network Security

Network security in the factory is a critical issue. With increased dependence on Ethernet as the factory networking backbone, integration of production systems with ERP (Enterprise Resource Planning) systems and manufacturing execution systems (MES) has led to more Ethernet-enabled devices being accessible from the corporate LAN. As a result, the migration of IT into the factory is driving the demand for increased security.

CDS provides authentication and authorization services for In- Sight vision systems using the standard Ethernet security protocol SSL (Secure Socket Layer). All In-Sight vision systems with CDSmode authentication confirm user credentials and access privileges based on data stored in the server. This data is communicated securely so as to ensure that the data is not subverted or intercepted. The data security further extends to the Management Utility with the transmission of information encrypted over HTTPS.

To ensure that sensitive data is appropriately protected, Cognex has integrated standard encryption protocols to data transmission. IPsec provides secure transmission of data between an In-Sight vision system and other devices or PCs on the same network. IPsec is an open standard for encrypting and authenticating IP (Internet Protocol) traffic, and any two devices that are IPsec-capable can communicate securely. Additionally, In-Sight vision systems can securely write images to a secure FTP server (SFTP) on the network, communicating over the encrypted SSH protocol. Using IPSec or SFTP, companies can ensure sensitive proprietary or serialized data remains protected.

The challenge of securing vision applications boils down to controlling who is accessing the system and what types of changes they are making while protecting information as it moves from the vision system to the corporate network. Cognex CDS, TestRun and Audit Server and integrated encryption protocols make up a comprehensive suite of network security tools that can provide the level of system security needed to ensure that vision systems are operating according to process requirements while protecting critical data and reducing administration burdens.

This article originally appeared in the November 2016 issue of Security Today.


  • 12 Commercial Crime Sites to Do Your Research

    12 Commercial Crime Sites to Do Your Research

    Understanding crime statistics in your industry and area is crucial for making important decisions about your security budget. With so much information out there, how can you know which statistics to trust? Read Now

  • Boosting Safety and Efficiency

    Boosting Safety and Efficiency

    In alignment with the state of Mississippi’s mission of “Empowering Mississippi citizens to stay connected and engaged with their government,” Salient's CompleteView VMS is being installed throughout more than 150 state boards, commissions and agencies in order to ensure safety for thousands of constituents who access state services daily. Read Now

  • Live From GSX: Post-Show Review

    Live From GSX: Post-Show Review

    This year’s Live From GSX program was a rousing success! Again, we’d like to thank our partners, and IPVideo, for working with us and letting us broadcast their solutions to the industry. You can follow our Live From GSX 2023 page to keep up with post-show developments and announcements. And if you’re interested in working with us in 2024, please don’t hesitate to ask about our Live From programs for ISC West in March or next year’s GSX. Read Now

    • Industry Events
    • GSX
  • People Say the Funniest Things

    People Say the Funniest Things

    By all accounts, GSX version 2023 was completely successful. Apparently, there were plenty of mix-ups with the airlines and getting aircraft from the East Coast into Big D. I am all ears when I am in a gathering of people. You never know when a nugget of information might flip out. Read Now

    • Industry Events
    • GSX

Featured Cybersecurity


New Products

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area. 3

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings. 3

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file. 3