Manufacturing companies are placing increasing emphasis on data security throughout their operations to protect confidential data and to validate that their systems are protected against unauthorized and unwanted changes. The critical role that vision plays in many manufacturing processes makes it essential that system security be improved for vision applications. A new generation of vision-specific security tools offers improvements in access control, change tracking, auditing, and general network security to help ensure the integrity of vision applications while at the same time protecting data confidentiality.

Vision System Security Concerns

Users can set a variety of application-specific access rights to functionality in the Custom View GUI display.
A few decades ago, when production systems were primarily analog, they were often completely isolated from outside access. Since that time, plant operations have migrated to PC-based controls and monitoring with graphical human machine interfaces (HMIs) to graphically depict facility processes in real time. The personal computers that these systems run on, as well as the programmable logic controllers (PLCs) used to execute many industrial processes, are now usually connected to the larger corporate network in order to provide management reporting of production systems and communicate product data and information.

Vision systems often store or generate sensitive information such as product tolerances, inspection recipes, and quality control data. A particular concern involves the transfer of serialized data in the pharmaceutical industry. Various international traceability and serialization initiatives are being implemented to protect billion-dollar drugs from counterfeiting. The validation of the program is dependent on the integrity of this serialized information, which is managed and verified throughout the supply chain by vision systems.

Another critical concern is unauthorized changes made internally to bypass inspections as well as unauthorized changes that may seem innocuous, but are actually detrimental to the quality or integrity of the product. The danger is particularly great for regulated industries such as pharmaceuticals and medical devices where a failure of the manufacturing process could possibly lead to a customer injury.

Vision System Vulnerabilities

The Cognex Directory Server provides authentication and access rights including secure control of username and password settings, and per-user permissions for camera settings.
Like many other nodes of factory networks, traditional vision systems provide little protection against unauthorized access. Communication between vision systems and other devices traditionally occurs without encryption, which could leave data vulnerable to intended or unintended subversive action. Vision systems have long offered password protection but user access has been administered locally, which makes it very cumbersome to administer security parameters and creates the risk that user access information will become outdated, which can create vulnerabilities.

For example, previously Cognex In-Sight vision systems could be configured with one of three access settings. Like other smart camera designs, administration occurred locally; administrators were required to log into each vision system from the In-Sight Explorer programming software to modify user credentials and privileges. These settings were not readily transferrable; user lists were unique to each In-Sight vision system. The result was that systems administrators often did not have the time to maintain good security practices, especially on larger vision installations that sometimes include thousands of devices. Furthermore, it was normally not possible to maintain an audit trail of access to the devices, which in turn made it difficult to detect intruders.

Securing Vision Systems from Unauthorized Access

In today’s networked world, vision systems need to provide much higher levels of data security in order to secure critical manufacturing and quality control recipes and settings against tampering. There is a way to address these challenges with several products that substantially increase the level of data security of critical vision information. One of the key requirements is controlling who is accessing the system and what type of changes they are allowed to make. Cognex Directory Server (CDS) provides authentication and access rights from a central server including secure centralized control for all username and password settings network-wide, and customized per-user permissions for job parameters, In-Sight camera settings, and In-Sight Explorer functions.

With a centrally managed smart camera architecture, privileges are configured remotely through the browser-based Directory Management Utility. For companies with large installed bases of In-Sight systems on the plant floor, the ability to update user information and access privileges remotely, offline, and in aggregate, without having to log into the individual smart cameras to configure this information, reduces downtime and increases administrative management efficiency.

From the Management Utility, CDS server administrators can add users and assign a multitude of permission levels, ranging from full programming access, to access to a single command embedded in the HMI graphical user interface, to read-only access. Administrators can group CDS-enabled In-Sight vision systems and assign users permissions based on these groups. This makes it easy to effectively manage, control, and update access to In-Sight vision systems according to a production line or section of a production floor.