Defense in depth: Best practices to secure your networked system

With the development of the Internet of Things (IoT), securing a connected system is becoming a critical issue. Here are some tips and concepts provided by network security experts from Pack Expo 2014.


Amadou Diaw, business development leader at Rockwell Automation talks about ways to protect connected enterprise systems from system attacks during Pack Expo 2014 in Chicago, Ill. Courtesy: Joy Chang, Control EngineeringConnected enterprise systems are on the rise. With more and more devices connected by the Internet of Things (IoT), network security becomes crucial since connected systems are more susceptible to malware and attacks. One misconfiguration can shut the whole system down.

According to Amadou Diaw, business development leader at Rockwell Automation, 80% of industrial network operators have faced a large scale of denial-of-service (DDoS) attack; $8.4 million dollars is the average cost per day for network downtime; and $60 million dollars was spent on global cyber security in 2011. Diaw added that 91% of breaches took less than a day to execute; 62% took months to years to discover; 53% took months to contain.

Defense in depth

Alan Raveling, a manufacturing IT senior analyst at Interstates, emphasized defense in depth to counter system attacks. Defense in depth requires users to overlap different security systems in case one of them fails. An example is a firewall coupled with an intrusion-detection system (IDS).

Alan Raveling, manufacturing IT senior analyst at Interstates, emphasized the concept of defense in depth and how it can help protect connected systems. Joy Chang, Control EngineeringRaveling suggests these steps when establishing a defense in depth security network:

  1. Identify integrated computer systems (ICS) vulnerabilities
  2. Establish vulnerability awareness and initiate secure programming
  3. Set up network configurations and follow firewall rules
  4. Provide training on procedures and maintenance policies.

Defense in depth is not limited to just the network. It also involves security to I/O, applications, PLCs; encryption on PLCs; and user access controls via active directory. There are also ways to secure the network physically like disabling Ethernet ports on network switches, controlling access to areas, and having a policy of how/when to connect to the control network.

Firewalls, NAT, and DMZ

Raveling suggested the use of firewalls and network address translation (NAT), and demilitarized zones (DMZ) to secure industrial networks. Firewalls allow only predefined network traffic to pass while preventing untrusted traffic from reaching devices. NAT can acts as a go-between appliance to communicate between internal networks and provide address translation. DMZ is used to create buffer zone between enterprise and manufacturing networks. DMZ can hold data resources when requested by untrusted outside personnel. The use of multiple security networks separates I/O networks from the control local area network (LAN) and partition network traffic based on functionalities. This makes data more sensitive to details and increases the system's complexity.

Global system attacks tracking device at the Rockwell Automation booth during Pack Expo 2014. Courtesy: Joy Chang, Control EngineeringDiaw also provided some extra tips for defending integrated computer systems (ICS):

1. Separate control network from enterprise network

2. Harden connection to enterprise network

  • Protect all points of entry with strong authentication
  • Make reconnaissance difficult from inside
  • Avoid single points of vulnerability
  • Frustrate opportunities to expand a compromise

3. Harden field sites and partner connections to establish "mutual untrust"

4. Monitor both perimeter and inside events

5. Periodically scan for changes in security posture.

- Joy Chang, digital project manager, CFE Media, 

See other Pack Expo stories below.

No comments
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Additive manufacturing benefits; HMI and sensor tips; System integrator advice; Innovations from the industry
Robotic safety, collaboration, standards; DCS migration tips; IT/OT convergence; 2017 Control Engineering Salary and Career Survey
Integrated mobility; Artificial intelligence; Predictive motion control; Sensors and control system inputs; Asset Management; Cybersecurity
Featured articles highlight technologies that enable the Industrial Internet of Things, IIoT-related products and strategies to get data more easily to the user.
This article collection contains several articles on how automation and controls are helping human-machine interface (HMI) hardware and software advance.
This digital report will explore several aspects of how IIoT will transform manufacturing in the coming years.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Infrastructure for natural gas expansion; Artificial lift methods; Disruptive technology and fugitive gas emissions
Mobility as the means to offshore innovation; Preventing another Deepwater Horizon; ROVs as subsea robots; SCADA and the radio spectrum
Future of oil and gas projects; Reservoir models; The importance of SCADA to oil and gas
Automation Engineer; Wood Group
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
click me