Defense in depth: Best practices to secure your networked system

With the development of the Internet of Things (IoT), securing a connected system is becoming a critical issue. Here are some tips and concepts provided by network security experts from Pack Expo 2014.


Amadou Diaw, business development leader at Rockwell Automation talks about ways to protect connected enterprise systems from system attacks during Pack Expo 2014 in Chicago, Ill. Courtesy: Joy Chang, Control EngineeringConnected enterprise systems are on the rise. With more and more devices connected by the Internet of Things (IoT), network security becomes crucial since connected systems are more susceptible to malware and attacks. One misconfiguration can shut the whole system down.

According to Amadou Diaw, business development leader at Rockwell Automation, 80% of industrial network operators have faced a large scale of denial-of-service (DDoS) attack; $8.4 million dollars is the average cost per day for network downtime; and $60 million dollars was spent on global cyber security in 2011. Diaw added that 91% of breaches took less than a day to execute; 62% took months to years to discover; 53% took months to contain.

Defense in depth

Alan Raveling, a manufacturing IT senior analyst at Interstates, emphasized defense in depth to counter system attacks. Defense in depth requires users to overlap different security systems in case one of them fails. An example is a firewall coupled with an intrusion-detection system (IDS).

Alan Raveling, manufacturing IT senior analyst at Interstates, emphasized the concept of defense in depth and how it can help protect connected systems. Joy Chang, Control EngineeringRaveling suggests these steps when establishing a defense in depth security network:

  1. Identify integrated computer systems (ICS) vulnerabilities
  2. Establish vulnerability awareness and initiate secure programming
  3. Set up network configurations and follow firewall rules
  4. Provide training on procedures and maintenance policies.

Defense in depth is not limited to just the network. It also involves security to I/O, applications, PLCs; encryption on PLCs; and user access controls via active directory. There are also ways to secure the network physically like disabling Ethernet ports on network switches, controlling access to areas, and having a policy of how/when to connect to the control network.

Firewalls, NAT, and DMZ

Raveling suggested the use of firewalls and network address translation (NAT), and demilitarized zones (DMZ) to secure industrial networks. Firewalls allow only predefined network traffic to pass while preventing untrusted traffic from reaching devices. NAT can acts as a go-between appliance to communicate between internal networks and provide address translation. DMZ is used to create buffer zone between enterprise and manufacturing networks. DMZ can hold data resources when requested by untrusted outside personnel. The use of multiple security networks separates I/O networks from the control local area network (LAN) and partition network traffic based on functionalities. This makes data more sensitive to details and increases the system's complexity.

Global system attacks tracking device at the Rockwell Automation booth during Pack Expo 2014. Courtesy: Joy Chang, Control EngineeringDiaw also provided some extra tips for defending integrated computer systems (ICS):

1. Separate control network from enterprise network

2. Harden connection to enterprise network

  • Protect all points of entry with strong authentication
  • Make reconnaissance difficult from inside
  • Avoid single points of vulnerability
  • Frustrate opportunities to expand a compromise

3. Harden field sites and partner connections to establish "mutual untrust"

4. Monitor both perimeter and inside events

5. Periodically scan for changes in security posture.

- Joy Chang, digital project manager, CFE Media, 

See other Pack Expo stories below.

No comments
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
The Engineering Leaders Under 40 program identifies and gives recognition to young engineers who...
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Make Big Data and Industrial Internet of Things work for you, 2017 Engineers' Choice Finalists, Avoid control design pitfalls, Managing IIoT processes
Engineering Leaders Under 40; System integration improving packaging operation; Process sensing; PID velocity; Cybersecurity and functional safety
Mobile HMI; PID tuning tips; Mechatronics; Intelligent project management; Cybersecurity in Russia; Engineering education; Road to IANA
This article collection contains several articles on the Industrial Internet of Things (IIoT) and how it is transforming manufacturing.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

SCADA at the junction, Managing risk through maintenance, Moving at the speed of data
Flexible offshore fire protection; Big Data's impact on operations; Bridging the skills gap; Identifying security risks
The digital oilfield: Utilizing Big Data can yield big savings; Virtualization a real solution; Tracking SIS performance
click me