Securing your industrial control network

Cyber security for industrial networks is rapidly becoming necessary. In recent years, there have been numerous attacks where critical infrastructure, private industry and public sector control networks have been compromised or taken down. Protecting a control network is often more challenging than protecting a traditional office network.

11/01/2009


Cyber security for industrial networks is rapidly becoming necessary. In recent years, there have been numerous attacks where critical infrastructure, private industry and public sector control networks have been compromised or taken down.

Protecting a control network is often more challenging than protecting a traditional office network. There is generally much less IT support on the plant floor than in an office. Plant networks also have older equipment running without support and non-patched operating systems. They need to avoid downtime that can occur when installing or updating firewall software or anti-virus programs.

Steps you can take to protect your control networks include setting up a firewall, segmenting the control network from the office network and taking some common-sense security steps.

Firewall protection

Implementing firewall protection secures your control network from unwanted and unnecessary traffic. A network firewall is hardware and/or software designed to protect network devices by inspecting each packet trying to pass through it. It denies or permits passage based on a set of rules.

Firewalls are grouped into categories based on rule complexity and traffic inspection level. These categories include access control lists, stateful inspection and application layer.

Access control list %%MDASSML%% Access control lists (ACLs) are the simplest firewalls. They inspect IP addresses bidirectionally. ACLs may also allow filtering on basic protocol choices such as TCP or UDP. You should be very explicit in setting up your rules. For example, to allow a PLC and an HMI to communicate, you must provide a rule that covers PLC-to-HMI and a rule that covers HMI back to PLC. ACL-based firewalls generally have the least latency because they evaluate only basic IP header information. They are still vulnerable to certain types of attacks such as spoofing.

Stateful firewalls %%MDASSML%% Stateful firewalls add a level of protection beyond ACLs without a significant increase to latency or cost. They still allow bidirectional IP header filtering. They also allow filtering on specific application layer protocols such as http, ftp, Modbus/TCP and EtherNet/IP.

Stateful firewalls also keep track of the connection state of the traffic flowing through them. Unlike ACLs, you don’t need to configure separate rules for your PLC and HMI to talk to each other. Create a rule allowing the PLC to talk to the HMI, and the firewall notes that you established a connection to the HMI’s IP address. The stateful firewall can also protect against spoofing and other attacks where invalid IP addressing is used.

Application layer firewalls %%MDASSML%% An application layer allows deep packet inspection; you also see what the packet contains, allowing you to filter out certain types of content within otherwise valid packets. However, the inherent latency is not compatible with typical industrial applications, where tens of milliseconds can make a difference.

Control network segmentation

Segmenting your control network from the office network provides further protection. This is done by using a router. Available for less than $1,000, a router keeps broadcast traffic such as ARPs off the control network. Of course, the router still allows communication between the control and office networks, but it will allow you to manage it better.

Common sense

Finally, don’t forget to take simple security precautions such as:

  • Using strong passwords (6+ character, mix of letters and numbers)

  • Auditing who has access and to what on the network

  • Logging any configuration changes to verify who is doing what.

    • Treat access to your control network the same way you treat access to your credit card information; your network will be much more secure.

      Securing your network is not a one-time task; it is an on-going process that you should revisit frequently to keep up with emerging threats. Take the steps needed to protect your network to ensure that your data, processes and business are safe.

       


      <table ID = 'id1120875-0-table' CELLSPACING = '0' CELLPADDING = '2' WIDTH = '100%' BORDER = '0'><tbody ID = 'id1120886-0-tbody'><tr ID = 'id1120888-0-tr'><td ID = 'id1120890-0-td' CLASS = 'table' STYLE = 'background-color: #EEEEEE'> Author Information </td></tr><tr ID = 'id1121353-3-tr'><td ID = 'id1121355-3-td' CLASS = 'table'> Dan Schaffer is a product marketing lead specialist for Phoenix Contact. He has more than 10 years experience as a network engineer, specializing in troubleshooting and design. </td></tr></tbody></table>


No comments
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
Each year, a panel of Control Engineering editors and industry expert judges select the System Integrator of the Year Award winners.
Control Engineering Leaders Under 40 identifies and gives recognition to young engineers who...
Learn more about methods used to ensure that the integration between the safety system and the process control...
Adding industrial toughness and reliability to Ethernet eGuide
Technological advances like multiple-in-multiple-out (MIMO) transmitting and receiving
Virtualization advice: 4 ways splitting servers can help manufacturing; Efficient motion controls; Fill the brain drain; Learn from the HART Plant of the Year
Two sides to process safety: Combining human and technical factors in your program; Preparing HMI graphics for migrations; Mechatronics and safety; Engineers' Choice Awards
Detecting security breaches: Forensic invenstigations depend on knowing your networks inside and out; Wireless workers; Opening robotic control; Product exclusive: Robust encoders
The Ask Control Engineering blog covers all aspects of automation, including motors, drives, sensors, motion control, machine control, and embedded systems.
Join this ongoing discussion of machine guarding topics, including solutions assessments, regulatory compliance, gap analysis...
News and comments from Control Engineering process industries editor, Peter Welander.
IMS Research, recently acquired by IHS Inc., is a leading independent supplier of market research and consultancy to the global electronics industry.
This is a blog from the trenches – written by engineers who are implementing and upgrading control systems every day across every industry.
Anthony Baker is a fictitious aggregation of experts from Callisto Integration, providing manufacturing consulting and systems integration.
Integrator Guide

Integrator Guide

Search the online Automation Integrator Guide
 

Create New Listing

Visit the System Integrators page to view past winners of Control Engineering's System Integrator of the Year Award and learn how to enter the competition. You will also find more information on system integrators and Control System Integrators Association.

Case Study Database

Case Study Database

Get more exposure for your case study by uploading it to the Control Engineering case study database, where end-users can identify relevant solutions and explore what the experts are doing to effectively implement a variety of technology and productivity related projects.

These case studies provide examples of how knowledgeable solution providers have used technology, processes and people to create effective and successful implementations in real-world situations. Case studies can be completed by filling out a simple online form where you can outline the project title, abstract, and full story in 1500 words or less; upload photos, videos and a logo.

Click here to visit the Case Study Database and upload your case study.