Industrial network security best practice advice

Four myths about networking and cybersecurity related to operational technology (OT) systems are highlighted, along with three pillars for securing industrial networks.

By Alvis Chen April 23, 2020

Cybersecurity is a major concern for those deploying Industrial Internet of Things (IIoT) or Industry 4.0 systems. Often, when operational technology (OT) systems are connected to the internet or connected to other information technology (IT) systems, they become a point of weakness for malicious attacks or accidental data loss. Why, then, is cybersecurity so often overlooked by OT engineers?

The answer can be traced to four common myths that are no longer true in today’s highly interconnected world.

Myth 1: My industrial network is physically isolated and not connected to the internet, so my network is secure:

This may have been the case ten years ago, but today many IIoT devices are already directly connected to the internet, bypassing traditional IT security layers. A question often asked is: Why do so many IIoT devices need to connect to the internet? The main reason is because IIoT systems need to collect large amounts of data for further analysis. Since the data sources may not be in the same locations, it is necessary to send the data to a remote server by connecting your systems to the internet.

Even if your industrial control systems (ICS) or industrial networks are not connected to the internet, they may still be exposed to unauthorized connections. For example, a third-party vendor or an automation engineer may plug an unauthorized laptop or USB drive into the system to apply updates or to conduct routine maintenance or troubleshooting. Each such connection is an unmanaged path into the ICS, and it makes ICS devices more vulnerable.

Myth 2: Hackers do not understand ICS, PLCs, and SCADA systems, so my network is secure:

Since 2010, there have been several sophisticated cyberattacks targeting ICS networks, as well as malware written specifically for industrial control devices. This trend indicates that attackers are shifting their focus to industrial sectors such as oil and gas, energy, and manufacturing, and it suggests that attacks on these sectors will increase in the future.

Myth 3: My network is too small to be targeted, so my network is secure:

Many breaches originate inside the network, from trusted users, employees, and external contractors who have authorized access. Often the breach is unintentional, the result of human error or a malfunctioning device, and neither of those has anything to do with the size of the company. Although unintentional, such incidents can still cause substantial damage and financial loss to your business.

Myth 4: I already have a firewall to protect my industrial network, so my network is secure:

Firewalls provide a first layer of protection, but they are not 100% effective. Moreover, most general-purpose firewalls do not understand industrial protocols (for example, Modbus TCP, EtherNet/IP, and Profinet). Without proper configuration, such a firewall may block the traffic a control system depends on and shut down production; and without protocol awareness it cannot tell a harmless read from a dangerous write command travelling on the same TCP port. Simply put, installing a firewall cannot guarantee complete protection for an ICS network. Instead, industrial firewalls should be used as one layer of a layered defense (the defense-in-depth approach) to protect critical control devices, production lines, and the entire factory. In addition, industrial devices should be updated regularly with security patches to protect against known attacks.

Network security best practices

Despite the differences in priorities and techniques used to protect industrial control systems versus enterprise IT systems, several industry organizations have developed standards and security guidelines for connecting or converging ICS with IT systems. In particular, the Industrial Internet Consortium (IIC), the National Institute of Standards and Technology (NIST), and the International Electrotechnical Commission (IEC) focus on three major areas for improving ICS cybersecurity.

These three pillars for securing industrial networks include:

  • Deploy defense-in-depth protection for industrial networks.
  • Enable security settings on your industrial networks.
  • Manage security through education, policies, and monitoring.

Based on these three pillars, the following best practices are recommended as a first step toward shoring up ICS cybersecurity.

Pillar 1: Secure network infrastructure

Secure networks are made by design. Unfortunately, most automation networks have been deployed, added to, and modified slowly over years or even decades. Many PLC networks and devices were not designed to be connected to a plant network or the internet and often lack strong security features. Since the priority was to keep the plant operating, networks were designed more with simplicity in mind than security.

In order to deploy a secure industrial network, the first thing to consider is a ‘defense-in-depth’ network design. This starts with segmenting the network into logical zones (the zone-and-conduit model of IEC 62443), each isolated and protected by industrial firewalls. Between zones, define conduits: the permitted communication paths, each enforced by firewall rules that filter which hosts, protocols and, on a protocol-aware firewall, which commands may cross from one zone to another. In short, a defense-in-depth design seeks to protect the network from the inside out.

Consider the example of a smart factory. Deploying a firewall between the IT network and the OT network is important, but it is not enough. Within the OT network, additional firewalls should be installed in front of critical assets, such as the controllers of a distributed control system (DCS). By making it harder for unauthorized personnel to reach a critical system, you limit the potential impact of a security breach to a single zone rather than the entire network.
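To make the zone-and-conduit design concrete, and the Myth 4 point that a firewall has to understand the industrial protocol it filters, here is an added example written for this edit (it is not code from the article or from Moxa). It models three hypothetical zones and two conduits, parses the Modbus TCP MBAP header to recover the function code, and lets an IT historian read from the supervisory zone while denying writes from IT, denying any direct IT-to-controller path, and dropping malformed frames. The zone addresses, the conduit policy, and the request frames are all constructed for illustration.

```python
"""Zone-and-conduit policy check for Modbus TCP with function-code filtering.

Added example, not from the original article. Zone names, addressing and the
conduit policy are hypothetical and constructed for illustration only.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

MODBUS_PORT = 502
READ_FUNCTIONS = {1, 2, 3, 4}      # read coils / discrete inputs / holding regs / input regs
WRITE_FUNCTIONS = {5, 6, 15, 16}   # write single coil / single reg / multiple coils / multiple regs

# Hypothetical zones of a small plant network (constructed addressing).
ZONES = {
    "it_historian":   ipaddress.ip_network("10.1.0.0/24"),
    "ot_supervisory": ipaddress.ip_network("10.2.0.0/24"),
    "ot_control":     ipaddress.ip_network("10.3.0.0/24"),
}


@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    dst_port: int
    functions: frozenset  # Modbus function codes this conduit may carry


# Default-deny policy: traffic that matches no conduit is dropped.
CONDUITS = [
    # The historian may only read from supervisory hosts, never write.
    Conduit("it_historian", "ot_supervisory", MODBUS_PORT, frozenset(READ_FUNCTIONS)),
    # The supervisory (HMI/SCADA) zone may read and write to the controller zone.
    Conduit("ot_supervisory", "ot_control", MODBUS_PORT, frozenset(READ_FUNCTIONS | WRITE_FUNCTIONS)),
]


def zone_of(ip: str) -> Optional[str]:
    """Return the zone name containing ip, or None if it is outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def parse_modbus_tcp(payload: bytes) -> dict:
    """Parse the 7-byte MBAP header plus function code; raise ValueError if malformed."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id, function = struct.unpack(">HHHBB", payload[:8])
    if protocol_id != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(payload) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return {"transaction_id": transaction_id, "unit_id": unit_id,
            "function": function, "data": payload[8:]}


def evaluate(src_ip: str, dst_ip: str, dst_port: int, payload: bytes) -> tuple:
    """Return ("ALLOW" | "DENY", reason) for one Modbus TCP request crossing the firewall."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return "DENY", "address outside any defined zone"
    if src_zone == dst_zone:
        return "ALLOW", "intra-zone traffic is not subject to the conduit policy"
    try:
        frame = parse_modbus_tcp(payload)
    except ValueError as exc:
        return "DENY", f"malformed Modbus frame: {exc}"
    for c in CONDUITS:
        if (c.src_zone, c.dst_zone, c.dst_port) == (src_zone, dst_zone, dst_port):
            if frame["function"] in c.functions:
                return "ALLOW", f"conduit {src_zone}->{dst_zone} permits function {frame['function']}"
            return "DENY", f"function {frame['function']} not permitted on conduit {src_zone}->{dst_zone}"
    return "DENY", f"no conduit from {src_zone} to {dst_zone}:{dst_port}"


def build_request(transaction_id: int, unit_id: int, function: int, data: bytes) -> bytes:
    """Build a Modbus TCP request frame (used only to construct sample input)."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


if __name__ == "__main__":
    read_hr = build_request(1, 1, 3, struct.pack(">HH", 0, 10))       # read 10 holding registers
    write_hr = build_request(2, 1, 6, struct.pack(">HH", 0, 0xFFFF))  # write single register
    print(evaluate("10.1.0.5", "10.2.0.10", 502, read_hr))    # ALLOW: historian may read
    print(evaluate("10.1.0.5", "10.2.0.10", 502, write_hr))   # DENY: writes from IT blocked
    print(evaluate("10.1.0.5", "10.3.0.10", 502, read_hr))    # DENY: no IT->controller conduit
    print(evaluate("10.2.0.7", "10.3.0.10", 502, write_hr))   # ALLOW: supervisory may write
    print(evaluate("10.2.0.7", "10.3.0.10", 502, b"\x00\x01\x00"))  # DENY: malformed frame
```

The point of the function-code check is the one a port-only firewall cannot make: both the read and the write above arrive on TCP 502 from the same host, and only a rule that parses the Modbus PDU can permit the first while blocking the second. A real deployment would track TCP streams and responses as well, but the default-deny, per-conduit shape of the policy is the same.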

An intrusion detection system (IDS) or intrusion prevention system (IPS) adds a further layer for industrial networks: it monitors network traffic for malicious activity and, in the case of an IPS, can block it. IDS/IPS is common in IT and office networks, but it also applies to ICS networks, where many HMI and engineering applications run on Windows-based industrial computers and are exposed to the same malware. In an OT network, start in passive (IDS) mode and enable blocking only for well-understood traffic, since an IPS that drops a legitimate control message can stop a process just as surely as an attack can.

Another important factor in secure network design is secure remote access. Similar to using VPN software on a laptop to access a corporate network from home, it is also possible to deploy encrypted VPN connections for remote monitoring or remote maintenance.

Pillar 2: Hardened device security

Another best practice for shoring up industrial network security is device security, often referred to as device hardening. This means securing the network switches, routers, and other devices connected to the industrial control system: requiring user authentication for management access, protecting the integrity and confidentiality of management traffic and data (for example, using encrypted management protocols rather than plaintext ones), and using authentication to control which devices may join the network (for example, IEEE 802.1X or switch port security).

While these concepts will be familiar, it is quite common to see industrial devices in critical systems deployed with little to no configuration for security.

Besides the previously mentioned security settings, also consider vulnerability management. Because vulnerabilities can affect components from virtually every software and device manufacturer, working with vendors that have a well-defined response plan for patching vulnerabilities is more important than ever.

Pillar 3: Security management and education

The third best practice is security management: monitoring network security and educating and training the engineers who use the ICS to comply with the new security policies. Education that ensures cybersecurity policies and practices are actually followed may be the most important best practice of all, as well as the most difficult to implement successfully. To facilitate compliance, consider investing in specialized software tools to manage ICS security policies more efficiently.

In particular, industrial network management software can scan network devices and maintain an inventory, so that a device that should not be there is easy to spot and remove. Some tools can also apply a consistent security configuration to new devices, visually verify that devices have been configured correctly, and back up configuration files to aid recovery if an incident occurs.

Another important feature is real-time event notification and logging. Logs help detect suspicious activity and trace an incident before damage is done. Security information and event management (SIEM) systems are core components of IT security monitoring, so some industrial network management systems also offer APIs (for example, RESTful APIs) or support for common network protocols (for example, SNMP traps or syslog) to integrate ICS events with an existing SIEM.
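As an added example of the inventory check and event logging described in the last two paragraphs (written for this edit, not from the article or any vendor's product), the following reconciles a periodic scan against an approved baseline and turns the differences into JSON events that a syslog forwarder or SIEM collector could ingest. The baseline, the scan results, the device roles, and the event field names are constructed for the example.

```python
"""Inventory reconciliation for an industrial network, emitting SIEM-ready events.

Added example, not from the original article. BASELINE and SCAN are
constructed data; the JSON event schema is an assumption for illustration.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    ip: str
    mac: str
    role: str  # e.g. "plc", "hmi", "switch"; "unknown" for freshly discovered hosts


# Approved inventory (constructed). In practice this is the baseline recorded
# by the network management system after commissioning.
BASELINE = {
    "10.3.0.10": Device("10.3.0.10", "00:90:e8:11:22:33", "plc"),
    "10.3.0.11": Device("10.3.0.11", "00:90:e8:11:22:34", "plc"),
    "10.2.0.7":  Device("10.2.0.7",  "00:1b:21:aa:bb:cc", "hmi"),
    "10.3.0.1":  Device("10.3.0.1",  "00:90:e8:00:00:01", "switch"),
}

# Result of one periodic scan (constructed): one PLC address answers with a
# different MAC, an unknown host has appeared, and the switch did not respond.
SCAN = [
    Device("10.3.0.10", "00:90:e8:11:22:33", "unknown"),
    Device("10.3.0.11", "3c:5a:b4:99:88:77", "unknown"),  # MAC differs from baseline
    Device("10.2.0.7",  "00:1b:21:aa:bb:cc", "unknown"),
    Device("10.3.0.50", "a4:83:e7:12:34:56", "unknown"),  # not in baseline at all
]


def reconcile(baseline: dict, scan: list) -> list:
    """Compare a scan against the baseline; return one event dict per discrepancy."""
    events = []
    seen = {d.ip: d for d in scan}
    for ip, found in seen.items():
        expected = baseline.get(ip)
        if expected is None:
            # A host nobody approved: a contractor laptop, a rogue access point, ...
            events.append({"event": "unknown_device", "severity": "high",
                           "ip": ip, "mac": found.mac})
        elif expected.mac.lower() != found.mac.lower():
            # Same address, different hardware: replaced device or address spoofing.
            events.append({"event": "mac_changed", "severity": "high", "ip": ip,
                           "expected_mac": expected.mac, "observed_mac": found.mac,
                           "role": expected.role})
    for ip, expected in baseline.items():
        if ip not in seen:
            # An approved device that stopped answering: outage, theft, or tampering.
            events.append({"event": "device_missing", "severity": "medium",
                           "ip": ip, "role": expected.role})
    return events


def to_json_lines(events: list, source: str = "ot-nms") -> list:
    """Render events as one JSON object per line, tagged with the reporting system."""
    return [json.dumps({"source": source, **event}, sort_keys=True) for event in events]


if __name__ == "__main__":
    for line in to_json_lines(reconcile(BASELINE, SCAN)):
        print(line)
```

The three events this produces map directly onto the myths above: the unknown host is the unauthorized laptop of Myth 1, and a changed MAC on a PLC address is exactly the kind of quiet substitution a firewall alone would never report. Feeding the lines to the SIEM over syslog or a REST collector puts OT inventory changes beside the IT events analysts already watch.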

This article originally appeared on Control Engineering Europe’s website. Edited by Keagan Gay, digital media & production coordinator, CFE Media, kgay@cfemedia.com


Author Bio: Alvis Chen is the global marketing, integrated marketing project manager at MOXA. He has a master’s degree in electrical and electronics engineering from National Chung Cheng University.