Cybersecurity advice for industrial networks

Manufacturers and industrial automation companies are making cybersecurity a major priority. Knowing where to start and what to emphasize can be a challenge. Several tips are highlighted to improve industrial network cybersecurity.

By Jim Mansfield, Dan McKarns and David Schultz August 17, 2022

Cybersecurity Insights

  • There is a greater risk of cybersecurity attack against operational technology (OT) targets as machines become integrated with information technology (IT) systems.
  • Consulting with subject matter experts (SMEs) and system integrators who are knowledgeable about the topic can help provide clarity to unique situations.
  • Manufacturers and industrial automation companies need to remain vigilant and on alert for potential cybersecurity attacks.

Manufacturers and industrial automation companies are making cybersecurity a major priority. The rise of Industry 4.0 and the Industrial Internet of Things (IIoT) makes gathering information about a plant’s operations and potential easier than ever. The problem is that the potential for cyber-attacks rises as well. For these companies, knowing where to start and what to emphasize with cybersecurity can be a challenge. Below, a system integrator shares insights on cybersecurity protection and on how manufacturers and engineers can better protect themselves and their industrial networks.

Q: How common are industrial networks as a means of entry for cybersecurity intrusion? How can risk be lowered?

A: With the rapid convergence of information technology (IT) and operational technology (OT), the automation and control systems across virtually all industrial markets and market segments are becoming more vulnerable to cyber-attacks. Network intrusions are coming from the top down and from the bottom up. Manufacturers should be monitoring their networks, or have their networks monitored, 24/7/365.

The 4th Industrial Revolution (Industry 4.0, or I4.0) and the Industrial Internet of Things (IIoT) are enabling more connected devices and software technology stacks from the shop floor to the top floor. Manufacturers need to be able to identify, and quickly recover from, any cyber-threat that could undermine the continuity of plant/facility network operations. Whether the manufacturer has implemented the traditional networks of the Purdue model of the mid-1980s or is adopting the latest unified namespace of a digitally transformed organization, don’t take your eyes off the network, ever.

An alternative approach to securing networks is to use machine learning models to detect abnormal behavior. Rather than restricting connectivity, which makes it more challenging to collect plant floor data, using a service to monitor traffic on the wire enables the sharing of data across an enterprise.

Many companies offer this service, operating both in the cloud and on premises. When an anomaly is detected, the service sends an alert, along with a threat score, to security staff to investigate. If there is an issue, the plant can respond appropriately. If not, the result is fed back to improve the machine learning algorithm.

One of the modern challenges for security administrators across both IT and OT is the prevalence of encrypted traffic. This makes traffic inspection at the deepest levels much more difficult, especially for middlebox devices such as firewalls, which classically relied on deep packet inspection of unencrypted traffic to make granular decisions on whether network traffic is permitted.

Now that most of the traffic outside of the OT networks is encrypted (including traffic used by threat actors to establish footholds on IT/OT systems), the application-layer visibility that firewalls once had into north/south traffic (traffic leaving or entering the OT network) is greatly diminished. This problem only gets more challenging as OT networks begin to use encrypted protocols for data transmission to and from the OT edge.

Firewalls are still an important part of any defense-in-depth strategy. However, to gain the visibility into the network needed for effective security policy execution, and by extension the ability to proactively monitor overall OT network health, endpoint solutions are needed. The idea is that, wherever possible, adding an endpoint client that enforces policy at each node in the network restores that visibility, because inspection is done before traffic is sent on the wire. Depending on what the network device is, the endpoint client can run directly on the endpoint or sit in line in front of it.

With endpoint inspection, and a central policy engine giving directives to the endpoints, we have the means of controlling and monitoring network traffic and device health, even when using modern protocols that are encrypted.

With these data gathering techniques in place, adding machine learning models for intrusion detection becomes possible. The system can respond by notifying key people within the plant, or even experts outside OT if the plant doesn’t have a dedicated OT security engineer. Visibility is key to early detection and notification. Without good visibility, machine learning won’t have enough information to provide much protection.

Should the worst happen, and indicators of compromise are confirmed, having a well-developed recovery plan is critical. The timeliest recovery is one that is planned for and rehearsed. Developing such plans is a whole article unto itself, but in a nutshell, they spell out how to restore critical components by whatever means makes sense for a given issue. The key is that these means are available because of the preparations done before an incident occurred. This could be anything from swapping in hardware (cold spares), to restoring from known good backups, to isolating key systems.

Q: Beyond traditional industrial network needs there are increasing needs to communicate in the IIoT and for Industry 4.0 and Smart Manufacturing initiatives. How can these risks be mitigated?

A: Those manufacturing organizations that are beginning or planning their digital transformation (I4.0) journeys have a real opportunity to secure their network systems for legacy and new equipment and systems alike.

However, it takes a lot of thought, forward thinking, a thorough understanding of past, current and future network technologies and architectures, and a lot of robust planning. First, understand the 4th Industrial Revolution movement and the latest technologies and network architectures that have been proven secure. Pay close attention to those manufacturing organizations that have lowered industrial network risk, and seek help from members of the system integration community with a well-established and significant manufacturing systems infrastructure practice.

Many of our network security practices are based on an older server-client architecture that uses a poll-response method to collect data. In these systems, the server initiates a connection to a client, which requires a network port to be opened on the client. This introduces risk.

A preferred approach is to upend this model so that the client initiates the connection to the other system. Similar to how people connect to secure sites for tasks like banking, a client, such as an industrial gateway, makes the connection. This eliminates the need to open a port on a higher-risk system. If there is an issue, the client device can simply disconnect, closing the connection.

Risks can be further reduced in several different ways. As the need for sharing information with systems outside of the classic OT environment increases, so does the risk of exposure. The key to risk reduction is visibility and governance of that information sharing.

Secure transport of information is one aspect of governance. Encrypting communication, especially when it traverses less trusted networks, helps ensure the integrity and confidentiality of information.
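Encryption on its own only delivers the confidentiality and integrity described above when the client also verifies who it is talking to. The following is an added example, not code from the article or from Matrix Technologies: it builds the TLS client context an outbound gateway connection would use, with the weak "it connects" configuration beside the hardened one, plus a small audit function that flags the settings a reviewer would object to. The broker hostname and CA bundle path are placeholders, not values from the article.

```python
import ssl

# Placeholders (not from the article): where the gateway connects and which CA it trusts.
BROKER_HOST = "broker.example.invalid"
CA_BUNDLE = None   # path to the plant's CA bundle, or None to use the system trust store


def weak_client_context() -> ssl.SSLContext:
    """Encrypts the session but never checks the broker's identity, so anything on the
    path between gateway and broker can impersonate the broker."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile=CA_BUNDLE, client_cert=None, client_key=None) -> ssl.SSLContext:
    """Verify the broker certificate against a known CA, require the hostname to match,
    refuse TLS versions below 1.2 and, if a device certificate is supplied, present it
    so the broker can authenticate the gateway as well (mutual TLS)."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert and client_key:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the findings a reviewer would raise about a client context (empty = clean)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS below 1.2 allowed")
    return findings


if __name__ == "__main__":
    print("weak    :", audit_context(weak_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

The hardened context is what you hand to the transport, for example `ssl_context.wrap_socket(sock, server_hostname=BROKER_HOST)` for a plain socket, so that the outbound, client-initiated connection the article recommends is authenticated as well as encrypted.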

The protocol and infrastructure of the information sharing model can have a significant impact on security as well. Protocols like MQTT, used in conjunction with a data broker, allow security boundaries to be navigated more easily, due in large part to the fact that the device originating the data is the one that initiates the communication.

Coupled with a unified namespace, in which granular control is maintained through a structured, hierarchical data model, this allows least-privilege methodologies to be extended to every aspect of the data.

Q: What are the latest technologies and processes to lower risks related to industrial networks?

A: The industrial demilitarized zone (IDMZ) is the network security layer between the IT and OT networks. It’s the buffer between the two that ensures no direct network communications are allowed between the two layers.

You’ll hear people talk about IDMZ servers, virtual private network (VPN) servers, firewalls and security appliances, switches, routers, etc.; there is a lot to the IDMZ layer. Also examine broker technologies and the network concept of a unified namespace.

One of the most common brokering technologies is MQTT. This is a lightweight messaging protocol that was developed for SCADA applications in the late 1990s. While early adoption was mainly in non-manufacturing applications, like phone messenger apps, it has recently emerged as a popular way to connect to plant floor systems.

In broker applications a client, referred to as a device, makes a secure connection to a server, commonly referred to as a broker. Rather than a poll-response method of collecting data, the device publishes changes when they occur. This is called report by exception. Not only is this method more secure, it also uses less network bandwidth.

The unified namespace by itself is more about having a logical, well-structured single source of truth for all data. However, the benefit of having data organized and consumed in this manner is that it is much easier both to inspect and to govern its use. Least-privilege security policies can be overlaid on a unified namespace in ways that make intuitive sense to the business (as the unified namespace is laid out using business structures). Attack surface is reduced when only those who need access to information are able to get it. When it is easy to maintain, a sustainable data governance model is established, and the system remains more secure than it would if data governance became disjointed.
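The two ideas above, report by exception over a broker and least privilege overlaid on a unified-namespace topic tree, can be shown together in one small program. This is an added example, not code from the article, from Matrix Technologies or from any MQTT broker: it implements MQTT's topic-filter matching rules (`+` for one level, `#` for the remainder), a default-deny per-role ACL expressed as topic filters over an Enterprise/Site/Area/Line/Cell/Tag hierarchy, and a device that only publishes a tag when its value changes. The enterprise, site, role names, ACL entries and tag values are invented for the demonstration.

```python
# Added example: broker-side authorization over a unified-namespace topic tree plus a
# report-by-exception publisher. Names and values below are constructed, not from the article.


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT topic-filter semantics: '+' matches exactly one level, '#' matches the rest of
    the topic (including nothing at all) and is only valid as the last level."""
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return i == len(f_levels) - 1
        if i >= len(t_levels):
            return False
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


# Least-privilege ACL keyed by role: default deny, grants are topic filters over the
# hierarchy Enterprise/Site/Area/Line/Cell/Tag (constructed example roles).
ACL = {
    "line3-gateway":     {"publish": ["Acme/Toledo/Packaging/Line3/#"], "subscribe": []},
    "quality-dashboard": {"publish": [], "subscribe": ["Acme/Toledo/+/+/+/Quality/#"]},
    "site-historian":    {"publish": [], "subscribe": ["Acme/Toledo/#"]},
}


def authorize(role: str, action: str, topic: str, acl=ACL) -> bool:
    """Allow 'publish' or 'subscribe' only if a filter granted to the role matches the topic."""
    return any(topic_matches(f, topic) for f in acl.get(role, {}).get(action, []))


class ReportByExceptionDevice:
    """The device initiates the session and publishes a tag only when its value changes."""

    def __init__(self, role: str):
        self.role = role
        self.last_values = {}
        self.published = []   # (topic, value) pairs the broker accepted
        self.denied = set()   # topics the ACL refused

    def scan(self, readings: dict):
        for topic, value in readings.items():
            if self.last_values.get(topic) == value:
                continue                          # unchanged: nothing goes on the wire
            if not authorize(self.role, "publish", topic):
                self.denied.add(topic)            # out of this device's granted subtree
                continue
            self.last_values[topic] = value
            self.published.append((topic, value))


def demo() -> dict:
    """Five scan cycles of three tags: message volume under poll-response versus report by
    exception, and one topic outside the gateway's grant being refused."""
    speed = "Acme/Toledo/Packaging/Line3/Filler/Speed"
    state = "Acme/Toledo/Packaging/Line3/Filler/State"
    foreign = "Acme/Toledo/Packaging/Line4/Capper/State"   # not granted to line3-gateway
    scans = [
        {speed: 120, state: "RUN",  foreign: "RUN"},
        {speed: 120, state: "RUN",  foreign: "RUN"},
        {speed: 118, state: "RUN",  foreign: "RUN"},
        {speed: 118, state: "RUN",  foreign: "RUN"},
        {speed: 118, state: "STOP", foreign: "RUN"},
    ]
    dev = ReportByExceptionDevice("line3-gateway")
    for readings in scans:
        dev.scan(readings)
    return {
        "polled_messages": sum(len(s) for s in scans),   # every tag, every cycle
        "published_messages": len(dev.published),        # only the changes
        "denied_topics": sorted(dev.denied),
    }


if __name__ == "__main__":
    print(demo())
```

Because the grants are written in the same hierarchy the business uses for the data, an auditor can read `Acme/Toledo/+/+/+/Quality/#` and see at once that the dashboard gets quality tags from every line at the Toledo site and nothing else, which is the intuitive, maintainable governance the article describes.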

Q: Do system integrators help clients address industrial network cybersecurity, even if it’s not an industrial networking project?

A: Many industrial system integrators today possess some level of network architecture and technology expertise, but it is mainly focused on securing the OT layer, up to the IDMZ mentioned earlier; they won’t cross into Level 4, the IT layer.

Those system integrators focusing on the solution stacks and technologies of the 4th Industrial Revolution are well-versed in the entire IT/OT network and in the cybersecurity resiliency needed to secure against the latest risks and bad actors.

That said, these “risks” are changing every day, and billions of dollars are being spent annually, all over the world, on funding and developing bad actors and the latest bugs.

The best strategy for mitigating cybersecurity risks is the use of inherently secure technology. Rather than a traditional server-client architecture that requires ports to be opened, deploy systems where the client or device makes the connection. This strategy can be used throughout an enterprise.

Another strategy is the use of machine learning to monitor networks. Collecting more data means there are many more devices and connections, which presents risk. Rather than restricting the flow of information, monitoring services keep track of network traffic and alert people to any potential threats.

Every project should be approached as part of a larger whole. While a current effort may not involve network cybersecurity, security should always be considered. Integrators can facilitate this by using solutions that can be extended in the future without the need for changes or adding risk.

Q: What role does training have in mitigating industrial cybersecurity risk beyond technologies?

A: Training has a huge impact on mitigating industrial cybersecurity risk. Today, we don’t know what we don’t know, and when it comes to cybersecurity it is simply not good enough to keep doing what we already know. Chances are, if you’re operating with this type of mindset, you’re already in trouble. There is a litany of training opportunities out there, both paid and free. Udemy, Coursera, NexGenT and CISA are some good choices.

What is commonly referred to as IT/OT convergence is more about strategy than technology. IT needs to understand operational technology. OT needs to understand networking and the risks it introduces. Much like a culture of safety, a culture of cybersecurity needs to be established. It is the responsibility of everyone. To that end, everyone should have some level of training.

Plant floor operators should have basic training on networks, how they work and how to keep them safe. This should be thought of as best-practice training.

Controls engineers should obtain an intermediate level of training. This includes concepts like network segmentation, VLANs and how to connect technology securely. Basic certification should be considered. Consideration of an OT liaison to IT is recommended.

Large enterprise companies should have several people with IEC 62443 certifications. There are many reputable organizations that provide training and certification. 

Q: What are common sense policies needed for industrial networking?

A: Again, manufacturers should be monitoring their networks, or have their networks monitored, 24/7/365.

Stay up to date on the latest trends and training around bad actors and the super bugs they create daily. Plan your work and work your plan. Planning today for the future is an absolute must, especially if you’re looking to advance your digital transformation journey. A best-practices roadmap should include these four aspects:

1. Network mapping and connectivity analysis. Network mapping helps you stay in touch with your system in real time (ideally). It provides the big picture of what is on your network and how it’s physically connected. Depending on the type of software and its integration with the physical and logical infrastructure, it can give users things like a network inventory and how network devices are connected (to which switch and port). It may also be able to offer application visibility, giving real-time insight into how devices are communicating. You need to know what you have and how it’s connected before you can protect it.

2. Consider installing a security information and event management (SIEM) system. A SIEM is a system that collects information from monitored nodes on a network. It contains the logic to take further action, such as creating notifications when it sees correlated pieces of information that meet a certain criterion. The SIEM is one of the tools for establishing visibility into the day-to-day operations of the system, especially when events need to be correlated across multiple endpoints.

3. Consider multi-factor authentication (MFA) tools or some level of zero-trust framework. Multi-factor authentication makes it harder for bad actors to impersonate a user. Many systems get compromised using legitimate credentials that were stolen, often first from a lower-privileged user. Once baseline connectivity is established, a threat actor will then seek to gain elevated privileges to give them an authoritative foothold. By making stolen credentials harder to exploit, these types of attacks can be reduced.

4. Research and select the right remote access tools. The right tool/remote access solution will have the following capabilities:

  • Strong logging
  • Multi-factor authentication
  • Strict access control (who can connect, from what to what, when they can connect, from where can they connect, etc.)
  • Encrypted communication
  • Environmental governance (the remote user should not depend on anything residing on the device they are using to initiate the remote connection to perform tasks). All tools needed should be controlled by, and reside within, the control system, the exception being the connection client itself.
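Items 2 and 3 of the roadmap describe what a SIEM correlation rule actually does: join events from several endpoints and fire when the combination, not any single event, meets a criterion. The following is an added example, not code from the article or from any SIEM product: it parses a constructed batch of normalized authentication events from several hosts and raises an alert when the same user from the same source fails to log in three or more times within five minutes and then succeeds, the stolen-credential pattern described in item 3; a privilege escalation by that user shortly after the login raises the alert to the maximum score. Hostnames, user names, addresses and the scoring scheme are invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of normalized events as a SIEM would receive them from several
# endpoints. Hosts, users and addresses are invented; one line is deliberately malformed.
SAMPLE_LOGS = """\
2022-08-17T08:01:12Z host=hmi-01 event=auth_fail user=operator src=10.20.3.44
2022-08-17T08:01:40Z host=eng-ws-02 event=auth_fail user=operator src=10.20.3.44
2022-08-17T08:02:05Z host=hmi-01 event=auth_fail user=operator src=10.20.3.44
2022-08-17T08:02:30Z host=scada-srv event=auth_success user=operator src=10.20.3.44
2022-08-17T08:06:10Z host=scada-srv event=priv_escalation user=operator src=10.20.3.44
2022-08-17T08:15:00Z host=hmi-03 event=auth_fail user=tech src=10.20.7.9
2022-08-17T08:16:00Z host=hmi-03 event=auth_success user=tech src=10.20.7.9
this line is not an event and is skipped by the parser
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_event(line: str):
    """Turn one log line into a dict, or None if it does not fit the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def correlate(lines, fail_threshold=3, window=timedelta(minutes=5),
              escalation_window=timedelta(minutes=10)) -> list:
    """Correlation rule over events from any number of hosts:
    fail_threshold or more auth_fail events for one (user, src) within `window`,
    followed by auth_success for the same pair, produce an alert. A priv_escalation by
    that user within `escalation_window` of the login raises the score to 100."""
    events = sorted((e for e in map(parse_event, lines) if e), key=lambda e: e["ts"])
    failures = defaultdict(list)   # (user, src) -> [(timestamp, host), ...]
    alerts, open_alerts = [], {}   # open_alerts: user -> most recent alert for that user
    for ev in events:
        key = (ev["user"], ev["src"])
        if ev["event"] == "auth_fail":
            failures[key].append((ev["ts"], ev["host"]))
        elif ev["event"] == "auth_success":
            recent = [(t, h) for t, h in failures[key] if ev["ts"] - t <= window]
            if len(recent) >= fail_threshold:
                alert = {
                    "user": ev["user"],
                    "src": ev["src"],
                    "hosts": sorted({h for _, h in recent} | {ev["host"]}),
                    "login_at": ev["ts"],
                    "score": min(100, 50 + 10 * len(recent)),
                    "reasons": [f"{len(recent)} failed logins then success within {window}"],
                }
                alerts.append(alert)
                open_alerts[ev["user"]] = alert
            failures[key].clear()   # a success ends the failure streak either way
        elif ev["event"] == "priv_escalation":
            alert = open_alerts.get(ev["user"])
            if alert and ev["ts"] - alert["login_at"] <= escalation_window:
                alert["score"] = 100
                alert["reasons"].append("privilege escalation after login")
                alert["hosts"] = sorted(set(alert["hosts"]) | {ev["host"]})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS):
        print(a["score"], a["user"], a["src"], a["hosts"], a["reasons"])
```

The point the rule makes is the one the article makes: no single host sees enough to know something is wrong (hmi-01 saw two failures, eng-ws-02 one, scada-srv only a clean login), but the SIEM, holding all of them, does. The `tech` user's single failure followed by success stays below the threshold and produces nothing, which is what keeps the rule from paging on ordinary typos.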

Q: How should people get updates about network equipment vulnerabilities related to industrial cybersecurity?

A: CISA, the Cybersecurity and Infrastructure Security Agency, is a good start. Its National Cyber Awareness System is kept up to date. A couple of others would be the US-CERT alerts webpage and the Mitre Corp.’s Common Vulnerabilities and Exposures (CVE) list.

Q: By the time something hits the news, it may be too late. What are recent threats? How can those in charge of industrial networks keep ahead?

A: Consider today’s discussion points, remain vigilant about IT/OT networks and understand that other than the people you employ, cybersecurity is the most important part of a business. It can make or break a company.

Jim Mansfield is senior manager at Matrix Technologies Inc., a CFE Media and Technology content partner. Additional content provided by Dan McKarns, associate technology manager at Matrix Technologies and David Schultz, consulting partner for Matrix Technologies. Edited by Chris Vavra, web content manager, Control Engineering, CFE Media and Technology, cvavra@cfemedia.com.
