Defense in depth: Best practices to secure your networked system
Connected enterprise systems are on the rise. With more and more devices connected by the Internet of Things (IoT), network security becomes crucial since connected systems are more susceptible to malware and attacks. One misconfiguration can shut the whole system down.
According to Amadou Diaw, business development leader at Rockwell Automation, 80% of industrial network operators have faced a large-scale denial-of-service (DDoS) attack; the average cost of network downtime is $8.4 million per day; and $60 million was spent on global cyber security in 2011. Diaw added that 91% of breaches took less than a day to execute, 62% took months to years to discover, and 53% took months to contain.
Defense in depth
Alan Raveling, a manufacturing IT senior analyst at Interstates, emphasized defense in depth to counter system attacks. Defense in depth requires users to overlap different security systems in case one of them fails. An example is a firewall coupled with an intrusion-detection system (IDS).
Raveling suggests these steps when establishing a defense in depth security network:
- Identify integrated computer systems (ICS) vulnerabilities
- Establish vulnerability awareness and initiate secure programming
- Set up network configurations and follow firewall rules
- Provide training on procedures and maintenance policies.
Defense in depth is not limited to the network. It also involves securing I/O, applications, and PLCs; encryption on PLCs; and user access controls via Active Directory. There are also ways to secure the network physically, such as disabling unused Ethernet ports on network switches, controlling access to areas, and having a policy for how and when to connect to the control network.
Firewalls, NAT, and DMZ
Raveling suggested the use of firewalls, network address translation (NAT), and demilitarized zones (DMZ) to secure industrial networks. Firewalls allow only predefined network traffic to pass and prevent untrusted traffic from reaching devices. NAT can act as a go-between appliance that communicates between internal networks and provides address translation. A DMZ creates a buffer zone between the enterprise and manufacturing networks; it can hold data resources that untrusted outside personnel request, so those users never touch the control network directly. Using multiple security networks separates I/O networks from the control local area network (LAN) and partitions network traffic by function. This makes the data more sensitive to details and increases the system's complexity.
Diaw also provided some extra tips for defending integrated computer systems (ICS):
1. Separate control network from enterprise network
2. Harden connection to enterprise network
- Protect all points of entry with strong authentication
- Make reconnaissance difficult from inside
- Avoid single points of vulnerability
- Frustrate opportunities to expand a compromise
3. Harden field sites and partner connections to establish "mutual untrust"
4. Monitor both perimeter and inside events
5. Periodically scan for changes in security posture.
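The zone model described above (enterprise network, DMZ buffer, control network, firewall that passes only predefined traffic) and Diaw's first two tips can be expressed as a small default-deny policy checker. This is an added illustration, not code from either speaker or from Rockwell Automation or Interstates; the zone address ranges, the choice of ports (443 for DMZ reports, 502 Modbus/TCP and 44818 EtherNet/IP for DMZ-to-control polling) and the function names are constructed assumptions, and the `bypasses_dmz` audit flags any rule that would let the enterprise and control zones talk directly, defeating the buffer.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed example zones for an enterprise / DMZ / control layout.
ZONES = {
    "enterprise": ipaddress.ip_network("10.0.0.0/16"),
    "dmz": ipaddress.ip_network("172.16.10.0/24"),
    "control": ipaddress.ip_network("192.168.100.0/24"),
}


class Rule(NamedTuple):
    src: str    # source zone name
    dst: str    # destination zone name
    proto: str  # "tcp" or "udp"
    port: int   # destination port


# Explicit allow list; anything not listed is dropped (default deny).
# Enterprise clients may only reach the DMZ; only the DMZ collector may
# poll the control network. Ports are constructed choices for the example.
RULES = [
    Rule("enterprise", "dmz", "tcp", 443),    # reports served from the DMZ
    Rule("dmz", "control", "tcp", 502),       # Modbus/TCP polling
    Rule("dmz", "control", "tcp", 44818),     # EtherNet/IP explicit messaging
]


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone; unknown addresses are treated as untrusted."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
    """Firewall decision: only predefined inter-zone flows pass."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False            # untrusted or unknown endpoint: drop
    if src == dst:
        return True             # intra-zone traffic is not the firewall's job (assumption)
    return Rule(src, dst, proto, port) in RULES


def bypasses_dmz(rules) -> list:
    """Audit: rules joining enterprise and control directly defeat the DMZ buffer."""
    return [r for r in rules if {r.src, r.dst} == {"enterprise", "control"}]
```

Run `bypasses_dmz` against a proposed rule change before deploying it; a non-empty result means step 1 (separate the control network from the enterprise network) is being undone.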
– Joy Chang, digital project manager, CFE Media
See other Pack Expo stories below.