Securing network security

By Bennet Levine October 1, 2004

Industrial network security is increasingly focusing on networks as they continue to evolve beyond their historical isolation. Networks are making themselves and their data accessible via Ethernet TCP/IP, IT-related systems, and/or the Internet, and are facing the inherent vulnerabilities of these technologies. The question is: how can users access their networks remotely without exposing themselves to unauthorized intrusions?

To begin improving security, managers, control engineers and system administrators must first think of their network as a whole, and become aware of their company-wide infrastructures. It’s useful to literally sketch out the entire network; take an inventory of everything connected to the network; and then ask “Is this network linked to a company intranet or to the Internet?” and “Is the network completely hardwired or are there wireless components?” Next, managers should check what security measures are presently available, and make sure they’re enabled and operating.

Routers rule

Undoubtedly the most important tool for increasing security is having a router/firewall between local networks and larger systems, especially those tied to the Internet. While switches operate at the data link layer (layer 2), routers generally operate at the network layer (layer 3), and most routers handle TCP/IP messages. A router/firewall matches private Internet addresses with data requests, allowing through only specified messages. Very few unauthorized messages get through routers.

Another security question is: “Will the highly repeatable communications on the plant floor be able to handle corporate-level data transfer sizes and bandwidth?” To manage these communications, many users employ switches with broadcast storm control capabilities, which block broadcasts from overly noisy ports.

These switches also assign slightly different bandwidths for accessing each port on a network, which ensures that each device gets only the messages it’s supposed to receive.

VLANs vital

Beyond basic routing, some users implement virtual local area networks (VLANs) between their plant-floor networks and office systems. Located in the switches’ hardware, VLANs block unauthorized messages between network ports.

In fact, two VLANs overlapping to a specific degree can share data if, for example, a device on the factory floor also sits on the corporate VLAN. This exposes only one device to potential vulnerabilities, and leaves other devices protected.

Yet another option is to simply install an additional router between two locations, which can be dedicated solely to sending data between them. This security strategy doesn’t mask addresses, but it too allows only specific traffic between plant-floor addresses and office addresses. This method is similar to a VLAN, but instead uses the added router to do its job.
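The allow-list that the router/firewall of the “Routers rule” section and the dedicated router described above would enforce, as an added example that is not from the article or from Contemporary Controls: a small Python model of a default-deny rule table between an assumed plant-floor subnet (192.168.10.0/24) and an assumed office subnet (10.1.0.0/16), with one historian host (192.168.10.5) as the single deliberately exposed device, as in the overlapping-VLAN arrangement. All addresses, ports and host roles are constructed for the example.

```python
# Added example (not the article's own): a default-deny allow-list between a
# plant-floor subnet and an office subnet, evaluated against constructed flows.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Optional

PLANT = ip_network("192.168.10.0/24")        # assumed plant-floor subnet (constructed)
OFFICE = ip_network("10.1.0.0/16")           # assumed office subnet (constructed)
HISTORIAN = ip_network("192.168.10.5/32")    # the one plant device exposed to the office side
SQL_SERVER = ip_network("10.1.5.20/32")      # assumed office database host (constructed)


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    proto: str             # "tcp", "udp" or "icmp"
    dport: Optional[int]   # None matches any destination port (used for icmp)
    action: str            # "allow" or "deny"


# Ordered rule table. Only the flows listed here cross the router; everything
# else between the two networks falls through to the default deny below.
RULES = [
    # Office clients may poll the historian over Modbus/TCP (port 502) only.
    Rule(OFFICE, HISTORIAN, "tcp", 502, "allow"),
    # Office clients may ping the historian to check that it is up.
    Rule(OFFICE, HISTORIAN, "icmp", None, "allow"),
    # The historian may push data to the office SQL server on 1433.
    Rule(HISTORIAN, SQL_SERVER, "tcp", 1433, "allow"),
]


def evaluate(src: str, dst: str, proto: str, dport: Optional[int]) -> str:
    """Return the verdict ("allow"/"deny") for one flow; first matching rule wins."""
    s, d = ip_address(src), ip_address(dst)
    for r in RULES:
        if s in r.src and d in r.dst and proto == r.proto \
                and (r.dport is None or dport == r.dport):
            return r.action
    return "deny"  # default deny: unspecified traffic between the networks is dropped


def audit(flows):
    """Evaluate a batch of (src, dst, proto, dport) flows and return the denied ones,
    which is what the router's log would show and what an operator should review."""
    return [f for f in flows if evaluate(*f) == "deny"]


if __name__ == "__main__":
    sample = [("10.1.2.3", "192.168.10.5", "tcp", 502),   # office -> historian, allowed
              ("10.1.2.3", "192.168.10.7", "tcp", 502),   # office -> another PLC, denied
              ("10.1.2.3", "192.168.10.5", "tcp", 22)]    # SSH to historian, denied
    for flow in sample:
        print(flow, "->", evaluate(*flow))
```

Because only the historian's /32 appears in the rule table, every other plant-floor device stays unreachable from the office side even though both networks are routed.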

Check connected PCs

Back on the infrastructure side, network managers must also be cautious about what devices might be using up available bandwidth on the plant floor. Ethernet switches are designed to be very inviting, and someone plugging into an available RJ-45 port can potentially hinder or damage manufacturing processes with unauthorized or untested network traffic.

So, besides checking the security of one’s own network, managers also must be careful about the protocols used on PCs and laptops that may connect to switches on their plant-floor network. Managers can test new software or devices by running a plant-floor network in safe mode or by setting up small test networks.

Bennet Levine, R&D manager, Contemporary Controls, www.ccontrols.com

Locking in security to-do list

Think of network as a whole, and sketch it out—literally

Inventory what network is connected to—Internet? Wireless?

Check for existing security features, and make sure they’re enabled

Install router switch/firewall between plant-floor network and other networks

Enable router’s broadcast storm control capability

Use virtual local area networks (VLANs) to block unauthorized messages between ports

Overlap two VLANs to allow specific data sharing

Use additional dedicated router to allow only authorized traffic between two networks

Test PCs and laptops plugging into plant-floor network