Create a secure network for shop floor devices

Operations technology (OT) environments consist of many devices using different protocols and different languages. This can cause a security risk if plant operators don’t take steps to mitigate the risk and create awareness for everyone on the plant floor.

01/22/2018


Example of an industrial network that operators should secure and check for compliance. Courtesy: Tripwire

In an increasingly connected world, it is critical for manufacturers to strengthen their defenses against cyber threats. However, securing industrial operations is a unique challenge because plant floors can't be secured with the same approach used to secure information technology (IT) networks. Operational technology (OT) has evolved tremendously over the years, creating very complex environments. There is a dizzying variety of devices from different makes, models, and generations communicating through different protocols. Plant operators need to learn to speak these devices' different languages in order to begin securing them.

To begin securing a plant environment, operators need visibility into all the devices and software on the network. To gain that visibility, operators need a way of communicating with their devices. This is easy in a corporate IT environment because these devices are all IP-based and speak the same language. This is more difficult in OT environments because of the variety of devices and protocols and languages involved.

What language a device speaks can depend on the type of device, the age of the device, the manufacturer, and more. Programmable logic controllers (PLCs), for example, communicate in a range of different protocols including EtherNet/IP, Modbus, and Simple Network Management Protocol (SNMP). This gets even more complex when considering the different variations of remote terminal units (RTUs) and distributed control systems (DCSs). If operators can't talk to all the devices on the network, it's difficult to know what needs to be secured.

So how can operators approach that tough conversation with OT devices?

In IT environments, automated processes can be used to discover devices on the network. In OT environments, security teams first need to overcome the language barrier. Even when a team is able to send signals to its devices, incorrect communication with those devices can cause a shutdown and disrupt operations.

Plant operators should start with understanding what languages their devices are speaking and learn to speak them. This involves taking an inventory of the assets that will be critical to secure, then choosing a solution that can speak natively to these devices and monitor a wide variety of systems not typically monitored, including routers, switches, gateways, and firewalls. They should also identify which of those devices are critical to operations and therefore highly sensitive.

For these critical devices, a "no-touch" approach is appropriate. The no-touch approach uses integration with an intermediary device that talks to the PLCs in order to configure them and back up their configurations. Once the integration is in place, configuration data can be obtained without touching the PLCs at all, by querying the intermediary's database and ingesting the configuration data from there.

Once network visibility is established, operators can start hardening the environment. OT security solutions should identify what's on the network, detect changes, identify where the risks are, and mitigate them. Hardening the environment starts with looking at how the devices and software are configured. Misconfigurations, though many of them are simple to fix, continue to be the main vector for successful cyber attacks.

A good security solution should be able to assess configurations and enable users to easily fix any that are not in a secure and compliant state. Unpatched vulnerabilities are another major reason for successful cyber attacks. Security solutions should scan for vulnerabilities in the environment and prioritize which vulnerabilities are most critical.

Once the attack surface has been minimized through proper configuration and vulnerability management, the plant's security solution should continuously monitor and alert to any changes made in the environment. Changes made to the environment can indicate an intrusion, and/or point out configuration changes that have weakened the security posture or put systems in a non-compliant state.
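To make the visibility, hardening and monitoring sequence above concrete, here is an added example (not Tripwire's or the author's code) that ingests constructed configuration records in a hypothetical shape, as they might be pulled from an intermediary's database, flags drift from an approved baseline, and checks settings against simple compliance rules; the device names, settings and rules are assumptions.

```python
import hashlib
import json

# Constructed sample records (hypothetical shape, not any vendor's format), one dict per device.
BASELINE = {
    "plc-line1": {"firmware": "2.3.1", "snmp_community": "s3cure-ro",
                  "remote_programming": False},
    "rtu-pump7": {"firmware": "1.8.0", "snmp_community": "ops-ro",
                  "remote_programming": False},
}
CURRENT = {
    "plc-line1": {"firmware": "2.3.1", "snmp_community": "s3cure-ro",
                  "remote_programming": True},          # drift: posture weakened
    "rtu-pump7": {"firmware": "1.8.0", "snmp_community": "public",
                  "remote_programming": False},         # drift: default string
    "hmi-cell3": {"firmware": "4.0.2", "snmp_community": "public",
                  "remote_programming": False},         # device not in inventory
}

# Compliance rules: (setting, predicate that must hold, finding text).
RULES = [
    ("snmp_community", lambda v: v not in ("public", "private"),
     "well-known default SNMP community string"),
    ("remote_programming", lambda v: v is False,
     "remote programming left enabled"),
]

def fingerprint(cfg):
    """Stable hash of one device's configuration (canonical JSON) for quick drift checks."""
    return hashlib.sha256(json.dumps(cfg, sort_keys=True).encode()).hexdigest()

def detect_changes(baseline, current):
    """Return (device, kind, detail) tuples for new, missing and modified devices."""
    findings = []
    for dev in sorted(set(baseline) | set(current)):
        if dev not in baseline:
            findings.append((dev, "new_device", "not in approved inventory"))
        elif dev not in current:
            findings.append((dev, "missing_device", "no longer reporting"))
        elif fingerprint(baseline[dev]) != fingerprint(current[dev]):
            for key in sorted(set(baseline[dev]) | set(current[dev])):
                old, new = baseline[dev].get(key), current[dev].get(key)
                if old != new:
                    findings.append((dev, "changed", f"{key}: {old!r} -> {new!r}"))
    return findings

def assess_compliance(current):
    """Return (device, finding) tuples for every setting that violates a rule."""
    return [(dev, msg) for dev, cfg in sorted(current.items())
            for key, ok, msg in RULES if key in cfg and not ok(cfg[key])]
```

Each run compares the latest ingested snapshot with the approved baseline, so an alert fires on both unexpected devices and weakened settings, whether an intruder or a well-meaning technician made the change.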

Even if certain devices are air-gapped, isolated, and disconnected from any external-facing network, internal staff may introduce system changes without understanding the effect on security or compliance. Or worse, an intruder can bypass the air gap by gaining physical access, for example, through an infected USB drive, to carry out a cyber attack.

Foundational security boils down to understanding the attack surface, minimizing it, and monitoring it. Again, that first step traditionally has been particularly difficult for OT environments because of the language barrier around the different devices. With the right technology, plant operators can navigate past OT language barriers for enhanced visibility and the ability to harden and monitor their environments for more secure and compliant operations.

Gabe Authier, senior product manager at Tripwire. Edited by Chris Vavra, production editor, Control Engineering, CFE Media, cvavra@cfemedia.com.

ONLINE extra

Gabe Authier is a senior product manager at Tripwire, a leading provider of security, compliance, and IT operations solutions for enterprises, industrial organizations, service providers, and government agencies. He has over 15 years of experience in product management and information technology, with certifications in Agile practices and Pragmatic Marketing methodology. He is passionate about software development that brings solutions to the marketplace to solve customer problems. Gabe holds a BS in Systems Engineering from the University of Arizona and an Executive MBA from the University of Oregon.
