Create a secure network for shop floor devices

Operations technology (OT) environments consist of many devices using different protocols and different languages. This can cause a security risk if plant operators don’t take steps to mitigate the risk and create awareness for everyone on the plant floor.

01/22/2018


Example of an industrial network that operators should secure and check for compliance. Courtesy: TripwireIn an increasingly connected world, it is critical for manufacturers to strengthen their defenses against cyber threats. However, securing industrial operations is a unique challenge because plant floors can't be secured with the same approach used to secure information technology (IT) networks. Operational technology (OT) has evolved tremendously over the years, creating very complex environments. There is a dizzying variety of devices from different makes, models, and generations communicating through different protocols. Plant operators need to learn to speak these devices' different languages in order to begin securing them.

To begin securing a plant environment, operators need visibility into all the devices and software on the network. To gain that visibility, operators need a way of communicating with their devices. This is easy in a corporate IT environment because these devices are all IP-based and speak the same language. This is more difficult in OT environments because of the variety of devices and protocols and languages involved.

What language a device speaks can depend on the type of device, the age of device, the manufacturer, and more. Programmable logic controllers (PLCs), for example, communicate in a range of different protocols including Ethernet/IP, Modbus, and Simple Network Management Protocol (SNMP). This gets even more complex when considering the different variations of remote terminal units (RTUs) and distributed control systems (DCSs). If operators can't talk to all the devices on the network, it's difficult to know what needs to be secured.

So how can operators approach that tough conversation with OT devices?

In IT environments, automated processes can be used to discover devices on the network. In OT environments, security teams need to overcome the language barrier. However, even if the team is able to send signals to their devices, it is possible incorrect communication with these devices can cause a shutdown and disrupt operations.

Plant operators should start with understanding what languages their devices are speaking and learn to speak them. This involves taking an inventory of the assets that will be critical to secure, then choosing a solution that can speak natively to these devices and monitor a wide variety of systems not typically monitored, including routers, switches, gateways, and firewalls. They should also identify which of those devices are critical to operations and therefore highly sensitive.

In this case, a "no touch" approach is the approach for these devices. The "no-touch" approach uses integration with an intermediary device that talks to the PLCs in order to configure the devices and backup these configurations. Once integration is in place, configuration data can be obtained from the intermediary device by querying the intermediary's database and ingesting the configuration data.

Once network visibility is established, operators can start hardening the environment. OT security solutions should identify what's on the network, detect changes, identify where the risks are, and mitigate them. Hardening the environment starts with looking at how the devices and software are configured. Misconfigurations, though many of them are simple to fix, continue to be the main vector for successful cyber attacks.

A good security solution should be able to assess configurations and enable users to easily fix any that are not in a secure and compliant state. Unpatched vulnerabilities are another major reason for successful cyber attacks. Security solutions should scan for vulnerabilities in the environment and prioritize which vulnerabilities are most critical.

Once the attack surface has been minimized through proper configuration and vulnerability management, the plant's security solution should continuously monitor and alert to any changes made in the environment. Changes made to the environment can indicate an intrusion, and/or point out configuration changes that have weakened the security posture or put systems in a non-compliant state.

Even if certain devices are air-gapped, isolated, and disconnected from any external-facing network, internal staff may introduce system changes without understanding the effect on security or compliance. Or worse, an intruder can bypass the air gap by gaining physical access, for example, through an infected USB drive, to carry out a cyber attack.

Foundational security boils down to understanding the attack surface, minimizing it, and monitoring it. Again, that first step traditionally has been particularly difficult for OT environments because of the language barrier around the different devices. With the right technology, plant operators can navigate past OT language barriers for enhanced visibility and the ability to harden and monitor their environments for more secure and compliant operations.

Gabe Authier, senior product manager at Tripwire. Edited by Chris Vavra, production editor, Control Engineering, CFE Media, cvavra@cfemedia.com.

ONLINE extra

Gabe Authier is a senior product manager at Tripwire, a leading provider of security, compliance, and IT operations solutions for enterprises, industrial organizations, service providers, and government agencies. He has over 15 years of experience in product management and information technology, with certifications in Agile practices and Pragmatic Marketing methodology. He is passionate about software development that brings solutions to the marketplace to solve customer problems. Gabe holds a BS in Systems Engineering from the University of Arizona and an Executive MBA from the University of Oregon.



The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by Control Engineering subscribers. Vote now (if qualified)!
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
DCS visibility, alarm management, motors and drives, robotic machining, Engineers' Choice winners
Factory automation controllers, Ethernet updates, System Integrator of the Year roundtable, Inside Process and VFDs
Robotic simulation and welding, Process building blocks, Discrete sensor advice, Virtualization advice
Programmable logic controllers (PLCs) represent the logic (decision) part of the control loop of sense, decide, and actuate. As we know, PLCs aren’t the only option for making decisions in a control loop, but they are likely why you’re here.
This digital report explains how plant engineers and subject matter experts (SME) need support for time series data and its many challenges.
This article collection contains several articles on how advancements in vision system designs, computing power, algorithms, optics, and communications are making machine vision more cost effective than ever before.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Focus on power systems, process safety, electrical and power systems, edge computing in the oil & gas industry
Product of the Year winners, Pattern recognition, Engineering analytics, Revitalize older pump installations
Control room technology innovation; Practical approaches to corrosion protection; Pipeline regulator revises quality programs
Automation Engineer; Wood Group
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by Control Engineering subscribers. Vote now (if qualified)!
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
DCS visibility, alarm management, motors and drives, robotic machining, Engineers' Choice winners
Factory automation controllers, Ethernet updates, System Integrator of the Year roundtable, Inside Process and VFDs
Robotic simulation and welding, Process building blocks, Discrete sensor advice, Virtualization advice
Programmable logic controllers (PLCs) represent the logic (decision) part of the control loop of sense, decide, and actuate. As we know, PLCs aren’t the only option for making decisions in a control loop, but they are likely why you’re here.
This digital report explains how plant engineers and subject matter experts (SME) need support for time series data and its many challenges.
This article collection contains several articles on how advancements in vision system designs, computing power, algorithms, optics, and communications are making machine vision more cost effective than ever before.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Focus on power systems, process safety, electrical and power systems, edge computing in the oil & gas industry
Product of the Year winners, Pattern recognition, Engineering analytics, Revitalize older pump installations
Control room technology innovation; Practical approaches to corrosion protection; Pipeline regulator revises quality programs
Automation Engineer; Wood Group
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by Control Engineering subscribers. Vote now (if qualified)!
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
DCS visibility, alarm management, motors and drives, robotic machining, Engineers' Choice winners
Factory automation controllers, Ethernet updates, System Integrator of the Year roundtable, Inside Process and VFDs
Robotic simulation and welding, Process building blocks, Discrete sensor advice, Virtualization advice
Programmable logic controllers (PLCs) represent the logic (decision) part of the control loop of sense, decide, and actuate. As we know, PLCs aren’t the only option for making decisions in a control loop, but they are likely why you’re here.
This digital report explains how plant engineers and subject matter experts (SME) need support for time series data and its many challenges.
This article collection contains several articles on how advancements in vision system designs, computing power, algorithms, optics, and communications are making machine vision more cost effective than ever before.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Focus on power systems, process safety, electrical and power systems, edge computing in the oil & gas industry
Product of the Year winners, Pattern recognition, Engineering analytics, Revitalize older pump installations
Control room technology innovation; Practical approaches to corrosion protection; Pipeline regulator revises quality programs
Automation Engineer; Wood Group
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
click me