Isolationism, Cultured Staffs Help Protect Networks
It’s no longer a secret that industrial networks are susceptible to viruses and hacker attacks. But though awareness has risen, the actions taken to prevent problems still range from minimal measures to isolated networks with many layers of protection.
Broader use of networking and closer ties to front offices have helped drive a shift to Ethernet, and this change also brings the increased threat of viruses, hack attacks and other issues that plague corporate information technology departments. Well-intentioned employees can cause as many problems as malicious people, whether the latter are disgruntled employees or nefarious outsiders.
Although the threat is now widely understood, security is often pushed back by more pressing concerns. “Those who aren’t focused on security know it’s important, but it’s just not a focus for them. Generally that changes when something occurs that makes them more aware,” says Bill Lewins, a requirements analyst who focuses on software security for Rockwell Automation Inc.
There’s some good news for those who view network security as an issue that can wait until tomorrow, since attacks aren’t increasing rapidly at present. But the downside is that those who take the time to burrow into manufacturing networks know what they’re doing.
A growing number of those attacks are extortion. Hackers show that they can get into critical portions of a network, then ask for cash not to deploy their programs. A handful of utilities have paid extortion, and manufacturing companies are likely to be targeted as well. These attacks are more difficult to defend against than those of hackers out for kicks, forcing a change in protective schemes.
“It’s important to set up a tiered structure, with each cell protected from the others,” says Todd Stauffer, Process Automation marketing manager at automation solutions provider Siemens Energy & Automation Inc., in Spring House, Pa.
Building the tiers
This structured scheme begins with a basic element common even in simple home networks. “Any safety-aware user will put a firewall in front of a device,” says Nate Kube, chief technology officer of Wurldtech Security, a Vancouver, British Columbia, Canada, industrial cyber security firm.
However, that’s where the similarity ends. Installing firewalls for complex industrial networks involves many different factors. Many factory floor networks include a number of older devices with slow data transfer speeds and small buffers, if they even have buffers. If they get too much data too quickly, buffer stacks can overflow, causing serious problems.
As part of their job, firewalls attached to this type of equipment must protect it from these problems as well as others. “Firewalls should provide rate limiting specific to the device, they should do packet filtering to protect the controller from malformed packets and they should automatically configure themselves to what they’re protecting, so the engineer doesn’t need to know what the firewall is doing,” Kube says.
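The two firewall functions described above, device-specific rate limiting and filtering of malformed packets, can be sketched as follows. This is an added example, not code from the article or from any vendor quoted in it; it assumes the protected controller speaks Modbus/TCP (a protocol the article does not name), and `DeviceProfile`, `DeviceGuard`, `validate_frame`, `make_frame` and all limits are hypothetical, constructed values.

```python
import struct
from dataclasses import dataclass
from typing import Optional

MBAP_LEN = 7   # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MAX_PDU = 253  # largest function code + data the Modbus spec allows

@dataclass(frozen=True)
class DeviceProfile:
    """Per-device limits (constructed values, not from the article)."""
    rate_pps: float               # frames per second the device can sustain
    burst: int                    # frames it can take back to back
    allowed_functions: frozenset  # function codes this device should ever see

def validate_frame(frame: bytes, allowed) -> Optional[str]:
    """Return a drop reason for a malformed or disallowed frame, else None."""
    if len(frame) < MBAP_LEN + 1:
        return "short"
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        return "protocol-id"
    if length != len(frame) - 6:  # length field counts unit id + PDU
        return "length-mismatch"
    if length - 1 > MAX_PDU:
        return "oversize"
    if frame[MBAP_LEN] not in allowed:
        return "function"
    return None

class DeviceGuard:
    """Token bucket sized to one device, applied after frame validation."""
    def __init__(self, profile: DeviceProfile, now: float = 0.0):
        self.p, self.tokens, self.last = profile, float(profile.burst), now

    def check(self, frame: bytes, now: float) -> str:
        reason = validate_frame(frame, self.p.allowed_functions)
        if reason:
            return "drop:" + reason  # never reaches the device, costs no token
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.p.burst, self.tokens + elapsed * self.p.rate_pps)
        self.last = now
        if self.tokens < 1.0:
            return "drop:rate"       # device buffer would be overrun
        self.tokens -= 1.0
        return "forward"

def make_frame(pdu: bytes, tid=1, unit=1, proto=0, length=None) -> bytes:
    """Build a constructed sample frame; length can be forced wrong."""
    length = len(pdu) + 1 if length is None else length
    return struct.pack(">HHHB", tid, proto, length, unit) + pdu
```

Malformed frames are rejected before the bucket is consulted, so a flood of bad packets cannot use up the budget reserved for legitimate traffic to a slow device.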
Though firewalls are a powerful first line of defense, they aren’t a panacea. “Putting in a firewall is helpful, but there have to be other levels of security beneath that, with layers of defense going down to programmable logic controllers (PLCs),” Byres says.
Isolationist policies
Another layer of protection comes when networks and their nodes are isolated. One aspect of this segregation is to prevent any problems from getting into a factory network. The other benefit is that if something gets in, its impact will be limited to just a few nodes. There are a number of different ways to set equipment apart from gear that might cause problems. One of the first is to minimize links with front office systems that deal with far more outside links. That can be done with different techniques.
“If you’re not on the Internet, you’ve got a high level of security. We connect to the outside world through a workstation, not a switch, which helps keep our network highly separated from other local area networks (LANs) in the company,” says Bob Huba, Delta V product manager at automation vendor Emerson Process Management’s ...









