New year, new plan. When it comes to industrial network security, the most important message of the past few years has been, “Do something.” Everyone agrees that the days of head-in-the-sand, air-gaps-will-protect-us, we’re-too-small-for-hackers-to-care-about-us cybersecurity strategies are gone. You need a plan to thwart industrial network intruders—whether they’re from without in the form of foreign hackers, or from within in the form of disgruntled employees or unintentional malware infections. Here are practical steps to build or augment your plant’s network security strategy.
No matter their identity and origin, industrial network intruders will likely have caused twice as many incidents in 2013 than 2012, according to forecasts from the U.S. Department of Homeland Security’s Industrial Control System Cyber Emergency Response Team (ICS-CERT). Those incidents will occur across all domestic critical infrastructure, including manufacturing plants. And the actual number likely will be greater, because ISC-CERT bases its predictions only on reported cases.
Potential vulnerabilities exist everywhere, from printers and HVAC systems to unused ports in automation control systems. The effect of an intrusion can range from an annoyance to theft of intellectual property to a system shutdown. These realities led President Barack Obama to issue an executive order on “Improving Critical Infrastructure Cybersecurity” on Feb. 12, 2013, which intends to give industry and others some ways to combat such threats. Many within industry have taken on what he has called “a serious national security challenge.”
As global cybersecurity threats have grown and urged more defensive actions, the private sector’s awareness of the need for greater security and better network design must grow. “That’s been the real mantra over the past year,” says Ken Austin, lead marketing specialist for Ethernet devices for Phoenix Contact.
Layers of protection
No single product, technology or methodology fully secures automation and control-system applications, say Gregory Wilcox and Paul Didier, authors of the June 2013 whitepaper, “Design Considerations for Securing Industrial Automation and Control System Networks” from Rockwell Automation and Cisco Systems Inc. The best network protection combines layering of defenses and network segmentation.
A “defense-in-depth” approach uses multiple layers of defense—physical, procedural and electronic—at different system levels. That policy-and-procedures scheme helps protect networked assets such as data and end points, while multi-layered physical security helps protect high-value assets, explains Wilcox, Rockwell Automation business development manager. Those policies and procedures must protect the assets, while balancing functional and application requirements such as 24/7 operations, low mean time to repair (MTTR), and high overall equipment effectiveness (OEE), adds Didier, Cisco solutions architect.
Wilcox and Didier recommend you set up “an industrial demilitarized zone.” This DMZ is a perimeter network that provides a barrier between industrial and enterprise zones. Harden controllers to restrict logical and physical access to the control system, they say. Also harden area supervisory control stations to restrict logical and physical access. Protect switches and routers through access control lists and port security. Create domains of trust to segment the network into smaller functional- and access-based areas. And develop and apply policies, procedures and infrastructure to give secure remote access to trusted users.
The older common practice of air gapping—physically isolating the industrial network from other networks and the web—isn’t sufficient, Wilcox says. That’s because it fails to protect networks from viruses and other intrusions.
Of course, any solution has to be connected to company culture. “Cybersecurity is not something you can solve with your checkbook—you need a mentality, not a product,” stresses Jim Toepper, Moxa’s product manager for industrial Ethernet infrastructure networking components. Security “is not just a tack-on,” adds Phoenix Contact’s Austin. “It has to be as important as any process.”
To get the most secure network inside a company’s or facility’s electronic security perimeter, the most effective approach would be to not connect a network to anything. That’s impractical, of course, but firewalls are not. Firewalls provide the most basic protection from external threats—and are not optional if your company has an Internet connection. “The firewall is the nightclub bouncer,” says Moxa field applications engineer Nick Sandoval. To bounce undesirables, it looks at Internet protocol (IP) and media access control (MAC) addresses and demands authentication before a message may pass.
Firewalls for individual devices are not generally being done, Toepper says. But if a company wants to protect against internal intellectual-property thieves, he suggests putting in front of each critical device a firewall that’s capable of deep-pocket inspection. DPI looks at the actual data to determine if it should pass through. “DPI could really save the day, Toepper says.
The first questions Shane Duffy, fiber and telecommunications product manager at B&B Electronics, would ask when securing a factory-floor network is, “Is there a firewall or gatekeeper? Is it isolated from the corporate network? Are all networks protected from the network?”
Firewalls also need “a practical partner,” Duffy says, which is what a virtual local area network (VLAN) is. Sandoval calls VLANs and firewalls the tools of the trade to get strong segmentation on the factory floor. The virtual network fits with routers and firewalls to restrict web access. “You want to control any network connections so there are no open holes that can be exploited,” explains Duffy.
Segmentation fills those holes. First, use managed devices to provide security from controls and visibility to what’s occurring, Duffy says. “That’s crucial.” Next, use separate firewalls—and have a separate device that manages only the security gateway.
Where factory floor, corporate and Internet connections exist, get back to security layering between each. And be careful allowing the use of flash drives, Duffy advises. “The awareness [of that threat] has increased just this year. It’s now a daily topic,” he says.
One irritating hole that network segmentation closes is accidental hacking within the company. “Unintentional hacking is probably the most common cause of network disruption and is often caused by devices that are not configured properly,” Toepper says in Moxa’s 2013 whitepaper “Industrial Networking Security Best Practices.”
Perhaps 80 percent of cyber incidents that cause downtime come from insiders, estimates Phoenix Contact’s Austin—and 75-80 percent of those incidents are non-malicious. For example, a bad network card floods the network with a broadcast storm. Or an IT department does a ping sweep to check IP addresses. Austin says a Big Three automaker client had a laboratory network shut down because of such a sweep, because the lab and IT network were connected.
And while Toepper agrees that accidental hacking isn’t malicious, he thinks it’s still best practice to use simple subnet segmentation using routers to prevent it. Each cell—for example, a PLC network—should have its own small, protected network, he says. He’d place a firewall between the rest of the network and a manufacturing cell or a group of critical control PLCs, then configure the firewalls to allow EtherNet/IP communications only from specified senders.
Security appliances complete the segmentation scheme by providing perimeter defense and separate trust zones. Typically, a deny-all approach should be used on the boundary, where only specified traffic can pass through, says Mike Werning, Moxa field applications engineer. The most critical aspect of selecting those appliances and switches is the ability to secure and remotely manage the device, he says. His colleague Sandoval disagrees: He says using industrial-grade equipment with fast boot and recovery times is most critical.
Whatever the right answer, most experts believe in overall defense-in-depth. “Each layer of protection makes a potential attacker’s job more difficult—and significantly increases the chance that he or she will look elsewhere for lower hanging fruit,” says Phoenix Contact’s Dan Schaffer. “Thus, companies should focus on the whole, rather than any single aspect of their floor-to-executive-suite operations. Start first with comprehensive security policies. Then, move on to risk and security assessments. Then, follow those with selection, installation and activation of the remedies.”
Schaffer and Austin recommend the following tips when it comes to using remedies like switches and other network security appliances:
- Don’t discount the security of the switch. That’s especially true when you’re using a defense-in-depth scheme. Switches become another layer of security.
- Design in security. This is a must-do if a new facility’s being built. For retrofits, the fix is much harder because, as Austin emphasizes, “you’re always trying to shoehorn things in.”
- Incrementally add procedures and appliances. Remember security is analog, not binary. Incrementally adding devices that make the plant more and more secure is like the answer to the how-do-you-eat-an-elephant question. Answer: One bite at a time.
- Remember that security is more than technology and widgets. It’s also educating employees, having procedures in place, reviewing logs—things not obtained by buying a good firewall or switch.
Sidebar: Five Steps to a Secure Network