If you’re the person tasked with security—and if you're reading this, you probably are—the ambiguity surrounding industrial network security has probably struck you already. It seems as if no one is offering security like they offer a PLC or drive. There are plenty of experts who can help you, but their approach feels more custom than standardized, and they tell you you’re never completely secure… just more secure than you were before.
The Easy Way Out
As daunting as solving the industrial network security puzzle for your facility may seem, the easy answer has been right in front of you the whole time. You need to reach out to your friends in your IT department. While many controls and process engineers have had their struggles working with IT, when it comes to security, they are your most valuable resource.
Consider this: IT has been implementing security effectively in the enterprise space for many years. In addition, it is not uncommon for IT professionals to have been trained and certified to apply enterprise security. They know what security costs, how to implement security, and how to manage it. They understand the buzzwords and keep up with security trends, technologies and products. They have a budget for security and often can include the industrial space in their security deployments.
Though the security IT can provide is very close to what’s needed in the industrial space, you’ll need to provide your newfound friends in IT with some important information before you turn over the responsibility to them. Here’s your step-by-step guide:
- Repair any bridges you may have burned previously with your IT contact.
- Find out who handles computer and network security at your company, get an introduction from your friend, and meet with them.
- Ask them about the kinds of things they do currently to provide security. Regardless of whether they blow you away with technological sophistication or humbly list a few things like providing antivirus, password authentication and a perimeter firewall, you should acknowledge, respect and compliment their efforts and abilities.
- Ask if they are willing and able to extend their security further into your production area. Be prepared to work through any hesitation on their part to gain their support. Even if it means climbing a mountain, remember that having them carry the security load will be way easier than doing it yourself.
- They may recommend doing a risk assessment to determine how best to add security. This is a good idea, especially if they agree to keep it simple.
- You’ll have an easier time securing your application if you first clean up your networks. Not only does cleaning up your network infrastructure make security easy, your networks will be easier to manage and expand.
- Be sure to insist on the use of industrial switches, routers and physical media. IT typically doesn’t understand your specific needs here, so this is one area in which you’ll need to be actively involved. Make sure IT understands that, even when sitting in a control room, equipment can be exposed to aspects of the plant environment such as shock and vibration, electromechanical noise, temperature extremes and possibly chemical exposure. Also make sure that the industrial-grade firewalls being reviewed are able to check industrial network protocols like Modbus, EtherNet/IP, and OPC.
Share with them these very important considerations for implementing industrial security:
- IT’s standard PC antivirus and authentication approaches are fine.
- IT’s enterprise-style of patch management can’t be automatically deployed on the plant floor. Instead it needs to be planned and scheduled to ensure they don’t download a patch and reboot a plant floor computer in the middle of production. Also, you’ll probably need to test the computer’s applications after applying patches and maintain the ability to roll back the computer if there are problems.
- IT knows little about PLCs, DCSs and drives, so you’ll need to ensure those devices are appropriately secure yourself. Appropriate steps include setting their passwords, locking or disabling unused ports on these devices and ensuring the networks and other connections to them are secure.