Manufacturers and process plants striving to add more intelligent devices to industrial networks that run at higher speeds have yet another challenge: protecting those networks from attacks. Security has become a critical aspect of industrial network design and management as the shift to Ethernet opens up potential pathways for cyber attackers. Like a mom protecting her kids from sunburn or frostbite, security specialists recommend companies install layers of defense mechanisms.
Establishing risk tolerances is one of the first steps for setting up the layers of a security program. Critical equipment might require more safeguarding than machines that process inexpensive elements. Risk analysis will determine how much security is needed.
“It’s best to prioritize various systems according to the criticality to the business,” says Tony Baker, product manager for network security at Rockwell Automation (www.rockwellautomation.com).“Assessments can then be made on the vulnerabilities of said systems. Once you understand that, you can implement the necessary controls to mitigate risk.”
Once risks are determined, design teams can begin the task of building up defenses. Layering different protective products and concepts is generally considered the best overall strategy. Defense-in-depth strategies usually begin with firewalls. Over the past few years, a number of companies have expanded product lines from data center firewalls to industrial versions.
“Five years ago, having a firewall between industrial environment and enterprise environment wasn’t an option,” says Paul Didier, industry solutions architect for manufacturing at Cisco (www.cisco.com). “You could either connect directly to a network or not at all. Now nearly 100 percent of customers are connected with a firewall in between.”
Firewalls can block malware, isolating industrial networks from corporate systems. However, that’s only a small aspect of protection. Networks can be disrupted by many issues that arise within the industrial environment.
“The reality is that a lot of things cause issues,” says Jim Toepper, business development manager for power markets at Moxa Americas (www.moxa.com). “You can have what I call an inadvertent hacker—a device that starts sending out a lot of messages. It sends so many [messages] that latency times start getting terrible. When an unmanaged switch starts multicasting messages like that, you can often find them with something as basic as Internet Group Management Protocol (IGMP) snooping.”
Security strategies must increasingly address changes in commercial technology. In many facilities, employees connect tablets or smartphones to networks. They may also connect their personal laptops to a plant’s wireless networks. These personal systems may potentially carry some sort of malware.
“In manufacturing especially, it’s more important to be able to have threat visibility/identification, because attacks often commence from inside the plant and could be accidental—i.e., a human accidentally hooking an infected device on a port or bringing in a botnet or virus,” Didier says. “Security tools need to be able to segment users, for example limiting contractors to only be able to perform certain types of operations on certain types of devices.”
Connecting to the cloud is another commercial trend that’s seeing heightened interest. When industrial networks access servers outside the corporate boundaries, managers need to consider the threats that may come from computers that may be used by thousands of people and companies located anywhere around the globe.
“A lot of people are talking about leveraging the cloud,” Toepper says. “I hope that when that comes to mind, they realize that the threats are bigger. When you get outside the plant, your vulnerability is greater.”
That’s just one way that threats are changing. Many attacks now come from professionals who threaten to shut down plants if they aren’t paid ransom. Threats may also stem from foreign countries that want to alter marketplace dynamics.
“There’s been a move away from the script kiddies to attacks by cyber professionals,” says Eric Byres, chief technology officer for Belden’s Tofino Security (www.belden.com/aboutbelden/beldencompanies/tofino-security.cfm). “Beyond that, there’s concern that a nation like North Korea could put its resources into a cyber offensive effort.”
Many protective strategies focus on blacklists that prevent unwanted or improper messages from getting to equipment and making changes. A reverse approach is to determine which messages should go from machine to machine and block unwanted messages.
“Critical asset protection protects crucial equipment that you don’t want altered by other equipment,” Toepper says. “The filters prevent anything from sending Start, Stop or certain other commands to critical equipment. There’s a lot of protection in that.”
Whitelisting, patching and more
Others take the time to further winnow down the list of authorized software, allowing only certain programs to communicate with certain machines. Once this strategy is put in place, it can perform well as long as it’s updated when equipment or processes are changed.
“Whitelisting limits run-time privileges to only known and trusted programs,” says Dan Schaffer, business development manager for networking and security at Phoenix Contact (www.phoenixcontact.com). “Common Internet File System (CIFS) Integrity Monitoring scans a file system and notifies the operator if anything that shouldn’t change does; since CIFS IM doesn’t require updated signatures like an antivirus does, it is great at detecting unknown threats.”
In some facilities, it might be necessary to eliminate all unwanted communications from transmission to critical equipment. Instead of blocking at a high level, some security specialists suggest blocking any communications that aren’t needed to keep equipment running efficiently.
“It’s not good enough to say, ‘We allow this protocol and block that protocol,’” Byres says. “We whitelist down to the minimum, allowing only the messages that are needed. Instead of trying to block everything that’s bad, we allow only what’s needed to run each piece of equipment. That way we don’t care what the bad guys do.”
Keeping programs up to date is a vital aspect of the ongoing need for security. Patches arrive regularly, posing challenges for those who must ensure that these updates don’t cause any issues with existing software.
“Patching is important; you will always have to patch,” Moxa’s Toepper says. “You need to make sure the sources of patches are viable and that they install without impact. Some IT groups have separate networks to test patches.”
Duplicating networks is a time-tested technique for testing new software. As an alternative, users who don’t want to set up a fully isolated network can run programs in a quarantined area so any glitches won’t impact the facility’s operations. Either way, ensuring that patches are legitimate is an obvious yet important step.
“One strategy for patches is redundancy, running parallel systems with one running normally and one running the patched software,” says Gary Williams, technology manager of cybersecurity and communications at Invensys, now part of Schneider Electric (www.schneider-electric.com).“The other is sandboxing, running the patch version in a sandbox that is not tied to production. Our strategy is to deliver blessed patches to the site, saying that these patches have been approved for our equipment, even emailing the ID numbers for the machines that each patch is for.”
As with any technology, decisions for deploying and implementing controls is highly dependent on the type of risk users are trying to mitigate. Some components can be updated without much effort. But security programs will be harder to update since they need to remain active any time the network is running.”
“For example, some systems are capable of maintaining proper patch levels, such as operating systems on the HMIs,” says Rockwell’s Baker. “Meanwhile, other systems may require a virtual patching solution provided by intrusion-prevention systems, since they cannot be taken out of service for maintenance.”
While technology plays a crucial role in safeguarding networks, trained employees and well-planned practices are at least as important. Staffers have to recognize potential threats that include emails or even the USB stick dropped in the parking lot.
“The weakest part of any security policy is the human component,” says James Collinge, CISSP application and network security manager at Cisco. “It’s important that employees understand what is expected of them in protecting corporate IP and what behavior is appropriate for threats such as phishing scams, removable media and others.”
Employees must also protect the identification techniques they use to log onto systems. Passwords must be protected so a disgruntled employee can’t steal a co-workers information and commit mischief that will be tracked to an innocent worker. Employee departures should also trigger actions to prevent potential disruptions.
“One of the biggest threats is a Post-It note that’s got a login and password,” says Carl Henning, deputy director for the network protocol organization PI North America (us.profinet.com).“Another common mistake is that when someone leaves the company, passwords aren’t changed.”
Paying attention to personnel inside the plant is a safeguard that can easily be overlooked, especially when contractors or others are allowed inside the plant. Outsiders should be barred from certain areas or escorted in secure spots. Employees may also be barred from sensitive areas.
“From an attacker’s perspective, once you have physical access you are basically in,” Rockwell’s Baker says. “Look at external maintenance and contractor access. Providing the right levels of access needs to work both physically and virtually. Physical security is an extremely important aspect of the overall defense-in-depth approach, but is not sufficient on its own.”
Ongoing training is an important aspect of staff awareness. Threats can change, and employees are likely to turn occasional shortcuts into permanent habits if managers don’t seem to care. Employee training and changes in technology need to change together over time as technologies, markets and other parameters evolve.
“It’s not just about hardware and software, but about continuous assessment, learning and improvement,” Collinge says. “Companies cannot stop once the solution is in place and the systems begin to gather data. They must evaluate and improve based on their assessment.”