Locking down industrial ethernet

June 1, 2003
As industrial networks enable more applications to support Ethernet as an infrastructure, they become prone to greater security threats.

Moreover, as industrial networks are connected to the rest of the corporate network, malicious applications or users can cause outages on the industrial floor and a consequent loss of revenue. Security is an integral part of all factory designs that cannot be overlooked.

Reassuringly, today’s Ethernet networking equipment offers built-in safeguards to prevent unauthorized access. By using security techniques common to both factory and corporate networks, manufacturers can be assured of company-wide network security. Here, we will review the most common security measures used in enterprise networks, which can serve as a foundation for factory networks as well.

Middle man out

First, let’s look at ways to secure individual network devices. If the network device has a console port, it should be password protected. If the device allows for telnet or Web access, then more secure mechanisms such as Secure Shell (SSH) and Secure Sockets Layer (SSL) protocols should be turned on. By using these two protocols, traffic (including passwords) is encrypted. This prevents an attacker positioned on the path (the classic “man-in-the-middle”) from reading captured traffic and harvesting proprietary data or passwords.

In addition, a centralized set of passwords may also be employed. Using RADIUS or TACACS+ security protocols in a centralized database eliminates the need for local passwords in each device and also makes for easy upgrades or password changes. If the network device supports Simple Network Management Protocol (SNMP), Version 3, which encrypts the messages, it should be used.

Most factory floor managers do not want to open up their networks to general traffic. In this case, Access Control Lists (ACLs) can be used to limit which devices can talk to which other devices and by which protocol. By using an ACL, traffic patterns can be classified and explicitly permitted or denied on individual ports. Security ACLs can also be used to limit access to a particular port or switch based on the Media Access Control (MAC) address. By using a particular MAC address and a mask value, it is possible to create a filter that allows only a specific vendor’s programmable logic controller (PLC) to be connected to a particular port: the mask compares only the vendor portion of the address, so the rule matches regardless of the unique MAC address on the individual device.
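The following is an added example (not code from the original article or from any switch vendor) showing how a MAC-plus-mask ACL of the kind described above is evaluated. The vendor prefix 00:11:22, the port names and the protocol labels are constructed for illustration; the matching logic is the general one, so it also covers exact-address rules and protocol-specific rules.

```python
# Added example: a Layer 2 ACL evaluator. A rule carries a MAC address and a
# mask; only the bits set in the mask are compared, so a mask of
# ff:ff:ff:00:00:00 pins a port to one vendor's OUI while ignoring the
# device-specific lower 24 bits. All addresses and names are constructed.

from dataclasses import dataclass
from typing import List, Optional


def mac_to_int(mac: str) -> int:
    """Parse colon, dash or dotted (0011.2233.4455) notation into a 48-bit int."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class AclRule:
    action: str                      # "permit" or "deny"
    mac: str                         # address to compare against
    mask: str                        # 1 bits are compared, 0 bits are wildcards
    protocol: Optional[str] = None   # e.g. "ethernet/ip"; None matches any protocol
    port: Optional[str] = None       # switch port the rule applies to; None = any port

    def matches(self, src_mac: str, protocol: str, port: str) -> bool:
        mask = mac_to_int(self.mask)
        if (mac_to_int(src_mac) & mask) != (mac_to_int(self.mac) & mask):
            return False
        if self.protocol is not None and self.protocol != protocol:
            return False
        if self.port is not None and self.port != port:
            return False
        return True


def evaluate(rules: List[AclRule], src_mac: str, protocol: str, port: str) -> str:
    """First matching rule wins; with no match the ACL's implicit deny applies."""
    for rule in rules:
        if rule.matches(src_mac, protocol, port):
            return rule.action
    return "deny"


# Constructed policy: port Fa0/1 accepts only EtherNet/IP from a PLC whose
# OUI is 00:11:22 (hypothetical vendor); port Fa0/2 accepts only one exact
# engineering-workstation address; everything else falls to implicit deny.
RULES = [
    AclRule("permit", "00:11:22:00:00:00", "ff:ff:ff:00:00:00",
            protocol="ethernet/ip", port="Fa0/1"),
    AclRule("permit", "00:aa:bb:cc:dd:ee", "ff:ff:ff:ff:ff:ff", port="Fa0/2"),
]

if __name__ == "__main__":
    frames = [  # (source MAC, protocol, ingress port), constructed
        ("00:11:22:ab:cd:ef", "ethernet/ip", "Fa0/1"),
        ("00:11:22:ab:cd:ef", "modbus-tcp", "Fa0/1"),
        ("00:aa:bb:cc:dd:ee", "modbus-tcp", "Fa0/2"),
        ("00:aa:bb:cc:dd:ee", "modbus-tcp", "Fa0/3"),
    ]
    for src, proto, port in frames:
        print(f"{port:6} {src} {proto:12} -> {evaluate(RULES, src, proto, port)}")
```

Rule order matters: the evaluator stops at the first match, so a broad deny placed ahead of a narrow permit silently shadows it, which is the most common ACL mistake to check for when a PLC stops communicating after a policy change.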

Intrusion detection

In any network, industrial or otherwise, the administrator wants to know when devices join or leave the network. The network device can be configured to send a trap message to the Network Administration Console, with the particular MAC address, the port and switch that it is connecting to or disconnecting from. This can aid in intrusion detection and fault management.

For security purposes, it may be important to limit or block traffic to end device ports. This ensures that there is no exchange of unicast, broadcast or multicast traffic between these access ports on the switch. A protected port does not forward any traffic to any other port that is also a protected port. Traffic cannot be forwarded between protected ports at Layer 2 of the seven-layer Open Systems Interconnection (OSI) model; all traffic passing between protected ports must be forwarded through a Layer 3 device.
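As an added example covering both the join/leave notifications described under "Intrusion detection" and the protected-port rule just stated (this is illustrative code, not the article's or any vendor's), the toy switch below records a trap-style event whenever a MAC address is learned on, moved between, or removed from a port, and refuses to forward a frame from one protected port to another. The switch name, port names and addresses are constructed.

```python
# Added example: a minimal Layer 2 switch model with MAC-learning traps and
# protected-port isolation. Frames between two protected ports are dropped at
# Layer 2; reaching another protected port would require a Layer 3 device.

from dataclasses import dataclass, field
from typing import Dict, List, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Trap:
    event: str     # "mac-learned" or "mac-removed"
    switch: str
    port: str
    mac: str


@dataclass
class Switch:
    name: str
    ports: List[str]
    protected: Set[str] = field(default_factory=set)
    mac_table: Dict[str, str] = field(default_factory=dict)   # mac -> port
    traps: List[Trap] = field(default_factory=list)           # what the console would receive

    def learn(self, mac: str, port: str) -> None:
        """Learn (or move) a source MAC; emit a trap whenever the table changes."""
        old = self.mac_table.get(mac)
        if old == port:
            return
        if old is not None:       # address moved: report it leaving the old port first
            self.traps.append(Trap("mac-removed", self.name, old, mac))
        self.mac_table[mac] = port
        self.traps.append(Trap("mac-learned", self.name, port, mac))

    def age_out(self, mac: str) -> None:
        """Remove an idle entry, as a switch does when its aging timer expires."""
        port = self.mac_table.pop(mac, None)
        if port is not None:
            self.traps.append(Trap("mac-removed", self.name, port, mac))

    def forward(self, in_port: str, src_mac: str, dst_mac: str) -> List[str]:
        """Return the egress ports for a frame after applying protected-port rules."""
        self.learn(src_mac, in_port)
        known = self.mac_table.get(dst_mac)
        if known == in_port:
            candidates: List[str] = []           # destination hangs off the ingress port
        elif known is not None and dst_mac != BROADCAST:
            candidates = [known]                 # unicast to a known address
        else:
            candidates = [p for p in self.ports if p != in_port]   # flood unknown/broadcast
        if in_port in self.protected:
            candidates = [p for p in candidates if p not in self.protected]
        return candidates


if __name__ == "__main__":
    sw = Switch("plc-sw-01", ["Fa0/1", "Fa0/2", "Fa0/3", "Fa0/4"],
                protected={"Fa0/1", "Fa0/2"})
    print(sw.forward("Fa0/1", "00:11:22:00:00:01", BROADCAST))        # floods only to Fa0/3, Fa0/4
    print(sw.forward("Fa0/2", "00:11:22:00:00:02", "00:11:22:00:00:01"))  # [] : protected -> protected
    print(sw.forward("Fa0/3", "00:aa:bb:00:00:03", "00:11:22:00:00:01"))  # ['Fa0/1']
    for t in sw.traps:
        print(t)
```

The `mac-removed` followed by `mac-learned` pair that `learn` emits when an address moves ports is the signal an administrator watches for: a known PLC address suddenly appearing on a different port is either a cabling change or someone plugging in a device that claims that address.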

For wireless applications, the IEEE 802.1X protocol defines a methodology to authenticate users based on password schemes. This allows users to be mobile while still providing a layer of security in the network.

In 802.1X, each client device must authenticate via a central server before access to the port is opened to normal traffic. Using the Extensible Authentication Protocol (EAP), each client device sends its device code and password. These are passed through the access layer switch to the authentication server. If the client is authenticated, a message travels back to the switch telling it to open that port.

In most cases, 802.1X is used for public access ports. It is hoped that future industrial automation devices will include support for 802.1X in their protocol stacks.
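The exchange described in the two paragraphs above, as an added example that is not part of the original article: a supplicant (the client device), an authenticator (the access switch) and an authentication server, with the switch port closed to everything but 802.1X traffic until the server answers. The identity "plc-0042", its secret, the port names and the challenge-response construction (modelled loosely on EAP-MD5 and simplified) are all assumptions made for this illustration.

```python
# Added example: a simulated 802.1X port-authentication exchange. The
# authenticator relays EAP messages between supplicant and server and only
# authorizes the port after an Access-Accept. Credentials are constructed.

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed credential store held by the authentication server (RADIUS-like).
CREDENTIALS: Dict[str, bytes] = {"plc-0042": b"example-secret"}


def eap_response(identity: str, password: bytes, challenge: bytes) -> bytes:
    """Challenge response (EAP-MD5 style, hypothetical layout): hash over id, secret, nonce."""
    return hashlib.md5(identity.encode() + password + challenge).digest()


@dataclass
class AuthServer:
    credentials: Dict[str, bytes]
    pending: Dict[str, bytes] = field(default_factory=dict)   # outstanding challenges

    def challenge_for(self, identity: str) -> bytes:
        challenge = os.urandom(16)
        self.pending[identity] = challenge
        return challenge

    def verify(self, identity: str, response: bytes) -> bool:
        challenge = self.pending.pop(identity, None)
        password = self.credentials.get(identity)
        if challenge is None or password is None:
            return False       # unknown device code or no challenge outstanding
        return hmac.compare_digest(response, eap_response(identity, password, challenge))


@dataclass
class Supplicant:
    identity: str      # the "device code" of the article
    password: bytes


@dataclass
class Authenticator:
    server: AuthServer
    port_state: Dict[str, str] = field(default_factory=dict)   # port -> authorized/unauthorized
    log: List[str] = field(default_factory=list)                # message trace, both directions

    def link_up(self, port: str) -> None:
        self.port_state[port] = "unauthorized"   # default state when a link comes up

    def admit_frame(self, port: str, is_eapol: bool) -> bool:
        """Before authorization only EAPOL (802.1X) frames pass through the port."""
        return is_eapol or self.port_state.get(port) == "authorized"

    def authenticate(self, port: str, supplicant: Supplicant) -> bool:
        self.log.append(f"{port}: switch -> supplicant  EAP-Request/Identity")
        identity = supplicant.identity
        self.log.append(f"{port}: supplicant -> switch  EAP-Response/Identity({identity})")
        self.log.append(f"{port}: switch -> server      relay identity")
        challenge = self.server.challenge_for(identity)
        self.log.append(f"{port}: server -> supplicant  EAP-Request/Challenge via switch")
        response = eap_response(identity, supplicant.password, challenge)
        self.log.append(f"{port}: supplicant -> server  EAP-Response/Challenge via switch")
        if self.server.verify(identity, response):
            self.port_state[port] = "authorized"
            self.log.append(f"{port}: server -> switch      Access-Accept, port opened")
            return True
        self.port_state[port] = "unauthorized"
        self.log.append(f"{port}: server -> switch      Access-Reject, port stays closed")
        return False


if __name__ == "__main__":
    auth = Authenticator(AuthServer(dict(CREDENTIALS)))
    auth.link_up("Fa0/5")
    print("data frame before auth admitted:", auth.admit_frame("Fa0/5", is_eapol=False))
    print("authenticated:", auth.authenticate("Fa0/5", Supplicant("plc-0042", b"example-secret")))
    print("data frame after auth admitted:", auth.admit_frame("Fa0/5", is_eapol=False))
    print("\n".join(auth.log))
```

Note that the switch never sees the secret itself; it only relays EAP payloads and acts on the server's verdict, which is what lets the credential database stay central (as with the RADIUS and TACACS+ setups mentioned earlier) rather than being copied into every access switch.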
