Network Security Demands Less Complexity

As threats multiply, network security technologists rush to neutralize them.

Still, though, embarrassments and problems persist.  “Most we’ve seen come from confusion and complexity,” observes Eric Byres, chief technology officer of Lantzville, British Columbia, Canada-based Byres Security Inc. (www.tofinosecurity.com), a firm specializing in industrial cyber security. “People hang stuff on control system networks just as you do ornaments on a Christmas tree.”

Meanwhile, malware attacks and propagation are a big issue getting bigger, asserts Fred Kost, director of marketing for security solutions with network equipment provider Cisco Systems Inc. (www.cisco.com), San Jose, Calif. “This has become a business. The attackers are more clever and trickier.” With malware, the problem is more about styles of attack, which are targeted more directly at users, not servers, he adds.

Fighting attacks calls for common sense. “How are you using e-mail and the Web? How are you protecting inbound e-mail and restricting access?” Kost asks. According to Cisco’s just-released 2009 Annual Security report, 10 percent of all spam is “hard spam,” but it consumes 90 percent of anti-spam vendors’ resources. “It is not only much harder to block, but also more dangerous and sophisticated—and it’s on the rise. For instance, so-called targeted attacks involve sending a few spam messages to a specific corporate domain, in hopes the messages evade spam-detection systems,” the report says.

Keep it simple

Combating intruders also requires simplicity. “Complexity is the enemy of security. We’re absolutely making a huge mistake if we make security complex, to the point you need a consultant to come in and stand on the keyboard and wave a wand,” Byres declares. End-users need something “so simple they don’t have to become experts.” He suggests “drop-it-in, walk-away” automatically configured security systems.

But ease-of-use and maintenance aren’t the only reasons for simplicity. “I’ve seen unbelievably expensive firewalls that are very complicated. If it’s complex, though, you’ll never get it secure,” asserts Byres, who is also senior partner with Byres Research, which merged in March 2009 with Sellersville, Pa.-headquartered exida (www.exida.com), an industrial safety and security firm.

So what are frontline, got-to-have non-negotiables for securing networks? “Firewalls to allow you to segment your work—and intrusion protection to help you look for attacks,” Kost emphasizes.

Byres mentions user-conscious vendors. Vendors should provide a security/safety manual with their network products, he recommends. Such manuals must clearly state what users must do to deploy the product correctly, he says. Vendors must also know their products’ vulnerabilities, he advises. “It’s really important to understand what theoretical things could happen, and then have a strategy if something goes wrong.”

Two recent significant advances should improve manufacturing network safety. One is cooperation between network security and safety functions, something Byres sees in “more sophisticated companies, where it’s more of a culture than a practice.” The other comes through collaboration between the International Society of Automation (ISA, www.isa.org) and the International Electrotechnical Commission (IEC, www.iec.ch). The groups agreed that ISA’s industrial cyber security standard, ISA 99.02.01-2009, will be the IEC standard for industrial automation and control systems. When ratified, “it becomes the ‘gold standard,’ ” Byres remarks. “It’s the first time we’ve had an international security standard for process control.”

Clearly, security will remain crucial to plant environments because, as Kost says, “At the end of the day, the manufacturing environment is network-connected.” He advises segmentation, then having security in place to isolate areas. Byres agrees, noting, “In security, the weakest link in the chain is the problem. As a hacker, I would exploit that.”

ISA’s work should strengthen those links. “You’ll see companies that don’t have one big control network, but instead have zones with firewalls between,” Byres predicts. “I’m seeing that over and over: the concept of zones, breaking the plant down into little pieces.” Thus, simplicity-driven divide-and-defend trumps attack.

C. Kenna Amos, ckamosjr@earthlink.net, is an Automation World Contributing Editor.
