When approaching any problem, the best approach is to consider the optimal solution and see how much of it can be applied to your particular situation. Since the best way to implement security in an industrial network is to design it in from the beginning, let’s start by looking at how that’s done so that as much of that process as possible can be adapted when adding security to an existing system.
If you were implementing a new system with a clean sheet of paper, using a new design and new equipment, the general process to design in security for that system involves the following steps:
- Perform a risk assessment to determine the level and type of security you need;
- Use a defense-in-depth model to create layered security using:
  - Policy and procedures that are reasonable, and train, audit and enforce them regularly;
  - Physical security such as locks, cameras, etc.;
  - Network design for the system with clearly defined zones separated by firewalls;
  - Computer security: ensure computers are locked down in terms of who can access them and what can be installed, and have a consistent plan for installing antivirus and whitelisting software;
  - Device security: create clear access control defining who can do what, where, and when.
Once these five steps are implemented, it is absolutely necessary to establish regular security audits, reviews, and appropriate budget to update frequently as circumstances change.
With this clear-cut approach in mind, let’s consider the attributes of existing applications that create the security challenges most of us face:
- You likely have an ad-hoc network that evolved over time with poor documentation. This usually means that you're not sure what your network really looks like, and you're reasonably sure no one else at your facility does either. On top of this, you know of multiple unsecured points of entry, which means there are likely many more you don't know about: supplier modems and cell connections, unsecured guest accounts, software being used without locked-down security, doors and gates propped open, too many copies of keys, etc.
- This ad hoc network that was built over 20 years with multiple generations of different vendors’ automation equipment now hosts numerous serial devices communicating at least seven different fieldbus protocols, all with different configurations and security features. And most of these security options are disabled.
- Mixed in with all the industrial equipment and communications are IT-deployed commercial-grade network assets.
- Too many entities—individuals or business departments—with too many different business objectives that need and have access to the system. This often means that any changes proposed to the system will appear to make someone’s job more difficult or impossible.
- Your facility operates under a decentralized management structure and culture.
- For years now you’ve been functioning with a reduced workforce and little budget or tolerance to enable you to work strategically.
- Since your system has not been hacked in any way that exposed specific weaknesses, there has been no security directive from management other than you being asked to "do security".
Applying the Clean Sheet Approach
If any of this sounds familiar, don’t freak out. Here’s what you do to adapt the “clean sheet of paper” approach to the mess you likely have to deal with:
- Turn ad-hoc into an infrastructure. Yes, this takes some thought to sort out and organize what you have, but the best place to start is to identify your physical and/or functional zones, then add Layer 3 switches or routers to create the segmentation within your existing system. Work with the budget you have or beg for a little more to sort this out. This is a core first step in building a securable network infrastructure. So if you’ve been asked to “do security”, securing budget for this step should not be too difficult.
- Add perimeter and zone security devices, turn on the security features in your routers and switches, and improve your physical security by using the network for added surveillance, monitoring, detection and incident action. With industrial Ethernet as your base, adding cameras to your network is incredibly simple, as is ensuring notification gets to the right people anytime, anywhere.
- With segmentation in place, develop a plan for your network infrastructure to evolve with the business. This does not mean you’ll need to plan for your network to become larger. More than likely it will involve moving from the many networks and technologies you currently have in place to fewer. To do this effectively, use industrial Ethernet as the communication physical layer. The sooner you get to an infrastructure with industrial Ethernet at the core, the easier it will be to add security and future proof your design.
- Now you can begin adapting those "clean sheet of paper" ideas to your reality. Step one of this process is performing the security risk assessment. Prioritize the identified risks using the approach government agencies use. This means considering how difficult it is, or isn't, for something bad to happen to your system, how impactful the bad thing would be, and how long and difficult recovery from it would be. Quantifying the cost impact if the top risks do actually occur will ease your path in getting approval for the security measures you need. For more information on performing industrial network risk assessments, see "7 Steps to ICS and SCADA Security".
- Sit down with this prioritized list and consider options for mitigating each risk starting at the top. Assess all of your options with the five-point defense-in-depth approach outlined above. In doing this assessment, you may find that an extensive cleaning up of your infrastructure may be the best, easiest, most cost-effective route to a secure system. If you don't have the green light from management to do it all your way, be sure to devise options to mitigate each risk individually.
- Once you’ve got a few options in place to mitigate the highest priority items, pull together a team of key people. Share your work and ideas with them and ask them for their input and support. As objections are voiced, offer other options for mitigating each risk to determine if the group finds them more attractive. Be sure to ask the group to come up with better ideas if yours are consistently challenged.
- Put together a plan that the team can agree on to gain their support and buy-in, even if the resulting plan isn't pretty or perfect.
- Implement the plan and maintain commitment from the team to take the next steps to pursue the next phase, recognizing that effective, ongoing security requires regular auditing, monitoring, and updating.
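As an added illustration of the risk-assessment and prioritization step described above (this is example code written for this page, not a tool from the article or from any agency's method), the block below scores each risk on the three factors the text names, likelihood, impact and recovery effort, and separately estimates an annual cost figure to support the budget conversation. The 1-to-5 scales, the multiplicative scoring, and the sample risks and dollar figures are all constructed assumptions for the demonstration.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One entry in a plant risk register (scales are assumptions for this example)."""
    name: str
    likelihood: int        # 1 = hard for the bad thing to happen .. 5 = easy
    impact: int            # 1 = nuisance .. 5 = safety or plant-wide outage
    recovery: int          # 1 = restored in hours .. 5 = weeks of effort
    loss_per_event: float  # estimated cost of one occurrence (constructed figure)
    events_per_year: float # estimated frequency of occurrence (constructed figure)

    def score(self) -> int:
        # Combine the three factors from the text into one priority number.
        return self.likelihood * self.impact * self.recovery

    def annual_loss(self) -> float:
        # Expected yearly cost: what management will want to see next to each item.
        return self.loss_per_event * self.events_per_year


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Highest priority first; ties broken by the larger expected annual loss."""
    return sorted(risks, key=lambda r: (r.score(), r.annual_loss()), reverse=True)


def top_names(risks: list[Risk]) -> list[str]:
    return [r.name for r in prioritize(risks)]


def total_annual_loss(risks: list[Risk]) -> float:
    return sum(r.annual_loss() for r in risks)


# Constructed sample register, drawn from the kinds of weak points the text lists.
SAMPLE_RISKS = [
    Risk("Unmanaged supplier modem", 4, 4, 3, 250_000.0, 0.2),
    Risk("Fieldbus security features disabled", 3, 5, 4, 400_000.0, 0.1),
    Risk("Propped-open door to control room", 5, 2, 2, 20_000.0, 1.0),
    Risk("Unsecured guest account", 4, 3, 2, 60_000.0, 0.5),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        print(f"{r.score():3d}  ${r.annual_loss():>10,.0f}/yr  {r.name}")
    print(f"Total expected annual loss: ${total_annual_loss(SAMPLE_RISKS):,.0f}")
```

The two numbers are kept separate on purpose: the score drives the order in which you mitigate, while the annual loss is the figure that justifies spending on the mitigation. Note that the ranking and the cost ordering do not always agree (the modem is second by score but carries the largest expected loss), which is exactly the kind of point worth raising with the team.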