Industrial control system (ICS) networks are getting a lot of attention these days, and it is not all good. A few years ago, we were discussing the merits of Ethernet (TCP/IP) based communications. Now it’s accepted as common practice and adopted as a standard platform by all the major automation control manufacturers and system providers.
Smart manufacturing, Industry 4.0, Industrial Internet of Things (IIoT) and other initiatives are all building on the maturity of various technologies used in manufacturing. The convergence of these technologies is being supported by the availability, capability and reliability of the Internet and/or Internet-related technologies. The backbone of these solutions is the ICS network: All promote the collection of data and real-time analytics with the promise of increased profits through greater insight into a more integrated plant floor.
None of this has escaped the attention of those who wish to disrupt your manufacturing operations—whether a targeted or opportunistic attack. Inadvertent actions by well-intentioned employees pose considerable risk as well.
When securing an industrial network, it’s important to note that a single security technology, device, method or procedure is not enough to provide adequate protection. It is important that your network architecture implement defense-in-depth techniques. Using several layers of security of various technologies and methods will minimize the impact when a security measure fails.
Main distribution frames (MDFs), intermediate distribution frames (IDFs) and dedicated rooms are essential to properly disperse and restrict physical access to critical network components. These areas with servers, firewalls, switches and other devices should be limited to only the people necessary—preventing unauthorized access to equipment, configuration changes, adding of unauthorized devices to the network, and other changes to the network. Security measures can be as simple as a lock and key or can include biometric scanners and other measures for more sensitive areas.
Network segmentation will help with performance and prevent communication to and from unauthorized devices. Virtual local area networks (VLANs) will break up the network into several pieces and keep broadcasts contained. By placing firewalls between network segments, you can control which devices can communicate across network segments and what data can pass through. Creating a demilitarized zone (DMZ) between your manufacturing and corporate networks will allow users to access the data they need without compromising security or performance of either network.
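The segmentation pattern above, as an added illustration that is not from the original post: a small Python model of a default-deny, zone-based firewall policy for the three segments (corporate, DMZ, manufacturing/ICS), with an audit that flags any rule joining corporate and ICS directly instead of through the DMZ. The zone names, subnets, hosts and ports are constructed assumptions.

```python
"""Zone-based segmentation model: corporate <-> DMZ <-> ICS, default deny."""
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional

# Constructed address plan (assumption, not a real plant network).
ZONES = {
    "corporate": ip_network("10.0.0.0/16"),
    "dmz": ip_network("172.16.1.0/24"),
    "ics": ip_network("192.168.10.0/24"),
}


class Rule(NamedTuple):
    src_zone: str
    dst_zone: str
    dst_port: int
    proto: str = "tcp"


# Allow list enforced by the firewalls between segments; anything not listed is dropped.
POLICY = [
    Rule("corporate", "dmz", 443),  # users read reports from the DMZ data server
    Rule("ics", "dmz", 4840),       # controllers/servers in ICS push data to the DMZ
]


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone; None means an unknown/unauthorized device."""
    addr = ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)


def is_allowed(policy: List[Rule], src_ip: str, dst_ip: str,
               dst_port: int, proto: str = "tcp") -> bool:
    """Default deny: a cross-segment flow passes only if a rule matches exactly."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False          # unknown device on either end: drop
    if src == dst:
        return True           # same VLAN/segment; never reaches the firewall
    return Rule(src, dst, dst_port, proto) in policy


def audit(policy: List[Rule]) -> List[str]:
    """Report rules that bypass the DMZ by linking corporate and ICS directly."""
    return [f"{r.src_zone}->{r.dst_zone}:{r.dst_port}/{r.proto}"
            for r in policy if {r.src_zone, r.dst_zone} == {"corporate", "ics"}]
```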
In a typical enterprise network, security measures are in place at the device level as well. It is common practice to implement antivirus software on computers and servers, and regularly update with security patches. Careful consideration needs to be given to the ICS network before implementation of these common practices because a number of ICS components—specifically legacy components—might not be compatible. Implementation of device-level security measures on an ICS network could degrade or completely impede the performance of the network, having the same or similar effects on your manufacturing process.
“Failing to address the human component of data protection can negate many of the next-generation defense-in-depth technologies in which organizations are investing handsomely,” noted Will R. Daugherty, counsel with BakerHostetler’s privacy and data protection team.
Reporting indicates that the greatest threat comes from within your organization, whether from a malicious user, negligence or accident. Your users are both your best potential defense and your greatest risk. Create security policies and educate users on them. A well-intentioned user might connect an unauthorized network device without realizing the vulnerability they have created. USB devices are particularly suspect and a primary method of delivering malware: USB ports are used by phones, storage and countless other devices and are therefore a common way for malicious software to spread, so it is best to disable these ports if they are not needed. This is how the Stuxnet worm was able to disrupt Iran’s nuclear program between 2007 and 2010. Educating users will help them realize that plugging just any USB flash drive into their computer is a bad idea. Educated users can also alert you to network issues, allowing more proactive measures to be taken and possibly preventing downtime.
This post presents an overview of ICS security essentials and is meant to encourage you to take a closer look at your ICS network and consider your security needs. There are several great resources out there to help you; we like the NIST SP 800-82 Guide to Industrial Control Systems (ICS) Security.
In the future, we hope to post a discussion on information security, network security and cybersecurity. In the meantime, we encourage you to consider these security aspects and their roles in your ICS network.
Larry Asher is director of operations and Nick Strahm is systems administrator and operational technology specialist at Bachelor Controls Inc., a certified member of the Control System Integrators Association (CSIA). For more information about Bachelor Controls, visit its profile on the Industrial Automation Exchange.