- Industrial components: First, ensure that all network components, including cabling, cabinets and active equipment, are industrially hardened and resilient and carry high mean-time-between-failure (MTBF) ratings. The demands of the plant floor are typically much harsher than those of a typical IT environment and require equipment to match. Furthermore, the requirement for 24-hour operations means that availability, not confidentiality, is the most important security attribute on the plant floor.
- Redundancy and robustness: Equipment that is easy to disrupt makes the attacker’s job easier and the support staff’s job much more difficult. Active components of the network, such as switches and routers, need to support industrial redundancy technologies such as Parallel Redundancy Protocol (PRP) and High-availability Seamless Redundancy (HSR), both specified in IEC 62439-3. If security or production cameras are part of the network, then the switches must have the bandwidth and multicast video support necessary to carry those services.
- Seek technologies that integrate with industrial network management systems: Industrial switches and routers are supported and secured by trade personnel that are typically not IT professionals. This means that integration into industrial management systems is critical for both support and security event monitoring. The same holds true for firewalls that secure communications between business networks and industrial networks or other areas of the plant — they all need to integrate into your industrial network management system of choice.
- Deploy firewalls that secure industrial protocols: Firewalls should be optimized to secure SCADA protocols such as Modbus and OPC, rather than email or web traffic. Web and email messages have no place on a plant floor system, so products that inspect these protocols only add cost and complexity to the security solution. Because Modbus/TCP carries no authentication of its own, the useful control is at the function-code level: permit reads from hosts that only monitor, and block writes and programming operations from anything that is not an authorized engineering workstation.
- Practice Defense in Depth with zone-level security: Using the best practice of Defense in Depth, security should not end with a perimeter firewall for the plant network. Instead, production networks should be segmented into zones and conduits according to the ISA/IEC 62443 standards. Each zone of devices should be protected with its own industrial firewall that can be deployed into a live plant network without risk to operations.
Focus Your Efforts
Your enterprise IT team focuses its efforts on its most important assets. Every control system has one or more assets whose compromise would seriously impact production, safety or the environment. These might be the safety instrumented system (SIS) in a refinery, the PLC controlling chlorine levels in a water filtration plant, or the RTU in an electrical substation.
Your control engineers know what really matters to the operation. If those assets are aggressively protected, the chance of a truly serious cyber incident is massively reduced.
Another area for focus is detection. The industrial automation world is poor at detecting anything unusual on control networks. Make sure your firewalls and other security devices have good reporting capabilities and are integrated into an industrial management system. Your production engineers and operators should be alerted immediately if a read-only remote operator station suddenly tries to program a PLC.
Waiting for the IT team to analyze the event the next morning is too late.
Teamwork is Required
As industrial assets become more exposed, it is important to understand the ways in which industrial and enterprise-level security intersect and diverge. IT and engineering teams need to work together within organizations, just as all industry participants must cooperate to ensure that best practices are in place and that innovative advances in security are developed and deployed.
Whether your organization is a critical infrastructure provider or your enterprise has one or more industrial networks, securing these networks has never been more important.
Eric Byres is CTO at Tofino Security, part of Belden’s Hirschmann industrial networking group. He is an expert in the field of critical infrastructure security and can be reached at firstname.lastname@example.org. Brian Oulton is Director of Industrial Vertical Marketing at Belden. He has 27 years of experience in the industrial automation industry and can be reached at email@example.com.
For more information about Belden, please visit www.securityinfowatch.com/10213010.