Steps to Secure Industrial Networks
On the other hand your industrial networks are already—or soon will be—connected to your company’s enterprise networks and migrated to Ethernet. In considering how to decrease cyber risk and protect assets, it's important to look for technology solutions that are designed for the plant floor.
Some of the differences between plant networks and office networks are:
- Different environments—industrial networks often operate in harsh physical environments.
- Different staff skills—you may be a rock star at making products or programming PLCs but designing a cybersecurity solution is likely not your strength.
- Different priorities—plant operators are most concerned about reliability & safety whereas enterprise IT teams usually have confidentiality as their highest system priority.
- Different protocols — plant networks must support industrial protocols required to keep equipment running & production working, which are challenging to secure.
Considering these factors, we share the following 6 steps for securing industrial networks.
1. Select industrial components
First, ensure all network components, including cabling, cabinets and active equipment, are industrially hardened, resilient and have high mean-time-between-failure (MTBF) ratings. In harsh environments with high uptime requirements, it's important to ensure your equipment is up the job.
The heart of IT network systems is often a climate controlled, secured data center where the equipment is typically standardized and less than 10 years old. Conversely, industrial networks operate on the plant floor, often in a hazardous environment, and the average life of the equipment is more than 10 years.
2. Look for redundancy & robustness
Equipment that is easy to disrupt makes the cyber attacker’s job easier and the team's job much harder. Active network components such as switches and routers must support industrial redundancy technologies to ensure operations will continue in the event of a malware attack or other network incident.
There are a lot of acronyms and buzz words in this area such as “zero-failover”, PRP (Parallel Redundancy Protocol) and HSR (High-availability Seamless Redundancy). The important thing to ensure is the networking equipment supports the level of redundancy required for your production needs.
3. Seek technologies that integrate with industrial network management systems
Integration into industrial management systems is critical for both support and security event monitoring. Using such a system will facilitate the detection of unusual activity on the network, an area that is typically poorly done in the industrial automation world.
You or other plant staff should be immediately alerted if a read-only remote operator station suddenly tries to program a PLC. Waiting for the IT team to analyze the event the next morning is too late.
4. Deploy firewalls that secure industrial protocols
Firewalls should be optimized to secure SCADA protocols such as Modbus and OPC, rather than email or web traffic. Web and email messages simply have no place on a plant floor system and products that inspect these protocols simply add cost and complexity to the security solution.
5. Practice Defense in Depth with zone-level security
Using the best practice of Defense in Depth, security should not end with a perimeter firewall for the plant network. Instead, production networks should be segmented according to ISA IEC 62443 standards. Each zone of devices should be protected with its own industrial firewall that can be deployed into a live plant network without risk to operations.
6. Focus Your Efforts
Every control system has one or more assets that would seriously impact production, safety or the environment if successfully attacked. These might be the SIS (safety integrated system) in a refinery, the PLC controlling chlorine levels in a water filtration plant or the RTU in an electrical substation.
You and others in the plant know what really matters to the operation. If those assets are aggressively protected, the chance of a truly serious cyber incident is massively reduced. Secure Industrial Networks with Solutions Designed for Industry. If you are uncertain about how to improve the cyber security posture of your facility, following the recommendations above will shorten the time it takes to make improvements.
An additional tool is the white paper “7 Steps to ICS and SCADA Security,” available below, which summarizes best practices for ensuring good cybersecurity.
Related Links
- Securityinfowatch.com
- Blog: OT Cybersecurity in Three Steps
- Blog: Configuring & Security Time Sensitive Networks
- Webpage: Security Capabilities
- Webpage: RSP Series Managed Switches