5 Steps to Implementing a Defense-In-Depth Security Solution

As seen in The Journal 2014 Trends in Technology

October 1, 2014

Cyber attacks on industrial automation and control system (IACS) network infrastructures are on the rise. These five steps can help you ensure that your security system stays current and effective.

Cyber attacks aren't just for retailers anymore. With the increasing integration of information technology (IT) in the plant, manufacturers are more vulnerable to an IACS network security breach. Cyber warfare targeting IACS systems isn't a new concept, but it is becoming more prevalent as hackers find new ways to devastate a manufacturer through costly downtime. Such attacks can be especially dangerous for companies impacting the food supply chain, such as food manufacturers and copackers.

A firewall is key to protecting an IACS network against a cyber attack. Governing bodies such as the International Society of Automation (ISA, see ISA99 Standards) and the National Institute of Standards and Technology (NIST, see Special Publication 800-82) provide recommendations and best practices for industrial security policies and procedures. Here's a five-step plan for implementing a firewall for a control network to help ensure its long-term success.

Step 1: Establish an IDMZ
An industrial demilitarization zone (IDMZ) provides a protective layer between an organization's enterprise network and the IACS network. It is a landing point between the two systems: data is housed on a local area network (LAN) that both the enterprise and the IACS can reach, so they can share information and communicate without exposing either network to direct access.

An adaptive security appliance from Rockwell Automation Strategic Alliance Partner Cisco is commonly used for IDMZ implementations.

Step 2: Establish Communication Rules
Rules set the organization-wide standards for communicating in the IDMZ. Before setting communication rules, conduct a thorough audit of the manufacturing execution systems (MES) currently in place, such as software used for reporting (e.g. FactoryTalk ViewPoint and FactoryTalk VantagePoint) and data collection (e.g. FactoryTalk Historian), as well as devices and objects on the network, such as human-machine interfaces (HMIs) and programmable automation controllers (PACs).

Conducting a complete audit requires bringing together the knowledge of IACS engineers and IT professionals who understand the network environments and can locate all systems and devices in use. An experienced system integrator can analyze networks, track down devices and scan for security risks. Further analysis will evaluate the necessary interaction between these networks and devices. Ultimately, this audit will both provide insight into what's on the network and identify vulnerabilities.

Next, it's important to know what information is required from the enterprise, such as individual line productivity. This data can help a company quickly identify problems to prevent costly downtime. Any networks and devices that provide such data must be accessible to the enterprise via the IDMZ. Other information not related to productivity might not be necessary for enterprise access.

Using information from the audit, communication rules are established to determine what data should be accessible and the best communication paths to share that data. The communication rules cover paths for all devices and objects, right down to specific ports and applications.
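One way to review proposed communication rules against the audit before they reach the firewall, as an added example that is not from the original article or any vendor's tooling. The device names, zones, ports and rule format are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed audit inventory: device name -> zone (all names hypothetical).
INVENTORY = {
    "erp-reporting": "enterprise",
    "historian-mirror": "idmz",
    "site-historian": "iacs",
    "line1-pac": "iacs",
}

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    port: object  # an int for a specific port; anything else is rejected
    app: str

def audit_rule(rule, inventory=INVENTORY):
    """Return the list of findings for one proposed communication rule."""
    findings = []
    for end in (rule.src, rule.dst):
        if end not in inventory:
            findings.append(f"{end}: not in audit inventory")
    zones = {inventory.get(rule.src), inventory.get(rule.dst)}
    if zones == {"enterprise", "iacs"}:  # both networks must meet in the IDMZ
        findings.append("direct enterprise<->IACS path bypasses the IDMZ")
    if not isinstance(rule.port, int) or not 1 <= rule.port <= 65535:
        findings.append("port must be a single specific port")
    if not rule.app.strip():
        findings.append("no application named for this path")
    return findings

def audit_ruleset(rules, inventory=INVENTORY):
    """Map each rejected rule to its findings; clean rules are omitted."""
    checked = ((r, audit_rule(r, inventory)) for r in rules)
    return {r: f for r, f in checked if f}

# Constructed proposals: two acceptable paths via the IDMZ, three rejects.
PROPOSED = [
    Rule("erp-reporting", "historian-mirror", "tcp", 443, "report viewer"),
    Rule("site-historian", "historian-mirror", "tcp", 5450, "data replication"),
    Rule("erp-reporting", "line1-pac", "tcp", 44818, "controller access"),
    Rule("erp-reporting", "historian-mirror", "tcp", "any", "report viewer"),
    Rule("vendor-laptop", "line1-pac", "tcp", 3389, "remote desktop"),
]

if __name__ == "__main__":
    for rule, findings in audit_ruleset(PROPOSED).items():
        print(f"{rule.src} -> {rule.dst}:", "; ".join(findings))
```
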

Step 3: Evaluate Access Needs
Security problems aren't always caused maliciously. In some cases, a well-meaning employee can inadvertently cause a problem simply by accessing the network and making unapproved changes. Therefore, it's a best practice to provide unique access for each individual user. By providing employees with customized logins with built-in permissions that prevent unnecessary access points, a manufacturer can more tightly secure its information on the network.

Historically, manufacturers have allowed operators and other employees total access to networks and device software with the idea that it's easier for anyone to operate the production line or review data on the system. For security reasons, that mentality is changing to ensure employees can view and make changes only when it's necessary to perform their specific job functions.

Step 4: Segment the Networks
In addition to segmenting the enterprise network from the IACS network, it's important to segment networks within the plant itself. With the growing use of EtherNet/IP, it's common for PACs, HMIs, I/Os and safety devices to utilize a single network technology. Segmenting the communication of these devices to discrete virtual networks prevents a catastrophic, plant-wide problem if one device or line goes down.

In addition, the segmentation of plant networks allows for faster troubleshooting to resolve issues in the event of a failure because the problem is isolated to a specific virtual network.

Step 5: Monitor and Maintain
Cyber security is constantly changing because hackers continue to find new ways to gain access. These changes can affect everything from a facility's physical security to the individual application layer.

Monitoring and maintenance are key to anticipating and addressing security problems before they happen. The best way to stay on top of the changing cyber-security environment is to involve IT staff in your control network management. IT professionals are already skilled at identifying and mitigating security risks for the enterprise network. With some additional training, they can help find and prevent threats to the IACS too. A system integrator with network and security experience can help train an internal IT professional or other resource to monitor IACS security.

When an internal resource is not available, a system integrator with network and security knowledge can provide support after the installation of a firewall to ensure that the security system stays current and effective.