Hacking the Industrial Network II

What are the latest threats to production and process management systems?

Editor’s Note: The original “Hacking the Industrial Network” (Part I) was first published by IndustryWeek in the Spring of 2009. This article, Part II, is the summary of what has happened since the original publication, and the outcome of predictions which first appeared in Part I.

Industry Recommendations

The existing SCADA vulnerabilities and some precautionary measures are well described in whitepapers by Idaho and Lawrence Livermore National Labs. A simple solution involves implementing layers of defense referred to as “defense in depth.”  

Leading commercial antivirus software can work well to create layers of protection in the front office of an organization, an area not adversely affected by the continuous updating of virus signatures needed to keep up with new virus variants created every few seconds. Some IT routers and switches can also provide Virtual Private Network (VPN) protection in clean, air-conditioned rooms within production areas. In harsh environments, however, with heat, dirt, moisture and vibration, standard telecommunications equipment fails rapidly. And at the lower echelons of production, the very basic PLCs and legacy industrial controls do not have the chip sets and processing capability to authenticate commands or identify malware. In a 24/7 production environment, it is risky to allow third-party software to constantly introduce updates that have not been vetted in isolation before being implemented, as these may produce other unintended consequences.

Idaho National Laboratory: Complete Defense in Depth

As identified in “Hacking the Industrial Network” (Part I), four years ago a handful of companies were listed as offering potential solutions applicable to the factory floor. Most of these have not updated their products or advanced technically and have not succeeded in significant market penetration. I consider only two of the listed products to be the most viable, as they offer the kind of security features that would be required. These are the Innominate mGuard® system, now also available from Phoenix Contact, and the Tofino device, now available from Hirschmann/Belden.

Let’s run down the checklist of desired security features quickly. The following table contains a summary. Other technical reasons for selecting security equipment for industrial applications are explained in greater detail in Part I.

List of Required Industrial Network Security Equipment Capabilities
