Dan McGrath, Industrial Automation Solutions Manager, Panduit. This article was originally published on industrial-ip.org.
Fort Knox didn’t become one of the most secure places in the world by hiding blocks of gold outside its walls. No, the fortress protects its assets behind four-foot-thick granite walls that can withstand a direct hit from an atomic bomb, leveraging 27-inch thick steel and concrete vaults and teams of armed guards to cover every corner of the building.
Many industrial operations, meanwhile, are struggling to find the right approach to protect their assets. While they aren’t securing gold bullion, oftentimes their data, processes, and industrial equipment are much more costly. Unfortunately, many opt for a technique referred to as “security through obscurity” – which mistakes subterfuge for security. Instead of designing protections into the system, these manufacturers rely on the system’s complexity to keep assets hidden and from getting into the wrong hands.
Here are three ways industrial operations can fortify their network architectures:
1. Choose open versus Proprietary
Many of the plants that embrace security through obscurity use proprietary networks – closed systems whose security relies entirely on the hardware and software the vendor initially supplied them with, or updates developed by that same vendor.
They effectively ignore the plethora of IT tools, security features and innovations coming from all other organizations. This prevents them from accessing any outside insights, which often cause their solutions to be a step behind the threats they are trying to thwart.
But there is a better way, one that allows them to leverage the best practices, tools and expertise of others outside their organization – open networks.
Unlike isolated proprietary networks, open networks embrace commercially available antivirus software, patches for known vulnerabilities, intrusion detection tools, and many other security provisions. Their architecture allows them to employ solutions from just about any vendor. Hardware and software can be purchased from third-party vendors who tailor their products to the latest batch of security threats. This creates an active, dynamic network – one that constantly evolves to stay ahead of threats. Plus, these open architectures based on the TCP/IP suite of protocols facilitate interoperability with corporate networks and applications.
2. Divide and Conquer
In these open networks, different areas of the plant should be split into their own separate VLANs based on functionality or location. These zones establish domains of trust for security access and smaller local area networks (LANs) to shape and manage network traffic. For example, establish an Automation DMZ between the Enterprise Zone and the Manufacturing Zone, which creates a barrier between the Industrial and Enterprise Zones that still allows data and services to be shared securely. All network traffic from either Enterprise or Manufacturing Zones terminates in the Automation DMZ.
This heightens efficiency, as employees only deal with applications that are relevant to their jobs instead of sifting through an entire network’s worth of data to find what they’re looking for. But perhaps more important are the implications this has on security.
For one, network segmentation limits accessibility. Workers in packaging can only access packaging-related applications. Accountants can only access enterprise-related applications. The two can’t mix, which means that an accountant can’t – accidentally or otherwise – affect the machines and processes in packaging or any other part of the plant floor.
This segmentation also provides the benefit of isolation. Since access is limited to one area, a security breach in one location can’t wreak havoc on others parts of the plant.
Like quarantine for smallpox and other diseases, VLAN segmentation prevents small, local problems from becoming plant-wide pandemics that can cause downtime and hurt your bottom line.
3. Get Physical
You can use the most advanced security software on the market, segment your network as a precisely as possible, but if you neglect the physical aspect of network security, you’ll never be fully protected.
While we often pay much attention to outside threats like hackers, internal threats are frequently ignored. But these threats are much more common, as numerous risks arise every day that are created within your plant.
An engineer plugging a flash drive into the system could unknowingly load a virus. A disgruntled (or sleepy) night-shift employee could unplug a few cables and cripple the system. A curious janitor could wander into a sterile room and contaminate it.
Physical protections can thwart these and other internal threats. USB Ports should be blocked like child-proof electrical outlets to prevent someone from installing a virus or removing intellectual property. Cables and cable ports should be locked and color-coded to prevent unwanted plugging and unplugging. Key cards and pass codes should be used to prevent unauthorized access to rooms and machines. Intrusion detection and prevention systems (IDS/IPS) and general networking equipment such as switches and routers -- configured with their security features enabled – are essential hardware elements.
Like the walls of Fort Knox, these physical barriers are a network’s first line of defense against threats, and they need to be taken as seriously as virtual protections to maximize security.
