An open network, segregated areas and physical protections will maximize security and provide a first line of defense against internal and external threats.
By Dan McGrath, Industrial Automation Solutions Manager, Panduit, on behalf of Industrial IP Advantage.
This article was originally published on www.industrial-ip.org.
Fort Knox didn't become one of the most secure places in the world by hiding blocks of gold outside its walls. No, the fortress protects its assets behind four-foot-thick granite walls that can withstand a direct hit from an atomic bomb, leveraging 27-in. thick steel and concrete vaults and teams of armed guards to cover every corner of the building.
Many industrial operations, meanwhile, are struggling to find the right approach to protect their assets. While they aren't securing gold bullion, oftentimes their data, processes and industrial equipment are much more valuable. Unfortunately, many opt for a technique referred to as “security through obscurity” — which mistakes subterfuge for security. Instead of designing protections into the system, these manufacturers rely on the system's complexity to keep assets hidden and prevent them from getting into the wrong hands.
Here are three ways industrial firms can fortify their network architectures:
Choose Open Versus Proprietary
Many of the plants that embrace security through obscurity use proprietary networks — closed systems with security that relies entirely on the hardware and software the vendor initially supplied, or updates developed by that same vendor.
These firms ignore the plethora of IT tools, security features and innovations coming from all other organizations. This cuts them off from outside insight, which often leaves their solutions a step behind the threats they're trying to thwart. However, there is a better way, one that allows them to leverage the best practices, tools and expertise of others outside their organization — open networks.
Unlike isolated proprietary networks, open networks embrace commercially available antivirus software, patches for known vulnerabilities, intrusion detection tools, and many other security provisions. Their architecture allows them to employ solutions from just about any vendor. Hardware and software can be purchased from third-party vendors who tailor their products to the latest batch of security threats. This creates an active, dynamic network — one that constantly evolves to stay ahead of threats. Plus, these open architectures based on the TCP/IP suite of protocols facilitate interoperability with corporate networks and applications.
Divide and Conquer
In these open networks, different areas of the plant should be split into their own separate VLANs based on functionality or location. These zones establish domains of trust for security access and smaller local area networks (LANs) to shape and manage network traffic. For example, establish an Automation DMZ between the Enterprise Zone and the Manufacturing Zone, which creates a barrier between the Industrial and Enterprise Zones that still allows data and services to be shared securely. All network traffic from either Enterprise or Manufacturing Zones terminates in the Automation DMZ.
This heightens efficiency, because employees only deal with applications relevant to their jobs instead of sifting through an entire network's worth of data to find what they need. Perhaps more important are the implications this has for security.
For one, network segmentation limits accessibility. Workers in packaging can only access packaging-related applications. Accountants can only access enterprise-related applications. The two can't mix, which means that an accountant can't — accidentally or otherwise — affect the machines and processes in packaging or any other part of the plant floor. This segmentation also provides the benefit of isolation. Since access is limited to one area, a security breach in one location can't wreak havoc on other parts of the plant.
Like quarantine for smallpox and other diseases, VLAN segmentation prevents small, local problems from becoming plant-wide pandemics that can cause downtime and hurt your bottom line.
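The zone model described above (Enterprise Zone, Automation DMZ, Manufacturing Zone, with every cross-zone flow terminating in the DMZ) can be turned into an audit check run over observed flow records. The following is an added illustration, not code from the article or from any vendor; the zone subnets, the permitted zone pairs and the sample flows are constructed assumptions.

```python
"""Audit observed flows against the Enterprise / Automation DMZ / Manufacturing model.
Added example; subnets, rules and flow records are constructed, not from the article."""
import ipaddress
from collections import namedtuple

# Constructed zone-to-subnet mapping (assumed for illustration).
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "manufacturing": ipaddress.ip_network("10.30.0.0/16"),
}

# Cross-zone traffic is permitted only when one end is the DMZ;
# Enterprise and Manufacturing never talk to each other directly.
ALLOWED_PAIRS = {
    ("enterprise", "dmz"), ("dmz", "enterprise"),
    ("manufacturing", "dmz"), ("dmz", "manufacturing"),
}

Flow = namedtuple("Flow", "src dst dport")

def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if unmapped."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def evaluate(flow):
    """Return (verdict, reason) for one observed flow."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (s, d):
        return "deny", "unmapped address in flow"
    if s == d:
        return "allow", f"intra-zone {s}"
    if (s, d) in ALLOWED_PAIRS:
        return "allow", f"{s} -> {d} terminates in DMZ"
    return "deny", f"direct {s} -> {d} bypasses Automation DMZ"

def audit(flows):
    """Return the flows that violate the zone model, each with its reason."""
    return [(f, evaluate(f)[1]) for f in flows if evaluate(f)[0] == "deny"]

# Constructed sample flows, as might be parsed from firewall or NetFlow logs.
SAMPLE_FLOWS = [
    Flow("10.10.5.20", "10.20.0.10", 443),    # enterprise host -> DMZ server
    Flow("10.20.0.10", "10.30.1.5", 44818),   # DMZ server -> controller
    Flow("10.10.5.20", "10.30.1.5", 44818),   # enterprise host straight to controller
    Flow("192.168.99.9", "10.30.1.5", 502),   # unmapped source -> controller
]

if __name__ == "__main__":
    for f, why in audit(SAMPLE_FLOWS):
        print(f"DENY {f.src} -> {f.dst}:{f.dport}: {why}")
```

Running the block reports the two flows that violate the model: the direct Enterprise-to-Manufacturing connection and the one from an address outside every defined zone.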
You can use the most advanced security software on the market and segment your network as precisely as possible, but if you neglect the physical aspect of network security, you'll never be fully protected.
While we often pay much attention to outside threats such as hackers, internal threats frequently are ignored. However, these threats are much more common, because numerous risks arise every day that are created within your plant. For example, an engineer plugging a flash drive into the system could unknowingly load a virus. A disgruntled or sleepy night-shift employee could unplug a few cables and cripple the system. A curious janitor could wander into a sterile room and contaminate it.
Physical protections can thwart these and other internal threats. USB ports should be blocked like child-proof electrical outlets to prevent someone from installing a virus or removing intellectual property. Cables and cable ports should be locked and color-coded to prevent unwanted plugging and unplugging. Key cards and pass codes should be used to prevent unauthorized access to rooms and machines. Intrusion detection and prevention systems (IDS/IPS) and general networking equipment such as switches and routers — configured with their security features enabled — are essential hardware elements.
Like the walls of Fort Knox, these physical barriers are a network's first line of defense against threats, and they need to be taken as seriously as virtual protections to maximize security.
For more on physical protections, see “4 Steps to Secure the Physical Layer.”
Based in Tinley Park, Illinois, Panduit is a Rockwell Automation Strategic Alliance Partner. The company provides solutions that help customers optimize the physical infrastructure through simplification, increased agility and operational efficiency. Panduit's Unified Physical Infrastructure℠ (UPI)-based solutions give enterprises the capabilities to connect, manage and automate communications, computing, power, control and security systems for a smarter, unified business foundation.