Tips to help protect industrial networks
OT/IT convergence introduces new attack surfaces in industrial control systems
As the Operational Technology (OT) and Information Technology (IT) convergence trend continues to gather speed, there are several attack surfaces emerging in industrial control systems. Although some of these are known vulnerabilities, there are also some that are unknown. Therefore, everyone from the C-Suite to the plant floor needs to join forces to enhance industrial cybersecurity from the edge to the cloud.
It has been noted that cybersecurity is like a puzzle composed of hundreds of different pieces that need to be individually identified, analyzed and understood. Moxa offers these practical tips to help organizations begin to put the pieces together.
Tip 1: Deploy Secure-by-design Networking Devices and Set Up Devices Securely
Typically, industrial operations include a variety of legacy devices that are increasingly vulnerable, as field networks are no longer always air gapped. In an ideal world, legacy equipment could be upgraded quickly with advanced solutions that have security features embedded into them. However, budget restraints and the requirement that industrial operations do not experience downtime frequently leads to a mixture of old and new equipment operating together. When this scenario arises, it’s important to have a security-hardened networking device to enable connectivity for legacy devices. In order to ensure that the devices use a secure-by-design methodology, it is advisable to check that the embedded security functions of any networking devices adhere to security standards such as those detailed in the IEC 62443 standard. After confirming this, devices can be set up securely. For instance, we recommend disabling any unused ports and services to minimize available entry points for intruders.
Tip 2: Divide Networks Into Multiple Segments
Once the network nodes are configured securely, the next step is to segment the networks following a zone and conduit policy. Dividing the connected networks into segments to enhance network security helps avoid the scenario where the entire network experiences downtime due to a single network node being compromised. It is recommended to have a secured network architecture design, such as network segmentation or a Demilitarized Zone (DMZ) to reduce the risk of threats emerging from the IT network.
However, it’s also important to choose the right solutions to divide industrial networks into segments. It is not sufficient to protect an OT environment by simply placing an IT firewall in front of the OT network. However, this advice is frequently ignored. An IT firewall does not have the capability to recognize industrial protocols that allows cyberattacks to take place at the supervisory or process level. It is a high-risk decision as it leaves the system open to vulnerabilities and intruders. Firewalls that are used as solutions in industrial control systems not only segment networks into separated network zones to achieve vertical protection, but should also include the deep packet inspection engine function to filter unauthorized packets without affecting performance of operations and providing horizontal protection.
Tip 3: Adopt a Secure Communication Solution for Your Critical Data and Assets
The purpose of OT/IT network convergence is to collect data and transform it into valuable information. One good option is to utilize cloud technologies that are convenient to use and have powerful data analysis capabilities to simplify network convergence. A topic that has grown in importance recently is how to secure data access from OT to IT and from field sites to the cloud. OPC Unified Architecture (UA) brings a huge amount of security principles along with it. This communication protocol not only features application authentication and user authentication, but also offers a security mechanism that meets the three pillars of security: confidentiality, integrity, and availability (CIA). When you are considering how to streamline communication from edge devices to cloud servers, OPC UA offers a reliable communication solution to ensure data integration is easy and secure.
However, when using cloud technologies, remote access poses a significant security concern. Increasingly, machine builders are leveraging cloud platforms to streamline machine maintenance. Before you are able to reap the benefits, make sure your remote access is secure by using features such as data encryption and a VPN, as this will help keep your critical assets secure.
Outsourced vendors, system integrators, and even remote service engineers are essential for daily operations, maintenance, and troubleshooting. They also play an important role to implement security policies. Any investment will become futile if these people lack cybersecurity awareness and do not know how to leverage these technologies. To avoid this undesirable scenario, it must be ensured that everyone involved in industrial processes have the same mindset and attitude to cybersecurity and only when this has been achieved will the results become apparent.
Tip 4: Enhance Industrial Cybersecurity Awareness From Management to Individual Levels
According to the security awareness pyramid, cybersecurity can be separated into different awareness stages. Commitment and support from management form the foundations, which is followed by security programs and policies being implemented during the awareness building process. Taking security policies as an example, it is fundamental to define who has Read and Write access based on the security configurations. However, when these policies are rolled out across an entire organization, it becomes a challenge to ensure everyone adheres to them properly. Facility managers often find implementing cybersecurity measures very cumbersome, and subsequently they do not ensure everyone follows the guidelines. Sometimes, they may end up doing things more akin to group level security, instead of ensuring each individual has their own unique log in credentials, and this subsequently opens up new cybersecurity risks.
Tip 5: Examine the Configurations and Settings to Follow the Security Policies
Once awareness has been established and policies have been defined, employees will pay more attention to their system settings. It can be a complex task to examine all the systems at one time. However, it is never too late to get started. Performing a risk assessment will help define security priorities. From this position it is easier to identify and protect critical assets. A good starting point is to examine configurations. If a large-scale network is being examined, it is recommended to leverage visualization software to check the security settings and adjust the configurations where necessary.
According to the Deloitte report “Cyber risk in advanced manufacturing,” four out of 10 manufacturers have experienced security incidents with 86% of these stating that their industrial operations were disrupted. Here is a quick summary of ideas to prevent your operation from becoming a cyber attack target.
It is highly recommended to begin with developing mindsets, formulating security policies, and systematically examining configurations.
· Once the groundwork has been performed, start to look at secure edge connectivity to protect the mixture of new and legacy systems.
· It is important to remember to secure the network backbone that helps deliver the data that is required to achieve OT/IT convergence.
· It is recommended to install industrial firewalls to consolidate vertical and horizontal protection.
· Last but not least, with the increasing demands on remote connections, a hassle-free secure remote access solution will save money and effort.
Moxa is a provider of edge connectivity, industrial computing and network infrastructure solutions for enabling connectivity for the Industrial Internet of Things.