Are you Using Dynamic Identification and Provisioning?
Smartphone or tablet users are accustomed to receiving a regular stream of update notifications on their devices. Most of us simply accept the updates without bothering to read the fine print.
But recent software application changes, such as new and faulty map applications, are driving technology users to examine their updates more closely before accepting them – and that can take time. Imagine the time you’d save if a setting on your phone could automatically accept certain types of updates while denying others.
That timesaving scenario is also playing out in the industrial plant environment thanks to dynamic identification, provisioning and authentication practices.
Advanced Persistent Threats (APTs) are a serious concern for plant managers. That’s especially true in the wake of recent high profile cyber attacks, where outsiders successfully infiltrated one part of a plant and used the weak entry point to embed malware aimed at other network points.
The Stuxnet APT is a prime example of the increasingly sophisticated attacks in the industrial sector. Today, cyber attackers can leverage many modalities and synchronize multiple components when infiltrating a network infrastructure – wreaking more havoc than ever.
How can plant managers ensure the security of their network against outside attacks without disrupting internal communications? After all, new devices must be accepted and information needs to travel from the manufacturing zone to the enterprise zone and back again.
We don’t want to accept all information and devices into the network, but we also don’t want to interrupt the manufacturing process to manually accept each device or allow all devices access to all control functions. The solution to this quandary is dynamic identification, provisioning and authentication on a network.
This proven enterprise approach to security protects the network’s weakest link while ensuring uninterrupted production on the plant floor.
It is critical to be able to identify all devices in the network so that the access can be controlled based on the type of device, the function it is assigned to play. It is important to identify devices so as to a minimum, prevent intruders from joining the network; but equally important, restrict the levels of access into the network. Access can then be controlled through network segmentation. By segmenting the network into virtual areas, we can understand how information travels throughout the network (within the plant and up/down to the enterprise). Not all devices or data traffic should be allowed entry into all network segments.
For example, an IT manager includes an Identity Management database that maintains all of the identities that have been configured for the Philadelphia plan; in addition, for each of the devices it also maintains the ISO code version. With this information, the devices must first identify and authenticate themselves into the network before they are allowed access. Furthermore, before access is granted, a further check to ensure they are running to a compliant ISO version is executed to further ensure that these devices are not infected with some vulnerability or malware.
Once all network segments are identified, we can automate the update process and network traffic within the plant, using dynamic provisioning. While most corporate offices rely on an IT team to configure software or new devices, dynamic provisioning is based on the premise that manufacturing plants don’t always have access to a dedicated IT team.
The corporate office can still dictate compliance and provisioning policy without directing the actual process. For example, if a programmable controller malfunctions and needs to be replaced, rather than enlisting the help of IT to specify network credentials, the manufacturing side can recognize the affected device and provision it appropriately with the right set of credentials and software.
Identifying the outsider
Dynamic identification and provisioning are great strategies to simplify day-to-day plant operations, but how do they aid in network security?
Today we use barcode technology to track each product to its specific source or device, as defined by policy. We can group these devices and policies into two categories: the allowed actions list and the disallowed actions list.
Here’s how it works. Let’s say Company A bought 10,000 Programmable Controllers and associated automation devices (PLC/PAC/DCS etc.) units for their Chicago plant, and those controllers have sequential addresses from 00 to C0. Those addresses are on the allowed actions list. If an outside hacker then purchases a controller and accesses the plant network through wireless connectivity, as he may sit in the parking lot and, with the right level of spoofing, pose as a controller and may try to gain access in the network.
A dynamically identified and provisioned network can identify that this new controller isn’t on the allowed actions list. The network can stop all communication with the controller and put it on the disallowed list. The intruder using an outside access point may persistently attempt entry into the network, but he won’t be successful while on the disallowed list. Furthermore, with the identification of the continued denied access can further lead to shutting down the access point being attacked.
Strong authentication on the network
We also need to ensure that all devices provisioned into the network maintain their integrity. Strong authentication in a network can provide better asset tracking visibility than allowed by proprietary networks, and layers of encryption can secure the network. The standardized network allows visibility into all parts of the manufacturing plant, while giving plant managers more precise control over assets and security.
Not only is it possible to maintain network security while running a highly productive plant – with dynamic network identification and provisioning, it has never been simpler.
To learn more about network security, sign up for the Industrial IP Advantage industrial network design training here.