Engineers and IT professionals can protect intellectual property and operational integrity by following these design and product-selection best practices.
A constant drumbeat is driving the connectivity of everything worth being connected into an ever-growing, interwoven fabric. With each new connection, cyber risk expands, and the available threat surface grows to affect not just the device but the system to which it connects.
The digital data moved within these complex systems may facilitate transactions that function as the financial lifeblood of an organization, or the data might prove elemental to the operation of critical processes, machinery or infrastructure that serve both the company and those dependent on it. For these reasons, cyber security is not optional, but rather is an essential tenet of every networked system.
Doing Your Part
Collaboration is the first step towards a secure future. If policies are impractical or too restrictive, operators might override them and the technical controls. Collaborating in the organization’s security policy development makes employees much more likely to abide by it.
A number of procedural and technological steps also must be completed to create a secure environment. A good security program is 20% technology, 80% process and procedure. These processes and procedures, along with a company’s employee policies, fall under the non-technical side of security.
By reviewing their security operating protocol, manufacturers can identify and prioritize vulnerabilities and develop a comprehensive strategy to help minimize risks. While the security solutions will vary based on the type, severity and impact of the vulnerabilities, asset owners should apply a “defense-in-depth” strategy.
The “Defense-in-Depth” Strategy
Protecting industrial assets requires a defense-in-depth security approach that addresses both internal and external security threats. A defense-in-depth security architecture is based on the idea that any one point of protection may, and probably will, be defeated. This approach applies multiple layers of defense (physical, electronic and procedural) at separate points, with controls chosen to address different types of risk.
For example, multiple layers of network security can protect networked assets, data and end points, just as multiple layers of physical security can protect high-value physical assets. This provides the following outcomes:
- System security is designed into the infrastructure and becomes a set of layers within the overall network security.
- Attackers face the difficult task of breaking through or bypassing each security layer without being detected.
- A weakness or flaw in one layer can be compensated for by the strengths, capabilities or additional variables introduced by other security layers.
Defense-in-depth security is a five-layer approach focusing on physical, network, computer, application and device security.
Physical Security covers guards, gates and other physical security mechanisms.
Network Security is the infrastructure framework, and it should be equipped with various hardware elements, such as firewalls, intrusion detection and prevention systems (IDS/IPS), and general networking equipment such as managed switches and routers configured with their security features enabled. Zones establish domains of trust for security access, and smaller local area networks (LANs) shape and manage network traffic.
Rockwell Automation recommends establishing an Industrial Demilitarized Zone (IDMZ), which is a barrier between the Industrial and Enterprise Zones that still allows data and services to be shared securely (see illustration). All network traffic from either the Enterprise or Industrial Zones terminates in the IDMZ.
Within this layer, asset owners should follow the “Principle of Least Route.” Stemming from the IT Principle of Least Privilege, this concept was designed by Rockwell Automation to guide customers in giving access only to the information and resources necessary for each operator’s specific job. This limits the paths into a security system, making it harder to penetrate.
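The two network-layer rules above (every flow between the Enterprise and Industrial Zones terminates in the IDMZ, and each rule grants only the path and service a job needs) can be checked mechanically against a firewall rule set. The following is an added example, not Rockwell Automation code or a vendor's rule syntax: the zone names, the Rule format and both sample policies are constructed assumptions.

```python
"""Checker for a zone-based firewall policy following the IDMZ model described
above. Added example, not Rockwell Automation code: the zone names, the Rule
format and the sample rule sets are constructed assumptions."""
from dataclasses import dataclass

ZONES = ("Enterprise", "IDMZ", "Industrial")


@dataclass(frozen=True)
class Rule:
    src: str      # zone name or "any"
    dst: str      # zone name or "any"
    proto: str    # "tcp", "udp" or "any"
    port: str     # destination port as a string, or "any"
    action: str   # "allow" or "deny"


def check_policy(rules):
    """Return a list of findings. An empty list means every allowed flow
    terminates in the IDMZ, each allow rule is narrowly scoped, and the
    policy ends with an explicit deny-all."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        # No flow may cross directly between Enterprise and Industrial:
        # one endpoint of every allowed flow must be the IDMZ.
        if "IDMZ" not in (r.src, r.dst):
            findings.append(
                f"rule {i}: {r.src}->{r.dst} bypasses the IDMZ; traffic must terminate there")
        # Principle of Least Route: allow only the specific path and service needed.
        if r.src == "any" or r.dst == "any":
            findings.append(f"rule {i}: wildcard zone violates least route")
        if r.proto == "any" or r.port == "any":
            findings.append(f"rule {i}: wildcard service ({r.proto}/{r.port}) violates least route")
    last = rules[-1] if rules else None
    if last is None or (last.src, last.dst, last.action) != ("any", "any", "deny"):
        findings.append("policy must end with an explicit any->any deny rule")
    return findings


# Constructed rule sets used to exercise the checker.
GOOD_POLICY = [
    Rule("Enterprise", "IDMZ", "tcp", "443", "allow"),   # enterprise clients reach the IDMZ broker
    Rule("IDMZ", "Industrial", "tcp", "443", "allow"),   # broker collects from the industrial zone
    Rule("any", "any", "any", "any", "deny"),
]

BAD_POLICY = [
    Rule("Enterprise", "Industrial", "tcp", "443", "allow"),  # skips the IDMZ
    Rule("IDMZ", "any", "any", "any", "allow"),               # wildcard destination and service
    Rule("any", "any", "any", "any", "deny"),
]

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, check_policy(policy) or "no findings")
```

The checker treats the IDMZ as the mandatory termination point by refusing any allow rule whose two endpoints are the Enterprise and Industrial Zones, and it flags wildcards because a rule that permits "any" service or "any" zone grants more routes than a single operator job requires.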
Computer security, the third layer, starts with hardening. Well-known (and published) software vulnerabilities are the number one way that intruders gain access to automation systems. Examples of computer hardening include the use of:
- Antivirus software.
- Application whitelisting.
- Host intrusion-detection systems (HIDS) and other endpoint security solutions.
- Removal of unused applications, protocols and services.
- Closing unnecessary ports.
Computers on the plant floor, such as a human-machine interface (HMI) or industrial computer, are susceptible to malware cyber risks including viruses and Trojans. Software patching practices can work in concert with these hardening techniques to help further address computer risks. Follow these guidelines to help reduce risk:
- Disable software automatic updating services on PCs.
- Inventory target computers for applications, and software versions and revisions.
- Subscribe to and monitor vendor patch qualification services for patch compatibility.
- Obtain product patches and software upgrades directly from the vendor.
- Pretest all patches on non-operational, non-mission-critical systems before applying them.
- Schedule the application of patches and upgrades and plan for contingencies.
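The patching guidelines above form a gate: a patch is scheduled only if it is on the vendor's qualification list for the installed version, was obtained from the vendor, has been pretested off the production system, and has a contingency plan. The following is an added example of that gate applied to an inventory; it is not Rockwell Automation code, and the host names, application names, patch identifiers, versions and field names are constructed assumptions.

```python
"""Patch-qualification gate implementing the guidelines above as checks. Added
example, not Rockwell Automation code: the inventory, patch identifiers, field
names and version numbers are constructed assumptions."""

# Constructed inventory: host -> {application: installed version}.
INVENTORY = {
    "hmi-01": {"HMIRuntime": "11.0"},
    "hmi-02": {"HMIRuntime": "10.2"},
    "eng-ws-01": {"HMIRuntime": "11.0", "EngineeringTool": "32.0"},
}

# Constructed vendor qualification list: patch -> what it applies to and where it came from.
QUALIFIED = {
    "HMIRuntime-11.0-SP1": {"app": "HMIRuntime", "applies_to": {"11.0"}, "source": "vendor"},
    "EngineeringTool-32.0-HF2": {"app": "EngineeringTool", "applies_to": {"32.0"},
                                 "source": "third-party mirror"},
}


def plan_patch(patch_id, inventory, qualified, pretested, has_contingency):
    """Return a plan dict. 'blockers' lists reasons the patch must not be scheduled yet;
    'eligible' lists hosts whose installed version the vendor has qualified the patch for;
    'not_qualified' lists hosts running the application at an unqualified version."""
    plan = {"eligible": [], "not_qualified": [], "blockers": []}
    meta = qualified.get(patch_id)
    if meta is None:
        plan["blockers"].append(f"{patch_id}: not on the vendor patch-qualification list")
        return plan
    if meta["source"] != "vendor":
        plan["blockers"].append(
            f"{patch_id}: obtained from '{meta['source']}', not directly from the vendor")
    if patch_id not in pretested:
        plan["blockers"].append(f"{patch_id}: not yet pretested on a non-operational system")
    if not has_contingency:
        plan["blockers"].append(f"{patch_id}: no rollback/contingency plan recorded")
    for host, apps in sorted(inventory.items()):
        version = apps.get(meta["app"])
        if version is None:
            continue  # application not installed on this host
        if version in meta["applies_to"]:
            plan["eligible"].append(host)
        else:
            plan["not_qualified"].append(
                f"{host}: {meta['app']} {version} is not a qualified version")
    return plan


def can_schedule(plan):
    """A patch goes on the maintenance schedule only when nothing blocks it
    and at least one host is eligible to receive it."""
    return not plan["blockers"] and bool(plan["eligible"])


if __name__ == "__main__":
    plan = plan_patch("HMIRuntime-11.0-SP1", INVENTORY, QUALIFIED,
                      pretested={"HMIRuntime-11.0-SP1"}, has_contingency=True)
    print(plan, "schedulable" if can_schedule(plan) else "blocked")
```

Hosts at an unqualified version are reported separately rather than blocking the whole patch, so the inventory step tells the maintenance planner which machines need an upgrade first and which can take the patch in the next scheduled window.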
Application security refers to building security into industrial control system (ICS) applications. This includes following best practices such as using role-based access control to apply the Principle of Least Privilege (or Least Use), locking down access to critical process functions and enforcing username/password logins. These more granular controls for ICS applications improve the overall security posture of an environment by reducing the number of variables in play. The result is a more stable, more secure system.
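The following added example shows what role-based, least-privilege control of ICS application functions looks like in code: access is denied by default, a login is required, roles are granted per plant area rather than globally, and every decision is recorded, with denied attempts on critical functions flagged for review. It is not FactoryTalk Security or any Rockwell Automation API; the roles, operations, areas and users are constructed assumptions.

```python
"""Deny-by-default, role-based authorization for ICS application functions,
scoped to the plant area a user is responsible for. Added example, not a
FactoryTalk Security or Rockwell Automation API: roles, operations, areas and
users are constructed assumptions."""
from collections import namedtuple

# Operations each role may perform; anything not listed is denied.
ROLE_PERMISSIONS = {
    "viewer": {"view_process"},
    "operator": {"view_process", "acknowledge_alarm", "change_setpoint"},
    "engineer": {"view_process", "acknowledge_alarm", "change_setpoint",
                 "download_program", "force_io"},
}

# Functions that alter controller logic or I/O state; denials here are worth alerting on.
CRITICAL_OPERATIONS = {"download_program", "force_io"}

Assignment = namedtuple("Assignment", "role area")

# Constructed user store: a user holds roles per area, never globally.
USERS = {
    "alice": {"authenticated": True, "assignments": [Assignment("operator", "line1")]},
    "bob": {"authenticated": True, "assignments": [Assignment("engineer", "line1"),
                                                   Assignment("viewer", "line2")]},
    "guest": {"authenticated": False, "assignments": [Assignment("viewer", "line1")]},
}


def authorize(user, operation, area, users=USERS, audit=None):
    """Return True only if the user is logged in and holds a role on the given
    area that grants the operation. Every decision is appended to the audit list."""
    record = users.get(user)
    granted, reason = False, "unknown user"
    if record is not None and not record["authenticated"]:
        reason = "username/password login required"
    elif record is not None:
        for a in record["assignments"]:
            if a.area == area and operation in ROLE_PERMISSIONS.get(a.role, set()):
                granted, reason = True, f"role {a.role} on {area}"
                break
        else:
            reason = "no role on this area grants the operation"
    if audit is not None:
        severity = "ALERT" if (not granted and operation in CRITICAL_OPERATIONS) else "INFO"
        audit.append((severity, user, operation, area, granted, reason))
    return granted


if __name__ == "__main__":
    log = []
    for who, op, where in (("alice", "change_setpoint", "line1"),
                           ("alice", "force_io", "line1"),
                           ("bob", "download_program", "line2")):
        print(who, op, where, "->", authorize(who, op, where, audit=log))
    for entry in log:
        print(entry)
```

Scoping roles to an area is what makes this least privilege rather than merely role-based: an engineer on one line is only a viewer on the next, so a compromised or misused account cannot reach critical functions beyond its owner's job.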
Device hardening involves changing the default out-of-the-box configuration of an embedded device to make it more secure. These embedded devices include, among others: programmable automation controllers (PACs), routers, managed switches, firewalls and other embedded devices. Their default security will differ based on the class and type of device, which in turn changes the amount of work required to harden a particular device.
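Both the computer-hardening list (unused applications and services removed, unnecessary ports closed, antivirus and HIDS present, automatic updating disabled) and the device-hardening paragraph above reduce to the same check: compare an asset's observed state with an approved baseline and report every deviation. The following added audit does that for a plant-floor HMI and a managed switch; it is not Rockwell Automation code, and every baseline entry, port number, service and setting name is a constructed assumption.

```python
"""Hardening audit that compares the observed state of a plant-floor computer
or an embedded device with an approved baseline. Added example serving both
the computer-hardening list and the device-hardening paragraph above; it is
not Rockwell Automation code, and every baseline entry, port, service and
setting name is a constructed assumption."""

# Constructed baselines. 'ports' and 'services' are allowlists; 'settings'
# are the values a hardened asset must show (a default left in place is a finding).
BASELINES = {
    "hmi": {
        "ports": {443},
        "services": {"hmi_runtime", "antivirus", "hids_agent"},
        "settings": {"auto_update": "disabled", "app_whitelisting": "enforced"},
    },
    "managed_switch": {
        "ports": {22, 443},
        "services": {"ssh", "https"},
        "settings": {"default_credentials": "changed", "unused_ports": "shutdown",
                     "mgmt_vlan_separate": "yes"},
    },
}


def audit(asset_class, observed, baselines=BASELINES):
    """Return findings for one asset; an empty list means it matches the baseline."""
    base = baselines[asset_class]
    findings = []
    for port in sorted(observed["ports"] - base["ports"]):
        findings.append(f"port {port} is listening but not in the baseline; close it")
    for svc in sorted(observed["services"] - base["services"]):
        findings.append(f"service '{svc}' is not required; remove or disable it")
    for svc in sorted(base["services"] - observed["services"]):
        findings.append(f"required protection '{svc}' is missing")
    for key, required in base["settings"].items():
        actual = observed["settings"].get(key, "<unset>")
        if actual != required:
            findings.append(f"setting {key}={actual}, baseline requires {required}")
    return findings


# Constructed observations: a freshly imaged HMI and an out-of-the-box switch.
OBSERVED = {
    "hmi-01": ("hmi", {
        "ports": {443, 21},
        "services": {"hmi_runtime", "antivirus", "ftp"},
        "settings": {"auto_update": "enabled", "app_whitelisting": "enforced"}}),
    "sw-01": ("managed_switch", {
        "ports": {22, 23, 80, 443},
        "services": {"ssh", "https", "telnet", "http"},
        "settings": {"default_credentials": "unchanged", "unused_ports": "shutdown"}}),
}


def audit_all(observed=OBSERVED, baselines=BASELINES):
    """Audit every observed asset against the baseline for its class."""
    return {name: audit(cls, state, baselines) for name, (cls, state) in observed.items()}


if __name__ == "__main__":
    for asset, findings in audit_all().items():
        print(asset, "OK" if not findings else "")
        for line in findings:
            print("  -", line)
```

A setting that the observation does not report at all is treated as unset and therefore as a finding, because an unreported default is indistinguishable from an unchanged one; the audit should fail closed rather than assume the device was hardened.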
Defense-in-Depth Strategy for Hardware
When it comes to selecting the right products and services, some asset owners ask their automation supplier if a product is compliant with a particular standard. While security standards are important, most apply to a system, not products. Products may, or may not, need to comply with individual standards requirements, but rarely with the entire specification.
It’s important to focus on the system and apply the defense-in-depth strategy to the products you select. This starts by enabling anti-tamper capabilities often built into products. This includes setting the controller key switch for physical security, using CPU locks to help prevent unauthorized access, leveraging read/write tags, and making sure the main controller Function Blocks aren’t user accessible. In some controllers, the definition of an Add-On Instruction (AOI) can also be locked down.
It’s also important to validate firmware authenticity through firmware digital signatures. Additional controls can include enabling infrastructure and application security features; leveraging Microsoft Active Directory; limiting computer access to software applications, networks, and the configuration and data in automation devices through proper firewall settings; and deploying intrusion detection and prevention. Layer 3 Access Control Lists (ACLs) and software solutions such as FactoryTalk® Security from Rockwell Automation can be used to control user access.
The stark reality in our contemporary digital, connected world is that there can be no absolute security. However, this by no means suggests the good guys can’t fight to win. Networks are designed by well-intentioned people with a goal of facilitating communications and protecting what needs to be protected. Although absolute security is not achievable, companies can utilize best practices and recommendations to actively manage security risks today and in the future.
For more practical security advice and information, download the Industrial Security Best Practices brochure or visit www.rockwellautomation.com/security.
Figure 1. Leverage a defense-in-depth security approach that creates a barrier between the Industrial and Enterprise Zones that still allows data and services to be shared securely.