Gregory WilcoxMost of us are now well aware of the major data breaches affecting some of the nation’s largest retailers and financial-services institutions. But these high-profile attacks are only part of the picture.
Hackers and malicious individuals are after more than credit-card numbers and bank-account information — they’re also targeting manufacturers and industrial operators.
For example, Havex is a malware that has specifically targeted industrial control systems in the energy sector and elsewhere. In 2014, security firm F-Secure located a number of Havex-infected systems, most of which were in Europe, and identified two victims as “German industrial application or machine producers” and one victim as a “French industrial machine producer.”
The U.S. Department of Homeland Security’s (DHS) Industrial Control Systems Cyber Emergency Response Team has also reported that another malware, known as BlackEnergy, has been found on Internet-connected human-machine interfaces at multiple companies. Security firm CyberX examined BlackEnergy 3, the malware’s third generation, and reported that it “found clues that the attackers might be leveraging the initial infection in order to perform data exfiltration from the inner parts of these networks.”
These industrial network breaches may not be making the evening news, but they certainly should serve as convincing evidence for organizations to make industrial security a top priority as they move toward a model of enterprise-wide connectivity and increased information sharing.
Security in the Connected Enterprise
Manufacturers and industrial organizations are increasingly embracing the convergence of their information technology (IT) and operations technology (OT) systems as they seek to achieve greater visibility into their operations, deploy mobile technologies and leverage remote access. Rockwell Automation calls this vision The Connected Enterprise.
Yet as networks are connected from the plant floor up to the enterprise, and as more entry points are created on the network, these networks must be secured. Industrial networks are open by default to help achieve both technology coexistence and device interoperability. As a result, organizations must secure them through both configuration and architecture design.
ISA, NIST and DHS/Idaho National Laboratory standards all recommend a structured infrastructure using an industrial demilitarized zone (IDMZ) to defend a network at its edges. An IDMZ creates a barrier between the industrial and enterprise zones, allowing users to share data and services while helping prevent traffic from directly traveling between the two zones.
Those same standards also recommend a hardened infrastructure using defense-in-depth (DiD) security, a holistic and multilayered approach that addresses external attacks and more common internal threats. DiD security requires protection at all levels, from hardening devices and securing ports to segmenting networks and implementing policies and procedures to verify only authorized users and traffic can access networks.
Layered Security
Securing the physical layer of a network involves limiting the physical access to authorized personnel. This includes using security measures such as locks, gates and biometrics to limit entrance to areas such as machines, skids and control rooms, and to limit access to control panels, devices and cabling.
Computer hardening can include patch management and Anti-X software. It’s recommended to remove any unused applications, protocols and services to minimize the number of things that need to be patched and managed. Additionally, close any unnecessary logical ports and protect physical ports, such as with lock-in/block-out devices or keyed connectors, to better control port access. And add procedural network security by requiring workers to log in to enable different ports, such as maintenance ports for monitoring and diagnostics.
Network security can be a challenge because many plants have seen their networks organically grow over time to the point where they are now large, flat networks that are difficult to defend. A solution is to segment the network into virtual local area networks (VLAN) to create smaller domains of trust and to simplify enforcement of access control policies and procedures.
For example, some software includes a “trusted slot” feature that enables communications by slot and limits the allowed communications. Access-control lists and a zone-based policy firewall also allow or block communications by type, whether it is Web traffic, CIP data or pings. A good rule of thumb is to block most communications and permit a few by exception (communications not specifically permitted will be blocked). Specific users, sources, destinations and protocols also can be allowed or blocked.
The specific policies adopted and security mechanisms deployed will vary from organization to organization. But there are some guiding principles that every organization should follow:
- Establish a dialogue and promote collaboration between IT and OT groups
- Align efforts with industrial automation and control system (IACS) security standards
- Follow ISA, NIST and DHS standards, and use validated reference models and architectures available from applicable industries
- Establish an industrial security policy, unique from and in addition to an enterprise security policy
- Work with trusted partners that are knowledgeable in industrial automation and security
Security Resources
Cisco and Rockwell Automation have jointly developed Converged Plantwide Ethernet (CPwE) reference architectures to provide education, design guidance, recommendations and best practices for organizations seeking to converge their industrial and enterprise networks. The tested and validated architectures address key issues and challenges for both IT and OT professionals.
Training resources can also go a long way, especially as IT and OT roles increasingly blend together in The Connected Enterprise, and as the need for new skills emerge. In tomorrow’s plants, control engineers may take on the added responsibility of network manager, while IT personnel will require a deeper understanding of networked industrial systems and associated security risks.
Look for industrial training to help address these issues and gives IT and OT professionals the skills and knowledge they need to prepare for the INS and CCNA industrial certification.
Much remains to be determined in The Connected Enterprise, as we are only beginning to realize its transformative potential. But those that leverage the resources that are available to them today — including industry standards, validated CPwE reference architectures and blended IT/OT training solutions — will have a competitive advantage in harnessing the power of their information while keeping their networks secure.
Gregory Wilcox, global business development manager for networks at Rockwell Automation.
