Interested in linking to "Ten steps to secure control systems"?
You may use the Headline, Deck, Byline and URL of this article on your Web site. To link to this article, select and copy the HTML code below and paste it on your own Web site.
Additionally, a method of auditing for compliance needs to exist. The methodology should not just rely on examining records in the change management system, but also should detect changes in the environment and ensure that the change management process was used to effect the change.
Typically, a robust change management process/software system will:
In order to function securely, the infrastructure devices used to accomplish the functions of the control system must be isolated from outside negative influences. A negative influence can be anything from an engineer requesting a massive amount of data to the high volume of traffic generated by a hacker’s worm or virus.
To accomplish this isolation, all of the machines associated with the primary function of the control system must be grouped together on a common network and protected from other networks. Before this can be done, the perimeter of the control system environment must be clearly defined and all connections to the outside documented. The appropriate method of securing these connections must be identified and implemented. For Internet Protocol (IP) connections, this requires a firewall.
Firewalls are built to regulate connections between machines inside the firewall and machines outside the firewall. Firewall rules can be written to allow any traffic or to restrict traffic to only specific devices and applications. In order to help secure the control system environment the firewall should be configured to reject all connection requests either inbound or outbound. Then, as functionality is added to the control system environment, new rules can specifically allow the connections required by that functionality. In general, connection requests from the outside should never be allowed.
Implementation of a firewall between the corporate and control systems telecom network will also allow a Demilitarized Zone (DMZ) to be established between the two. This DMZ can then be used for placement of database and application servers that can bridge the two networks in a secure architecture. This will be explored further when we discuss remote access.
Getting data in and out
The types of systems that need to get data to and from the control system environment will vary depending on the application. To remain secure, applications within the control system environment should push data needed by applications external to the control system environment out to those external applications. Also, when external data is needed within the control system environment, applications within the secured environment should pull the data in.
Again, when data residing on the control systems environment is needed by employees or applications on the outside, the data should be pushed to a data repository on the outside. The employees and applications that need the data then should query the outside data repository, not the control system environment.
This discussion will be limited to 802.11 type WIFI implementations. It will be assumed that you want to encrypt and secure these types of connections. Specific technologies discussed will be WEP, WPA and WPA2/802.11i encryption.
WEP offers very little protection and should not be used in a business environment. It takes only about an hour or two for a high school hacker to collect enough information to break the encryption key and connect to your network.
WPA is a good alternative for installed bases of 802.11 that have only WEP as an option because the technology is available with only a firmware upgrade. Besides good encryption device authentication is available, but the technology is susceptible to Denial of Service attacks. Just a few packets sent with the wrong encryption key can cause the device to reboot. This was intended as a precaution against hack attempts, but in a control environment the results are damaging.
ControlGlobal.com is exclusively dedicated to the global process automation market. We report on developing industry trends, illustrate successful industry applications, and update the basic skills and knowledge base that provide the profession's foundation.