At the next level up, initial switch access can be restricted by passwords or assigned IP addresses. More security is possible by enabling 128-bit encryption between switches. Virtual private networks (VPNs) and tunnels can be used between switches or devices at this level. Also, users can manage switches via the Simple Network Management Protocol (SNMP), and shut down communications between managed switches and the network interface. Finally, the last security level regulates network access via virtual local area networks (VLANs), which isolate traffic and allow access only to certain parts of a network.
In addition, with help from their IT colleagues, control engineers can also turn on IPsec, the security protocol suite for TCP/IP networks. Clark says it’s been available for years, but has been mostly unused. IT staffers can also help create VPN tunnels to smart devices and PLCs.
Layers, Tools, and Training
Though there are many different network security methods, most are built around a few basic principles. Perhaps the most significant of these is adopting a network segregation strategy. While suppliers might refer to it as adding layers, rings, or shells, it involves taking the devices responsible for controlling a process and parking them behind a second or third firewall, router, or other barrier device, so users can better determine what outside information can reach them (see Figure 2 below).
FIGURE 2: THE SECURITY ONION
Concentric rings or layers of defense make it harder for intruders to penetrate industrial networks.
“This is basically a single point where all the communication paths are controlled, so rules can be imposed about what goes across,” says Tom Good, project engineer at DuPont’s Engineering Group. “You just have to look at all the points of entry, and if you have a firewall at that access point, then you can say there are no dial-in modems or wireless connections allowed beyond it. However, you also have to be careful. Users always are looking for a definitive, prescriptive solution, but they really need to determine security practices that fit the risks and their tolerance policy for their particular process control system. For example, if you’re making some kind of hazardous product, then your security needs will be much different than if you were making distilled water.”
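One way to turn the segregation strategy described above (a single controlled crossing point per ring, explicit rules about what goes across, access only to the devices a user needs) into a checkable policy, as an added example that is not code from the article, DuPont, or any vendor: a default-deny evaluator over concentric rings in which a flow may cross at most one barrier inward and only on an explicitly listed protocol and port. Ring names, the allow-list, and the sample flows are constructed for illustration.

```python
"""Toy zone policy for a layered ("onion") control network: default deny."""
from dataclasses import dataclass

# Rings from outermost to innermost; a firewall/router sits between each pair.
# These names are an assumption for the example, not a standard.
RINGS = ["enterprise", "dmz", "control", "device"]


@dataclass(frozen=True)
class Flow:
    src: str    # ring the connection is initiated from
    dst: str    # ring the connection is aimed at
    proto: str  # "tcp" or "udp"
    port: int   # destination port


# Constructed allow-list: enterprise users reach only a DMZ historian over
# HTTPS; the historian alone polls PLCs in the control ring over Modbus/TCP.
ALLOW = {
    Flow("enterprise", "dmz", "tcp", 443),
    Flow("dmz", "control", "tcp", 502),
    Flow("control", "device", "tcp", 502),
}


def crosses_at_most_one_ring_inward(flow: Flow) -> bool:
    """True if the flow stays in its ring or moves exactly one ring inward."""
    return RINGS.index(flow.dst) - RINGS.index(flow.src) in (0, 1)


def decide(flow: Flow) -> str:
    """Default deny: only a listed flow that skips no ring is allowed."""
    if flow.src not in RINGS or flow.dst not in RINGS:
        return "deny"  # an unknown zone (dial-in, rogue wireless) is never trusted
    if flow.src == flow.dst:
        return "allow"  # same ring, no barrier device in the path
    if not crosses_at_most_one_ring_inward(flow):
        return "deny"  # e.g. enterprise -> control bypasses the DMZ barrier
    return "allow" if flow in ALLOW else "deny"


def lint_rules(rules):
    """Return allow-list entries that would let traffic skip a ring."""
    return [r for r in rules if not crosses_at_most_one_ring_inward(r)]


if __name__ == "__main__":
    for f in [Flow("enterprise", "control", "tcp", 502), Flow("dmz", "control", "tcp", 23)]:
        print(f, "->", decide(f))
```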
While many security measures are implemented via software, hardware solutions are increasing as well. These can include mechanical locks, dedicated cables and connectors, and even inexpensive biometric devices.
Good adds, however, that it’s still most important to train users in safe computing practices, such as making sure that any laptop PCs used outside a facility follow the same security procedures as those used inside it. “Our DCSs have dedicated engineering stations on our process control network, and they usually never connect to our general-purpose LAN,” says Good. “Even wireless can be nearly as secure as hardwiring. Again, you need a positive authentication of who’s connecting, and you should only allow them access to the devices they need to do their job.”
Despite all the initial confusion, Teumim says he’s optimistic about the future of network security. “People worry that we’ve got 40 committees that haven’t agreed on a standard yet,” he says. “However, what’s happening now is a lot better than having no network security committees and no one caring. We may have too many cooks now, but it’s better than having no cooks, no pot, and no soup.”
To help their clients, members, and constituents, many government departments and trade associations have been simultaneously developing guidance and standards for improving network security. Several industry observers say there are presently about 40 government, trade, and corporate organizations developing network security standards, and that 38 of these groups had been unaware of similar projects by the others. Many of them are now trying to coordinate and consolidate their standards work.
Perhaps the largest standards effort is being carried out by the U.S. Dept. of Homeland Security and the National Institute of Standards and Technology with help from Idaho National Laboratories and Sandia National Laboratories, which jointly offer the National SCADA Test Bed to check products for vulnerabilities.
DHS and NIST also have established the Process Control Systems Forum and the Process Control Security Requirements Forum (PCSRF) to gather input on security needs and best practices, which could be included in future security standards.
Other guidelines and standards are being drafted by ISA’s SP99 committee, the North American Electric Reliability Council, the SANS Institute, and the Chemical Sector Cyber Security Program.
DHS and NIST also are affiliated with the U.S. Computer Emergency Readiness Team and its Control System Security Program (CSSP), which lists control systems incidents, and helps users work with suppliers to resolve disputes involving control system vulnerabilities.
To help all the standards efforts join forces, NIST is compiling all available network security guidelines from the 40 bodies, and reportedly plans to publish them as its 800-53 draft standard in 2007. This coordination is expected to help these organizations decide the security needs they have in common and the methods they can share, and also which aspects of security might be unique to their users and organizations.
For example, NERC’s newly adopted Critical Infrastructure Protection (CIP) standards, CIP-002-1 to 009-1, reportedly can be adopted, altered if needed, and adhered to by users in applications outside NERC’s jurisdiction because they both use computer systems and software in the same way. These commonalities are expected to direct efforts on creating a unified set of network security standards. NERC’s standards cover critical cyber asset identification, security management controls, personnel and training, electronic security perimeters, physical security of critical cyber assets, system security management, incident reporting and response planning, and recovery plans for critical cyber assets.