“We’re able to do this because we have a good working relationship and a common vision with out IT department, “ says Hardison. “Our IT people participate on the plant-floor, learn about our controls, and even go to control conferences. Meanwhile, they’ve educated us about Ethernet, switches, routers, and firewalls. We usually meet twice each month to talk about security and how to marry different plant and business-level applications. If we had an adversarial relationship with IT, we’d never have been able to do what we’ve done.”
Integrated Security Must-Haves
Primary methods for ensuring effective integrated network security should include:
- Implementing well-tested and maintained firewalls.
- Deploying Microsoft Windows security patches as soon as they’re available, but also checking that they won’t have adverse effects.
- Installing up-to-date anti-virus software.
- Making sure Windows PCs are configured with high-security models, and locking down PCs when not in use.
- Settling on security policies and training staff to practice them, such as not bringing in software programs from outside the facility on ripstops or datasticks, and then running them on internal PCs.
Source: Honeywell Process Solutions
Network Security in Multiple Zones and Sub-Zones
In its “Process Control Network—Reference Architecture” whitepaper, Invensys Process Systems recommends segmenting process control networks into four major security zones, including Internet, data center, plant network, and control network, as well as several supplementary sub-zones as needed. Each zone is separated by a firewall. Secure network design dictates that the perimeter firewall comes from a different manufacturer to provide maximum resistance to penetration. This one firewall might be a pair of high availability units in a fail-over mode. For networks that require real-time or near real-time communications to the process control network, it’s recommended that at a minimum this device be a high-availability or redundant unit.
The network is divided into the following major zones and sub-zones:
Field I/O—Communications in this zone typically are direct hardwired communications between the I/O devices and their controllers. Security is accomplished by physical security means.
Controls Network—This zone has the highest level of security and carries process control device communications. Traffic on this network segment must be limited to only the process control network traffic as it is very sensitive to the volume of traffic and protocols used.
Plant Network—Carries general business network traffic such as messaging, ERP, file and print sharing, and Internet browsing, etc. This zone might span multiple locations across a wide area network. Traffic from this zone may not directly access the Control Network Zone.
Data Center—This could be one or multiple zones that exist at the corporate data center.
Internet—This zone consists of the unprotected public Internet.
Sub-Zones—Added sub-zones may be implemented to provide an extra level of control. These commonly are implemented as DMZs on the firewall. Typical uses of these sub-zones are:
- Data Acquisition and Interface—This sub-zone marks the interface for all communications in or out of the process control network. It contains servers or workstations that gather data from the controls network devices, and makes it available to the plant network.
- Service and Support—This sub-zone is used by support agencies when servicing the controls network. This connection point should be treated no differently than any other connections to the outside world, using strong authentication, encryption or secure VPN access. Modems used should incorporate encryption and dial-back capability. Devices introduced to the network should be using updated anti-virus software. It’s also common for the perimeter firewall to have several DMZs defined.