By Dan Hebert, Senior Technical Editor
Process plants have been connecting automation systems to enterprise-level computing systems for years now, but cybersecurity for these connections and their associated networks has often been haphazard at best. Divided responsibilities between automation professionals and IT are one issue. IT security is often focused on quick recovery from service interruptions, while the priority of process automation system security is avoiding any interruption to operations.
IT professionals want to automatically install security patches as they become available, but installing these patches on automation systems without first performing thorough testing can result in system crashes and costly downtime.
Another roadblock has been a lack of return on investment (ROI) for security. Security doesn't save money or improve performance, and it's virtually impossible to quantify the costs of a security breach. Even though there's no quantifiable ROI for security, it has become a cost of doing business due to the need to comply with regulations and, more importantly, for prevention of cyber attacks.
There are many aspects to designing and maintaining a secure system. This article will focus on cybersecurity of network hardware, such as switches and routers.
Process plants have been using Ethernet-based networks for years. These use a number of management devices, including managed and unmanaged switches, routers and other related components. Many of these devices are installed and working well, but don't have the needed security features.
Unlike their older counterparts, modern managed switches can provide access security via a number of features. "A managed switch can be configured to turn off all unused ports and activate an alarm when any device is plugged into an unused port," says Bill Wotruba, the director of networking and connectivity products at Belden (www.belden.com).
"For security control of active ports, an access control list can be created and stored in the switch, controlling access based on either a MAC or an IP address. If access is attempted via an active port by a device not on the access control list, then an alarm can be activated," adds Wotruba.
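The two switch controls just described (shut down unused ports and alarm on any link-up; keep an access control list on active ports, keyed on MAC or IP, and alarm on a device that is not on it) can be modeled as a small policy evaluator. The following is an added example written for this article, not Belden's or any other vendor's switch firmware; port names, the PLC/HMI addresses and the link events are constructed sample data.

```python
"""Model of managed-switch port access controls: disabled (unused) ports alarm
on any link-up, active ports enforce an ACL keyed on MAC or IP and alarm on a
device that is not listed.  Added example; not vendor code.  All port names,
addresses and events below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class PortPolicy:
    enabled: bool                                # False = administratively shut down
    acl_key: str = "mac"                         # "mac" or "ip": identifier the ACL matches on
    acl: Set[str] = field(default_factory=set)   # permitted identifiers for this port


@dataclass
class LinkEvent:
    port: str
    mac: str
    ip: Optional[str] = None                     # may be absent until the device addresses itself


@dataclass
class Alarm:
    port: str
    reason: str                                  # UNKNOWN_PORT, DISABLED_PORT or ACL_VIOLATION
    detail: str


def normalize_mac(mac: str) -> str:
    """Accept 00-11-22-33-44-55, 0011.2233.4455 or 00:11:... and return one canonical form."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def evaluate(policies: Dict[str, PortPolicy], event: LinkEvent) -> Optional[Alarm]:
    """Return an Alarm for a link event that violates the port's policy, else None."""
    policy = policies.get(event.port)
    if policy is None:
        return Alarm(event.port, "UNKNOWN_PORT", f"{event.mac} linked up on a port with no policy")
    if not policy.enabled:
        # Any device on a port that should be shut down is itself the alarm condition.
        return Alarm(event.port, "DISABLED_PORT", f"{event.mac} linked up on a disabled port")
    if policy.acl_key == "mac":
        ident = normalize_mac(event.mac)
        allowed = {normalize_mac(m) for m in policy.acl}
    elif policy.acl_key == "ip":
        if event.ip is None:
            return Alarm(event.port, "ACL_VIOLATION", f"{event.mac} presented no IP on an IP-filtered port")
        ident, allowed = event.ip, policy.acl
    else:
        raise ValueError(f"unknown ACL key {policy.acl_key!r} on port {event.port}")
    if ident not in allowed:
        return Alarm(event.port, "ACL_VIOLATION", f"{ident} is not on the access control list")
    return None


def audit(policies: Dict[str, PortPolicy], events: List[LinkEvent]) -> List[Alarm]:
    """Evaluate a sequence of link events and collect the alarms they raise."""
    return [a for a in (evaluate(policies, e) for e in events) if a is not None]


def sample_policies() -> Dict[str, PortPolicy]:
    # Constructed: one PLC port (MAC ACL), one HMI port (IP ACL), one spare port shut down.
    return {
        "1/1": PortPolicy(enabled=True, acl_key="mac", acl={"00-11-22-33-44-55"}),
        "1/2": PortPolicy(enabled=True, acl_key="ip", acl={"192.168.10.20"}),
        "1/3": PortPolicy(enabled=False),
    }


def sample_events() -> List[LinkEvent]:
    # Constructed link-up events as a switch might report them.
    return [
        LinkEvent("1/1", "00:11:22:33:44:55"),                    # the permitted PLC
        LinkEvent("1/1", "de:ad:be:ef:00:01"),                    # unlisted device on an active port
        LinkEvent("1/2", "00:11:22:33:44:66", "192.168.10.20"),   # the permitted HMI
        LinkEvent("1/3", "de:ad:be:ef:00:02"),                    # something plugged into the spare port
    ]


if __name__ == "__main__":
    for alarm in audit(sample_policies(), sample_events()):
        print(f"{alarm.reason:14} port {alarm.port}: {alarm.detail}")
```

Running the sample raises two alarms: an ACL violation on port 1/1 and a link-up on the disabled port 1/3. The MAC normalization matters in practice because switch logs, asset inventories and ACL entries rarely agree on one address format, and a list that is compared byte-for-byte will silently miss matches.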
The path to a more secure system can take two main routes. You can upgrade network devices to newer versions that possess the needed security features, or you can keep existing devices and add security appliances throughout the network.
In many cases, the second approach will be cheaper and less disruptive. "Security appliances are installed between existing communication channels and outside networks. One security appliance can protect a number of communication-enabled components," explains Wotruba. "Installing a few security appliances instead of replacing or upgrading a large number of devices can save time and money. It can also greatly simplify operations and maintenance because personnel only need to become familiar with a few security appliances, as opposed to a host of new or modified components."
"A security appliance can provide zones of security for components with common safety requirements. It combines modern switch technology with cybersecurity software to provide reliable security and firewall protection," says Wotruba.
Small, self-contained networks with just a few switches and other devices may benefit from upgrades rather than security appliances. Poorly performing older networks may require upgrades to switches and other devices to improve performance, and these upgraded devices can be purchased with required security features.
However, for larger, well-performing older networks with non-secure devices, adding relatively few strategically placed security appliances can be the best way to secure the system against cyber attack.