As IT and operational technology (OT) increasingly converge to support visibility, mobility, remote access and more, industrial automation systems must be hardened to limit the consequences of security threats from both inside and outside the organization. Industrial networks—the data highways bringing information into, out of and often throughout the automation systems—are the key place to make your defense. Plants need to harden devices, secure ports, segment networks and put in place policies and firewalls to ensure those networks carry only authorized communications.
"Security is important because of the control and information convergence of The Connected Enterprise," said Gregory Wilcox, global business development manager, networks, Rockwell Automation, in his presentation and demonstration with Rick Antholine, commercial project engineer, Rockwell Automation, at Rockwell Automation TechED in San Diego. "The people, processes and data of the Internet of Everything require a scalable, robust, secure, future-ready infrastructure."
Technology is readily available to provide a holistic, multi-layered defense in depth (DiD) for industrial networking. Wilcox explained how it's done, where to get knowledge and training, and how to get started. Antholine walked the audience through eye-opening examples on a demo system of controllers and network hardware. It looks complex, but no more so than configuring a control system. The demo was done using RSLinx Classic, Rockwell Software Studio 5000, Stratix Device Manager, Stratix Command-Line Interface and Stratix Configurator, along with free applications Wireshark and NetFlow, but the configurations can be done with a variety of packages. Wireshark is a free network protocol analyzer, and NetFlow (developed by Cisco) with a SolarWinds client allows you to look at every communication broken down by server, client or protocol.
An overview of ISA, NIST and Department of Homeland Security (DHS)/Idaho National Laboratory standards shows that they all call for DiD and Industrial Demilitarized Zone (IDMZ) protections. DiD addresses both external attacks and the far more common internal threats. IDMZ is about protecting the edges of the network.
"By default, networks are open for good reasons," says Wilcox. "We must secure them by architecture and configuration."
The basic security layer is physical. Limit physical access to cells, areas, panels and cabling with security measures such as locks, keys, gates and biometrics. "Next, harden the computers with patch management, anti-x software and removal of unused apps, protocols and services. That leaves fewer things to patch and manage," said Wilcox. "Close unnecessary logical ports and protect physical ports. And remember Stuxnet—you don't want people using server USB ports to charge their smart phones." Companies should also use keyed cables to control access to ports and add procedural network security by requiring log-in to enable ports, such as maintenance ports for monitoring, diagnostics and other activities.
In many plants, networks have grown organically over time. "The result is large, flat networks that are hard to defend," said Wilcox.
Antholine's demo showed how to segment a flat network into virtual LANs with limited functionality and access, and to provide overall access only for those who need it. The demo broke a large network down into separate VLANs for groups of programmable automation controllers (PACs), I/O and servers. In Logix Designer, "you can use the 'trusted slot' feature to enable communications by slot, and limit the allowed communications," Antholine said. "Using access control lists and a zone-based policy firewall you can allow or prohibit communications by type—ping, Web traffic, SNMP, and CIP. If you don't specifically permit it, it will be blocked." Managers can allow or disallow specific users, sources, destinations and protocols.
"Deny most communications and permit a few by exception," he said.
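The permit-by-exception model described above, as an added example that is not taken from the Rockwell demo: a Python check that replays observed flow records against a proposed inter-VLAN allowlist, showing what the implicit deny would block before the policy is enforced. The subnets, rules and flow records are constructed assumptions; the port numbers are the standard ones for EtherNet/IP CIP (TCP 44818, UDP 2222) and SNMP (UDP 161).

```python
import ipaddress
from collections import Counter
# Constructed VLAN plan (assumption): one subnet per zone, mirroring the PAC / I/O / server split.
ZONES = {
    "PAC": ipaddress.ip_network("10.10.10.0/24"),
    "IO": ipaddress.ip_network("10.10.20.0/24"),
    "SERVER": ipaddress.ip_network("10.10.30.0/24"),
}

# Permit-by-exception rules: (source zone, destination zone, protocol, destination port or None).
# Rules describe the initiator's direction; return traffic is assumed to be handled statefully.
PERMITS = [
    ("PAC", "IO", "udp", 2222),        # CIP implicit (I/O) messaging
    ("PAC", "IO", "tcp", 44818),       # CIP explicit messaging
    ("SERVER", "PAC", "tcp", 44818),   # HMI / engineering access to controllers
    ("SERVER", "PAC", "udp", 161),     # SNMP polling
    ("SERVER", "PAC", "icmp", None),   # ping
]

def zone_of(addr):
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), "UNKNOWN")

def evaluate(src, dst, proto, dport=None):
    """Return 'permit' or 'deny'; anything not explicitly permitted is denied."""
    s, d = zone_of(src), zone_of(dst)
    if s == d and s != "UNKNOWN":
        return "permit"  # same VLAN: switched locally, never crosses the zone policy
    for p_src, p_dst, p_proto, p_port in PERMITS:
        if (s, d, proto) == (p_src, p_dst, p_proto) and p_port in (None, dport):
            return "permit"
    return "deny"

def audit(flows):
    """Count the flows the policy would block, keyed by zone pair and service."""
    return Counter((zone_of(s), zone_of(d), p, port)
                   for s, d, p, port in flows if evaluate(s, d, p, port) == "deny")

# Constructed flow records (initiator, responder, protocol, destination port).
SAMPLE_FLOWS = [
    ("10.10.10.5", "10.10.20.11", "udp", 2222),    # PAC to I/O, permitted
    ("10.10.30.8", "10.10.10.5", "icmp", None),    # server pings a PAC, permitted
    ("10.10.30.8", "10.10.20.11", "tcp", 80),      # server to I/O web page, no rule
    ("10.10.20.11", "10.10.30.8", "tcp", 445),     # I/O VLAN host to a file share, no rule
    ("192.168.1.50", "10.10.10.5", "tcp", 44818),  # source outside every defined VLAN
]

if __name__ == "__main__":
    print(dict(audit(SAMPLE_FLOWS)))
```

Running the audit against a baseline capture before enforcement separates legitimate flows that still need a rule from traffic that should never have crossed zones.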
With a little time and training, any control engineer can learn enough to become an effective network manager. Training available through Cisco can prepare engineers for Cisco Certified Network Associate credentials in areas including security. But network security is also an IT issue. "Know where your responsibilities end and theirs begin and work together," said Wilcox.
Above all, it's important to get started. "Good enough security now is better than perfect security never," said Wilcox, quoting Tim West at Data General. Though no two plants are the same, they should all follow the essential steps:
- Have a good, cross-functional group develop your security policies and procedures.
- Raise awareness and educate the people inside your plant and, where applicable, your customers and partners.
- Take a holistic approach: software plus hardware plus procedures.
- Reference ISA, NIST and DHS standards, reference models and architectures.
- Work with trusted partners who are knowledgeable in industrial automation and security.
Rockwell Automation takes security very seriously, and an extensive array of vendor-neutral resources may be found in the Security section of the Rockwell Automation web site.