ISA shows how to segment networks for security

ISA president Scott Reynolds recommends disallowing Active Directory trust between corporate and plant networks, micro-segmenting networks, and establishing zero trust
Jan. 5, 2026

Key Highlights

  • Network segmentation and micro-segmentation are crucial to prevent vulnerabilities between corporate and industrial networks.
  • Adopting modern communication protocols like OPC UA enhances security by enabling better authorization and attack prevention.

If it seems like every cybersecurity story endlessly repeats the same basic advice, it’s no accident. Many experts hammer home recommendations again and again—reset default passwords, segment networks with firewalls, and monitor data traffic for anomalies—because so many users and their organizations still don’t follow them.

“It’s surprising, but we still see users putting their industrial network environments on their corporate networks and active directories,” says Scott Reynolds, president of the International Society of Automation and senior security and network engineering manager at Johns Manville. “Network segmentation and updated patching policies are still needed, but whenever cybersecurity audits are done now, they’re all about addressing active directories, which are mainly concerned with identifying people and what they can access in Windows systems. However, if you’re allowing your corporate and industrial networks to trust each other by default, then you’re in trouble due to the holes that may be created.”

Reynolds reports these vulnerabilities can be addressed by not allowing active directories between plant floors and corporate levels, segmenting or micro-segmenting networks, and establishing separate networks with zero-trust capabilities between them. As usual, segmentation should follow longtime recommendations for setting up zones and conduits separated by firewalls, as defined by the ISA/IEC 62443 standard, along with zero-trust rules governing their communications.

Beyond implementing modern, secure networking protocols, Reynolds adds it’s essential to work intentionally on cybersecurity by making it part of site acceptance tests (SAT) and factory acceptance tests (FAT). This includes taking positive actions, such as setting up and validating security functions to make sure authorized users can communicate, while also conducting negative tests to make sure unauthorized entities can’t gain access or communicate.

“For instance, earlier OPC DA communication strategies are still running everywhere, but more modern OPC UA is more secure because it can be set up with sufficient authorizations, avoid man-in-the-middle attacks, and use firewall rules and connections,” explains Reynolds. “These can be made as tight as possible by only opening ports to allow authorized devices to talk to each other, employ short and understandable messages, and use straightforward rules, such as requiring a single port, one transfer control protocol (TCP), one communication direction, and a clear description.”
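The zone-and-conduit model and the positive/negative acceptance tests described in the preceding paragraphs can be expressed as a small default-deny policy checker. The following is an added example written for this article, not code from ISA, Johns Manville or the OPC Foundation: the zone address ranges, conduit names, hosts and ports are constructed for illustration. Each conduit is held to Reynolds’ rule of thumb (a single TCP port, one direction, a clear description), and the acceptance tests confirm that every authorized path works and that everything else, including the reverse direction and a corporate client reaching straight into the plant zone, is blocked.

```python
"""Zone/conduit allowlist checker with positive and negative acceptance tests.

Added example, not from the article or ISA. Zones, hosts and ports below are
constructed for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Conduit:
    """One permitted path between two zones: single TCP port, one direction."""
    name: str
    description: str   # a clear description is part of the rule
    src_zone: str
    dst_zone: str
    protocol: str      # one transport protocol
    port: int          # a single destination port


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: int


# Constructed zones (addresses chosen for the example, not real sites)
ZONES = {
    "corporate": ip_network("10.10.0.0/16"),
    "dmz": ip_network("10.20.0.0/24"),
    "plant": ip_network("10.30.0.0/16"),
}

# Constructed conduits: corporate reaches only the DMZ historian over HTTPS;
# only the historian reaches the plant, over the OPC UA port (4840, IANA-registered).
CONDUITS = [
    Conduit("corp-to-historian", "Corporate reporting clients read the DMZ historian",
            "corporate", "dmz", "tcp", 443),
    Conduit("historian-to-plant", "DMZ historian polls plant OPC UA servers",
            "dmz", "plant", "tcp", 4840),
]


def validate_conduit(c: Conduit) -> List[str]:
    """Return rule-hygiene problems with a conduit definition (empty list means OK)."""
    problems = []
    if not c.description.strip():
        problems.append("missing description")
    if c.protocol.lower() != "tcp":
        problems.append("conduit must use a single TCP protocol")
    if not 1 <= c.port <= 65535:
        problems.append("port must be a single valid TCP port")
    if c.src_zone == c.dst_zone:
        problems.append("a conduit must join two different zones")
    if c.src_zone not in ZONES or c.dst_zone not in ZONES:
        problems.append("conduit references an undefined zone")
    return problems


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it belongs to no defined zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_allowed(flow: Flow) -> bool:
    """Default deny: a cross-zone flow passes only if a conduit matches its
    source zone, destination zone, protocol and port in that direction."""
    src, dst = zone_of(flow.src_ip), zone_of(flow.dst_ip)
    if src is None or dst is None:
        return False          # unknown addresses never get a path
    if src == dst:
        return True           # intra-zone traffic; micro-segmentation would split the zone further
    return any(
        c.src_zone == src and c.dst_zone == dst
        and c.protocol == flow.protocol.lower() and c.port == flow.dst_port
        for c in CONDUITS
    )


def run_acceptance_tests() -> Dict[str, bool]:
    """Positive tests must be allowed, negative tests must be blocked.
    Returns {test name: passed}; every value True means the policy passed."""
    positive = {
        "corp client reaches historian over https": Flow("10.10.5.20", "10.20.0.10", "tcp", 443),
        "historian reaches plant opc ua server": Flow("10.20.0.10", "10.30.1.5", "tcp", 4840),
    }
    negative = {
        "corp client straight to plant controller": Flow("10.10.5.20", "10.30.1.5", "tcp", 4840),
        "reverse direction plant to historian": Flow("10.30.1.5", "10.20.0.10", "tcp", 4840),
        "wrong port on an allowed path": Flow("10.10.5.20", "10.20.0.10", "tcp", 80),
        "udp on an allowed path": Flow("10.20.0.10", "10.30.1.5", "udp", 4840),
        "source outside every zone": Flow("192.0.2.7", "10.30.1.5", "tcp", 4840),
    }
    results = {name: is_allowed(f) for name, f in positive.items()}
    results.update({name: not is_allowed(f) for name, f in negative.items()})
    return results


if __name__ == "__main__":
    for c in CONDUITS:
        print(c.name, validate_conduit(c) or "OK")
    for name, passed in run_acceptance_tests().items():
        print(("PASS " if passed else "FAIL ") + name)
```

In a real FAT/SAT the flows would be generated against the firewall itself (for example from a test host in each zone) rather than evaluated against an in-memory model, but the structure is the same: a written allowlist of conduits, each checked for hygiene, and a table of expected-allowed and expected-blocked flows that is re-run whenever a rule changes.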


Similarly, remote access can be made more secure by predefining a policy and procedure for it, adopting a single cybersecurity solution, and making it simple enough to be used and monitored by regular personnel. Options include cloud-based remote access solutions such as Cyclo+ and virtual desktop infrastructure (VDI), which hosts users’ remote desktop sessions as virtual machines on centralized servers, as well as securing keyboard, video and mouse (KVM) hardware over Ethernet links using services such as VMware Cloud (VMC) or Citrix.

“Just like a remote desktop, users and devices only interact with one box, and no file transfers are allowed,” adds Reynolds. “Whatever cybersecurity policy they select, companies and organizations must provide a way for remote users and contractors to access their systems and provide support, or they may find another way in that could create more vulnerabilities. Cybersecurity requires effort and can make some tasks difficult, so it must be balanced against ease of use.”

To resolve these dilemmas and reach the most suitable and useful decisions, Reynolds advises developing risk registers based on the severity, frequency and consequences of potential cyber-intrusions and attacks. For example, gauging severity and weighing consequences can be based on:

  • Criticality of different processes and industries affected,
  • Likelihood of a process or facility being a target,
  • How quickly users can detect and respond to probes and intrusions,
  • Whether processes and applications can shut down safely if they’re compromised,
  • Checking if they could still operate following a breach, and
  • Investigating how difficult it would be for them to recover.

“Once a cybersecurity policy and procedure is in place, they can be tested using tabletop exercises, which can also help train staffers to respond appropriately and reflexively,” adds Reynolds. “In fact, ISA is rolling out its Asset Owner Conformity Assessment program to validate that users’ cybersecurity processes are in line with ISA/IEC 62443, and it’s presently training assessors.”

About the Author

Jim Montague

Executive Editor

Jim Montague is executive editor of Control. 
