The shift to Ethernet, wireless technologies and remote access has brought many benefits, but this connectivity has also eliminated the system protection strategy of years past: security through obscurity. Automation system managers must now focus on protecting networks from attacks that come from inside or outside the corporate boundaries.
When Profibus, DeviceNet and other industrial networks were largely segregated from the outside world, most companies didn’t have to worry much about the possibility that hackers, extortionists, competitors and others could cause problems or steal proprietary information. But in today’s environment, those who don’t install security patches, set up firewalls and use passwords are setting themselves up for trouble.
“If this doesn’t scare you, you’re not aware of the potential problems. The consequences of an attack are serious, including loss of production, the potential for physical damage or personal injury and the theft of proprietary information,” Murray McKay of Siemens says in a recorded Webinar entitled “Best Practices for Increasing the Security of an Automation System.”
McKay’s solutions address a broad range of threats and vulnerabilities; hackers, nation states and extortionists who will demand payment for not shutting down a facility are only a few of them. Denial of service attacks, viruses, high school hackers and disgruntled employees are equally dangerous. The latter are often overlooked by companies that feel their employees are all happy. But McKay noted that if only 99.99 percent are moral and upright, the person who’s mad about something poses a challenge because he or she attacks from within.
There are many threats, so managers must deploy multiple solutions. McKay describes many of them, noting that the best defense is to combine many of them into a multi-layered strategy.
“The best strategy is defense in depth; you want to use every procedure possible to make it as difficult as possible for someone to get in. You want to make it difficult enough so an attacker will give up or that if they get in, it will take time so you can detect the attack before they gain critical access,” McKay said.
Virus scanners are one of the simplest protections, providing protection against known attacks. Firewalls are also a solid mainstay, stopping many attacks that come from the outside. Whitelisting is another solid strategy, since it only lets specified programs run on specific systems or sub-networks.
However, no defense is foolproof. While McKay recommends these technologies, he underscored their weaknesses in his call for deploying an array of products that have different strengths and weaknesses. For example, firewalls won’t help if employees fall for phishing scams, while whitelisting is often vulnerable to memory intrusion attacks.
Employee training is not only important for phishing attacks. The Stuxnet virus dramatically demonstrated that employees shouldn’t randomly insert USB sticks into networked computers. As part of their protection strategy, companies must teach employees about media access control and enforce rules when personnel use devices that aren’t approved.
Role-based authentication is another personnel-based approach. This concept limits what each employee can do on a system. If their authorization is limited to running programs, they can’t install any software or hook up a potentially-infected laptop with the intention to run diagnostics, for example. This approach can also limit the damage done if employees do something problematic, since they can’t access all machines on the network.
While much of a company’s security strategy should focus on networks within the corporate walls, those boundaries are no longer an effective barrier. Employees have many reasons to enter from homes or trade show sites, and equipment suppliers are often allowed access so they can run diagnostics and upgrade software.
One technique for allowing remote access is the virtual private network. VPN links provide secure communications between two or more computers, making this a popular strategy. However, it’s got pitfalls, as do all protection schemes.
“If one of the computers on the VPN is compromised, all the computers can be compromised. A VPN is useful but it’s brittle,” McKay says.
McKay also describes a new strategy called the data diode. This approach introduces an artificial air gap that prevents data from crossing it. Data diodes then introduce proxies that make information on one network available on another network. Only pre-configured data can go between proxies.
“It’s a good approach, but it violates some of the protocols of the Internet, so you have to make sure it works in your environment with the ports you use. It won’t work if you use remote access,” McKay says.
While these strategies all play a role in the overall scheme, users who deploy them along with other techniques won’t be able to forget about security. “Nothing is static,” McKay says. “You always have to make sure that what you designed at the beginning is still adequate.”
One way to ensure that everything is kept up to date is to set up a centralized administration system. This approach helps managers ensure that complex systems are handled correctly since there’s one central point instead of many disparate sections that have their own idiosyncrasies. Though this centralized computer is a weak spot, McKay contends that the benefits outweigh the downsides.
There’s plenty of help out there for companies that want to beef up their security or start adding protection. The National Institute of Standards and Technology has many documents and guidelines, and standards such as ISA 99 and IEC 62443 are the bedrock of many security systems, he explains. Suppliers like Siemens are also very interested in helping companies ensure that their networks don’t fall prey to the many vulnerabilities of the connected world.