Industrial network security has become a hot topic, and rightfully so, in the wake of the Stuxnet virus and concerns about attacks on all types of Internet sites that could create major damage for industrial networks and machinery. Concerns about the security of machine control networks specifically are a key issue in the convergence of industrial automation technology with information technology.
A new whitepaper co-authored by Rockwell Automation and Cisco provides some good in-depth reading on this topic, along with suggestions on how to manage this difficult problem. The two companies have collaborated to develop converged plantwide Ethernet (CPwE) reference architectures "to help design and deploy a holistic defense-in-depth industrial security policies to help secure networked IACS assets," according to the whitepaper. "This comes in the form of design considerations, guidance, recommendations, best practices, solutions and services."
Two concepts jump out as very important for developing an industrial security strategy. The first is an industrial security policy, which includes risk assessment and "a roadmap for applying security technologies and best practices to protect IACS assets, while avoiding unnecessary expenses and excessive restrictive access." The second is development of a perimeter network, which the paper calls an "Industrial Demilitarized Zone" (IDMZ). It adds a buffer layer of security when a trusted network is exposed to an untrusted one.
This buffer zone provides a barrier between the Industrial and Enterprise Zones, but allows for data and services to be shared securely," the paper says. "All network traffic from either side of the IDMZ terminates in the IDMZ. No traffic directly traverses the IDMZ," which provides "the only path between Industrial and Enterprise Zones." Another key design aspect from a security standpoint: "EtherNet/IP traffic does not enter the IDMZ, it remains in the Industrial Zone."
Even though very few of us understand the details of network security, it's interesting to see how reference network architectures like this can provide a conceptual approach to implementing sound security practices. The other obvious conclusion is that this problem demands a holistic view and a series of "defense-in-depth layers," including these.
Policies, Procedures, and Awareness – Plan of action around procedures and education to protect company assets (risk management) and provide rules for controlling human interactions in IACS systems.
Physical Security – Operational and procedural controls to manage physical access to cells/areas, control panels, devices, cabling, the control room, and other locations...
Network Security – Industrial network security framework... is made up of network infrastructure hardware and software designed to block communication paths and services that are not explicitly authorized...
Application Security – Implement change management and accounting... as well as authentication and authorization... to track both access and changes by users.
Device Hardening – Restrict physical access to authorized personnel only, disable remote programming capabilities, encrypt communications,... restrict network connectivity through authentication, restrict access to internal resources... using authentication and authorization.
The whitepaper concludes:
No single product, technology or methodology can fully secure Industrial Automation and Control System (IACS) applications. Securing an IACS network infrastructure requires a defense-in-depth industrial network security framework to address both internal and external security threats. A balanced industrial network security framework must address both technical (electronic technology) and non-technical (e.g. physical, policy, procedural) elements. This industrial network security framework should be based on a well-defined set of security policies and procedures, leveraging established IT processes, while balancing the functional requirements of the IACS application itself.
I recommend reading the complete whitepaper. It's definitely a good read and worth the time of engineers concerned about designing secure machine control networks.
A tied-together approach does have its advantages but nothing is ever secure as it sounds. It would seem an attack, whether done by a hacker or a virus, could bring anything tied to that network down instead of being compartmentalized in a single area like those of node-based networks.
Tool_Maker, You make a lot of good points. In most network designs, my understanding is that network traffic is not mixed and is completely separate from external traffic. When there is a need for exposing the network to the "outside", the security needs obviously grow dramatically. It's interesting that policies, procedures and physical security become as big of issues as the fancy technology protection measures. Thanks for your comments.
The buffer zone/perimeter network is an interesting concept, and at least at first glance looks like a good idea. But Tool_maker's comment makes me wonder about all those connections, too. Sequestering different networks--internal comms versus the manufacturing network where profit-center work is done, like the battalion--seems like a much more secure topology, as well as less crowded. Yet it's been a common topic in DN and elsewhere about all the efforts to bring IT together with manufacturing. Perhaps that needs a rethink.
I understand the need to tie stuff together internally for inventory control, tracking orders, and a million other reasons. I undrestand the desire to go outside for banking, order placement and a host of other reasons. I do not understand why they ever have to be tied together.
A million years ago when I was in the military, I was in a mechanized unit. The company commander's vehicle had two radios. One on the company network and one for the battalion. that way neither was cluttered with nonessential chatter. Does that not seem like at least a partial solution to this threat? When everything is linked that brings to mind a person using a megaphone to carry on a conversation and then trying to figure out how to soundproof the room so the conversation remains private.
Just because we can link everything, does not mean itis the best method.