Multiple forms of protection
Just as there are multiple vulnerabilities along the plant network, we're seeing multiple protection strategies. An exterior firewall is no longer sufficient. This is where the control engineer is beginning to surpass IT in understanding what needs to be protected. We're seeing the emergence of internal firewalls and demilitarized zones (DMZs) placed strategically around particularly sensitive data such as IP and pharmaceutical recipes -- often called the crown jewels of the company. "Companies use a variety of networking technologies to deal with these threats," Snitkin said. "Everyone has firewalls at the plant perimeters, and many have DMZ zones to isolate control systems from enterprise systems."
Security is now getting deployed internally to wall off particular areas, he said. "Some companies also use internal firewalls to protect specific assets, like PLCs and robots. These often understand ICS-specific protocols like Modbus. This is a particularly sensitive issue as control protocols have essentially no security. Use of deep packet inspection is also growing in popularity and is primarily being used for intrusion detection."
Interestingly, there is some backlash against buttoning up everything, since it can interfere with necessary communication on the network. "Intrusion prevention is less popular as companies are afraid of inadvertently blocking valid messages. Use of encryption is also growing in popularity, but generally only for those connections that are external to the plant," Snitkin said. "Interest in unidirectional firewalls [data diodes] is also growing in industries and regions where security threats are high."
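The Modbus-aware internal firewall and the deep-packet-inspection intrusion detection described above come down to one thing: parsing the control protocol and deciding, per host, which requests are acceptable. The following is an added example, not code from the article or from any vendor quoted in it. It parses Modbus/TCP request frames (MBAP header plus PDU) and checks the function code against a per-host allowlist; the host addresses, the policy, and the sample frames are constructed for the illustration. Because Modbus has no authentication, the policy is keyed on source address, which is exactly the weakness the text refers to when it says control protocols have essentially no security.

```python
"""Modbus/TCP deep packet inspection: parse the MBAP header and PDU of each
request and check it against a per-host function-code allowlist.
Added example for this article; not vendor code. Addresses, policy and sample
frames below are constructed."""
import struct
from dataclasses import dataclass
from typing import Optional

MBAP_LEN = 7  # transaction id (2), protocol id (2), length (2), unit id (1)

# Function codes that change PLC state. Modbus itself has no authentication,
# so the only control point is which hosts may send these at all.
WRITE_CODES = {5, 6, 15, 16, 22, 23}
FC_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    8: "Diagnostics", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
}
# Diagnostics (FC 8) sub-function 4 puts a device into listen-only mode,
# i.e. it stops answering anyone. Flag it regardless of who sends it.
FORCE_LISTEN_ONLY = 0x0004

# Hypothetical policy (assumed addresses): HMIs may read, the engineering
# workstation may read and write, any other host is denied everything.
POLICY = {
    "10.0.10.5": {1, 2, 3, 4},                   # HMI
    "10.0.10.20": {1, 2, 3, 4, 5, 6, 15, 16},    # engineering workstation
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_request(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request. Raises ValueError on a malformed frame."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    # The length field counts everything after itself: unit id plus PDU.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} != actual {len(frame) - 6}")
    return ModbusRequest(tid, uid, frame[MBAP_LEN], frame[MBAP_LEN + 1:])


def inspect(src_ip: str, frame: bytes) -> Optional[str]:
    """Return an alert string if the request violates policy, else None."""
    try:
        req = parse_request(frame)
    except ValueError as exc:
        return f"{src_ip}: malformed Modbus frame ({exc})"
    fc = req.function_code
    if fc & 0x80:  # exception responses only flow server->client
        return f"{src_ip}: exception response seen in client->server direction"
    name = FC_NAMES.get(fc, f"FC {fc}")
    if fc == 8 and len(req.data) >= 2:
        sub = struct.unpack(">H", req.data[:2])[0]
        if sub == FORCE_LISTEN_ONLY:
            return f"{src_ip}: Diagnostics Force Listen Only Mode would silence unit {req.unit_id}"
    if fc not in POLICY.get(src_ip, set()):
        kind = "write" if fc in WRITE_CODES else "request"
        return f"{src_ip}: unauthorized {kind} {name} to unit {req.unit_id}"
    return None


def demo() -> list:
    """Run the inspector over constructed sample traffic; returns the alerts."""
    traffic = [
        ("10.0.10.5",  bytes.fromhex("0001 0000 0006 01 03 0000 000a")),   # HMI reads 10 registers
        ("10.0.10.20", bytes.fromhex("0002 0000 0006 01 06 0010 00ff")),   # workstation writes one register
        ("10.0.99.77", bytes.fromhex("0003 0000 000b 01 10 0000 0002 04 12345678")),  # unknown host writes
        ("10.0.10.5",  bytes.fromhex("0004 0000 0006 01 05 0000 ff00")),   # HMI tries to force a coil
        ("10.0.10.20", bytes.fromhex("0005 0000 0006 01 08 0004 0000")),   # force listen-only
        ("10.0.10.5",  bytes.fromhex("0006 0001 0006 01 03 0000 000a")),   # wrong protocol id
    ]
    return [alert for alert in (inspect(ip, f) for ip, f in traffic) if alert]


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Run as a script, it prints four alerts: the write from the unknown host, the HMI's attempt to force a coil, the listen-only diagnostic from the workstation, and the frame with the wrong protocol id. The split between `inspect` returning an alert and a caller deciding what to do with it is deliberate: the same logic serves an intrusion-detection sensor that only logs, and an internal firewall that drops, which is the difference in risk appetite the article goes on to describe.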
This diagram shows integrated safety and control.
Passwords by function
Another protection strategy is to divide the network into portions that are accessible only to particular job functions, so that maintenance, for example, has no access to areas it does not need. "We do a lot of permissioning or password protection, which limits the user's ability to make changes without letting someone know they've made a change. We have multi-level passwording, so you can't just hack away at light curtains," Derrick Stacey, solutions engineer at B&R Industrial Automation, told us. "Maintenance and control each require a different password. So you can't make changes you're not authorized to without involving the person who is the expert in the area. So a maintenance change can't affect a light curtain."
Safety preceded security
For many years, the safety network was far more sophisticated than the security layer. Light curtains, controlled stops and localized shutdowns were already mature when plant security was little more than a perimeter firewall. Now security is catching up to safety in its complexity. Yet safety is also becoming more complex, because it is expected to help keep the plant running while also becoming more -- well, safe.
"Safety has been at this a long time," Williams said. "It was a precursor to cyber security," which modeled its protections on safety systems. "Most firms recognize that safety is a paramount issue, and the return on investment is measured in the ability to reduce insurance premiums."
Safety on the same network
Yes, you can run safety on the same network as control. In many cases, that's the solution that makes the most sense. It can be done without compromising safety.
"Safety and control can be the same network. The decision is mostly based on personal preference or corporate policy," said Mark Sen Gupta, a senior analyst at ARC Advisory Group. "Having the communications on the same network is a recent thing. Most installations have them separated. The biggest reason given for avoiding the use of the same network is to avoid common mode failures."
When safety runs on the same network, protocol conventions keep the two kinds of traffic separate. "There is a concept of white channel versus black channel, which permits the same Ethernet to carry both safety and process-related communications," Gupta said. "Communications over the black channel are for common data, while the white channel is reserved for safety. Most of the integrated safety systems can share the network."