Designing Secure Machine Control Networks

Al Presher

August 27, 2013

3 Min Read
Designing Secure Machine Control Networks

Industrial network security has become a hot topic, and rightfully so, in the wake of the Stuxnet virus and concerns about attacks on all types of Internet sites that could create major damage for industrial networks and machinery. Concerns about the security of machine control networks specifically are a key issue in the convergence of industrial automation technology with information technology.

A new whitepaper co-authored by Rockwell Automation and Cisco provides some good in-depth reading on this topic, along with suggestions on how to manage this difficult problem. The two companies have collaborated to develop converged plantwide Ethernet (CPwE) reference architectures "to help design and deploy a holistic defense-in-depth industrial security policies to help secure networked IACS assets," according to the whitepaper. "This comes in the form of design considerations, guidance, recommendations, best practices, solutions and services."

Two concepts jump out as very important for developing an industrial security strategy. The first is an industrial security policy, which includes risk assessment and "a roadmap for applying security technologies and best practices to protect IACS assets, while avoiding unnecessary expenses and excessive restrictive access." The second is development of a perimeter network, which the paper calls an "Industrial Demilitarized Zone" (IDMZ). It adds a buffer layer of security when a trusted network is exposed to an untrusted one.

This buffer zone provides a barrier between the Industrial and Enterprise Zones, but allows for data and services to be shared securely," the paper says. "All network traffic from either side of the IDMZ terminates in the IDMZ. No traffic directly traverses the IDMZ," which provides "the only path between Industrial and Enterprise Zones." Another key design aspect from a security standpoint: "EtherNet/IP traffic does not enter the IDMZ, it remains in the Industrial Zone."

Even though very few of us understand the details of network security, it's interesting to see how reference network architectures like this can provide a conceptual approach to implementing sound security practices. The other obvious conclusion is that this problem demands a holistic view and a series of "defense-in-depth layers," including these.

  • Policies, Procedures, and Awareness - Plan of action around procedures and education to protect company assets (risk management) and provide rules for controlling human interactions in IACS systems.

  • Physical Security - Operational and procedural controls to manage physical access to cells/areas, control panels, devices, cabling, the control room, and other locations...

  • Network Security - Industrial network security framework... is made up of network infrastructure hardware and software designed to block communication paths and services that are not explicitly authorized...

  • Computer Hardening - Patch management policy,... Anti-X (e.g. virus, spyware, malware) detection software,

[etc.]...

  • Application Security - Implement change management and accounting... as well as authentication and authorization... to track both access and changes by users.

  • Device Hardening - Restrict physical access to authorized personnel only, disable remote programming capabilities, encrypt communications,... restrict network connectivity through authentication, restrict access to internal resources... using authentication and authorization.

The whitepaper concludes:

No single product, technology or methodology can fully secure Industrial Automation and Control System (IACS) applications. Securing an IACS network infrastructure requires a defense-in-depth industrial network security framework to address both internal and external security threats. A balanced industrial network security framework must address both technical (electronic technology) and non-technical (e.g. physical, policy, procedural) elements. This industrial network security framework should be based on a well-defined set of security policies and procedures, leveraging established IT processes, while balancing the functional requirements of the IACS application itself.

I recommend reading the complete whitepaper. It's definitely a good read and worth the time of engineers concerned about designing secure machine control networks.

Related posts:

About the Author(s)

Al Presher

Al Presher

Al Presher is a contributing editor for Design News, specializing in automation and control and writing on automation topics, machine control, robotics, fluid power, and power transmission since 2002. Previously he worked in the electronic motion control field for 18 years, most recently as VP of Marketing for ORMEC Systems Corp (manufacturer of PC-based servo control systems).  Previously, he worked as Editor for Plant Systems and Equipment and Appliance magazines.  He holds an MA in magazine journalism from the S.I. Newhouse School of Public Communications at Syracuse University.

See more from Al Presher
Sign up for the Design News Daily newsletter.

You May Also Like

Editors' Choice

The 2025 Aston Martin Vantage is comfortable on the road and the track.
Automotive Engineering
Testing the 656-Horsepower, 202-mph 2025 Aston Martin Vantage
Testing the 656-Horsepower, 202-mph 2025 Aston Martin Vantage

May 13, 2024

data-signal hybrid connectors
Industry
Green Energy Buffering Is Cleaning up in Supplier News
Green Energy Buffering Is Cleaning up in Supplier News

May 10, 2024

Technology continues to make gardening more pleasurable.
Electronics
Tech That Makes A Green Thumb A Smart Thumb
Tech That Makes A Green Thumb A Smart Thumb

May 6, 2024

Recent
Jun 4 - Jun 6, 2024
Innovation in automation starts here. Discover and collaborate on automation solutions that are revolutionizing the entire production lifecycle — from design to production to market — and sharpen your competitive edge. ATX South is part of IME South, a six-in-one expo offering the latest insights & solutions spanning medtech, packaging, automation, plastics, design, & processing.
Register Now