An Industrial Control System survey conducted by Kaspersky revealed that 90 percent of companies use wireless connectivity in their ICS environments, on the assumption that all functions would be performed internally. But wireless or Ethernet connectivity does not translate into isolation, even when no connection is made to the internet. In fact, it puts all systems at risk, since such networks are more exposed to malware than the conventional hard-wired ones, which at this point have become outdated.
Certainly, industrial IT systems follow modern protection practices, but what happens when attackers bypass these mechanisms completely and attack the seemingly isolated OT system? The most common type of threat is ransomware, where attackers shut down or damage assets while encrypting vital information. And there is no guarantee that the attackers will stay true to their word once their demands are met.
When Ethernet was introduced to the plant floor, it promised endless benefits, mainly in the form of an open architecture that allows plant devices and management tools to connect with each other over long distances. But with this openness came a big risk, underlined earlier: security.
Establishing communication between automation systems and Ethernet networks is not so different from connecting a PC to the internet. In today’s industrial setting it is highly unlikely that an enterprise network lacks an internet connection, even if it has no direct connection to the ICS. The most notable example of such an attack was the one on Iranian nuclear centrifuges, when in 2010 the infamous malware “Stuxnet” penetrated the local network. The malware took control of the centrifuges, spinning them above their rated speed and destroying them in the process.
Traditionally, IT networks have maintained a higher degree of security than Industrial Control Systems, keeping up with modern threats, driven largely by their connectivity to the internet. Ideally, plant administrators should guarantee the same level of security for their OT. The security tools in place should allow authenticated access, whether from within the plant environment or from remote locations. This allows remote administrators to manage multiple sites and look after their configuration, diagnostics, initialization and other settings.
The toolkit mentioned above has both hardware and software components, as well as work practices that maintain the specified security levels. All of this ultimately adds up to an automation environment that is open to seamless communication between remote sites, without any security risks.
Firewalls are one of the most well-established security tools, forming a critical piece of the infrastructure. A firewall acts as a gateway between networks, controlling the traffic that flows through it according to the configured rules. In an industrial environment, firewalls can protect individual cells containing several Ethernet-connected automation devices such as PLCs or PCs. Companies can use security modules: devices with one Ethernet connection facing the cell and another facing the main network. Any traffic passing between the two is filtered according to the firewall rules.
Stateful packet inspection is becoming common in industrial environments, as it lets devices assess traffic in context. It allows traffic in only if it is a legitimate response to a request from the internal network. If an external source sends data that was not requested, it is blocked and the administrators are notified. Likewise, when an internal node sends data to an external device, the firewall allows the response packets through for a limited period of time, after which the request has to be initiated again.
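To make the stateful behaviour described above concrete, here is a small connection-tracking filter written for this article (it is example code, not a security module’s actual firmware). The cell prefix, the 30-second reply window, the Modbus/TCP-only outbound policy and the packet trace are all constructed assumptions; a real module would also refresh entries on traffic and track TCP state, which this toy deliberately omits so that the expiry rule in the text is visible.

```python
# Added illustration of stateful packet inspection at a cell boundary.
# Example code written for this article, not a vendor's firewall;
# addresses, ports, policy and the trace below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple

CELL_PREFIX = "192.168.10."        # constructed: the protected automation cell
REPLY_WINDOW = 30.0                # assumed: seconds a reply is accepted after a request
ALLOWED_OUTBOUND_PORTS = {502}     # assumed policy: cell devices may only initiate Modbus/TCP


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ts: float  # seconds since the start of the trace


class StatefulCellFirewall:
    """Tracks cell-initiated connections and only admits replies to them."""

    def __init__(self, allowed_ports=ALLOWED_OUTBOUND_PORTS, window=REPLY_WINDOW):
        self.allowed_ports = set(allowed_ports)
        self.window = window
        # (cell_ip, cell_port, ext_ip, ext_port) -> time at which the entry expires
        self.table: Dict[Tuple[str, int, str, int], float] = {}
        self.alerts: List[str] = []  # what the administrators would be notified about

    @staticmethod
    def _in_cell(ip: str) -> bool:
        return ip.startswith(CELL_PREFIX)

    def _expire(self, now: float) -> None:
        stale = [k for k, exp in self.table.items() if exp <= now]
        for k in stale:
            del self.table[k]

    def process(self, p: Packet) -> str:
        self._expire(p.ts)
        src_in, dst_in = self._in_cell(p.src), self._in_cell(p.dst)
        if src_in and dst_in:
            return "ACCEPT"  # intra-cell traffic never crosses the security module
        if src_in and not dst_in:
            if p.dport not in self.allowed_ports:
                self.alerts.append(f"t={p.ts}: outbound to {p.dst}:{p.dport} not in policy")
                return "DROP"
            # Remember the request; its reply is admitted only inside the window.
            self.table[(p.src, p.sport, p.dst, p.dport)] = p.ts + self.window
            return "ACCEPT"
        if not src_in and dst_in:
            key = (p.dst, p.dport, p.src, p.sport)
            if key in self.table:
                return "ACCEPT"  # a reply to a request the cell made
            self.alerts.append(f"t={p.ts}: unsolicited {p.src}:{p.sport} -> {p.dst}:{p.dport}")
            return "DROP"
        return "DROP"  # neither side is the cell: not this module's traffic


def run_trace(fw: StatefulCellFirewall, packets: List[Packet]) -> List[str]:
    return [fw.process(p) for p in packets]


# Constructed trace: a cell PC polls a plant server, an outsider probes a PLC,
# a reply arrives after the window has closed, and a cell PC tries telnet.
SAMPLE_TRACE = [
    Packet("192.168.10.10", 40000, "10.0.0.20", 502, 0.0),   # request from the cell
    Packet("10.0.0.20", 502, "192.168.10.10", 40000, 1.0),   # reply within the window
    Packet("10.0.0.99", 5555, "192.168.10.5", 502, 2.0),     # unsolicited probe
    Packet("10.0.0.20", 502, "192.168.10.10", 40000, 45.0),  # reply after the window
    Packet("192.168.10.10", 40001, "10.0.0.20", 23, 46.0),   # outbound not in policy
]


def demo() -> Tuple[List[str], List[str]]:
    fw = StatefulCellFirewall()
    return run_trace(fw, SAMPLE_TRACE), fw.alerts


if __name__ == "__main__":
    verdicts, alerts = demo()
    for p, v in zip(SAMPLE_TRACE, verdicts):
        print(f"t={p.ts:5.1f} {p.src}:{p.sport} -> {p.dst}:{p.dport}  {v}")
    print("alerts:", *alerts, sep="\n  ")
```

Running the file prints one verdict per packet: the first reply is accepted, the probe and the late reply are dropped with an alert each, and the telnet attempt is dropped by the outbound policy. The alert list is the hook where a real module would raise its notification.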
Network Address Translation (NAT) is a mature network technique that hides private, static IP addresses behind public, user-defined ones. The idea is to conceal the actual IP address of the device, which is in most cases static, behind a separate addressing scheme: a public IP address is presented to external-facing nodes and is then translated into a different, internal IP address.
The concept is taken one step further by Network Address and Port Translation (NAPT), which also specifies the ports through which a device can be reached. A NAPT table defined within a router maps private IP address and port pairs to public ones.
If a device outside the network wants to communicate with an internal asset, it uses the public IP address and a specific port. The router then translates these into the private IP address and the designated port. This keeps the internal device hidden from public view.
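The NAPT table just described, written out as example code for this article rather than taken from any router’s implementation. The public address (203.0.113.10, from the documentation range), the private PLC and HMI addresses and the port mappings are all constructed; the point to notice is that a port with no table entry yields no translation at all, which is what keeps the internal device out of public view.

```python
# Added illustration of a static NAPT table on a cell router.
# Example code written for this article, not a router's real implementation;
# every address and port below is constructed.
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


class NAPTRouter:
    """Maps (public_ip, public_port) to (private_ip, private_port) and back."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self._inbound: Dict[int, Endpoint] = {}   # public port -> private endpoint
        self._outbound: Dict[Endpoint, int] = {}  # private endpoint -> public port

    def add_mapping(self, public_port: int, private_ip: str, private_port: int) -> None:
        if public_port in self._inbound:
            raise ValueError(f"public port {public_port} already mapped")
        self._inbound[public_port] = (private_ip, private_port)
        self._outbound[(private_ip, private_port)] = public_port

    def translate_inbound(self, dst: Endpoint) -> Optional[Endpoint]:
        """Rewrite the destination of a packet arriving from outside; None means drop."""
        ip, port = dst
        if ip != self.public_ip:
            return None
        # A port with no entry is simply not reachable: the device stays hidden.
        return self._inbound.get(port)

    def translate_outbound(self, src: Endpoint) -> Optional[Endpoint]:
        """Rewrite the source of a reply leaving the cell; None if it has no public face."""
        port = self._outbound.get(src)
        return None if port is None else (self.public_ip, port)

    def table(self) -> List[Tuple[Endpoint, Endpoint]]:
        """The NAPT table as (public endpoint, private endpoint) rows."""
        return sorted(((self.public_ip, pp), pe) for pp, pe in self._inbound.items())


def build_example_router() -> NAPTRouter:
    # Constructed mappings: a PLC's Modbus/TCP port and an HMI's web interface.
    r = NAPTRouter("203.0.113.10")
    r.add_mapping(10502, "192.168.10.5", 502)
    r.add_mapping(10080, "192.168.10.7", 80)
    return r


if __name__ == "__main__":
    r = build_example_router()
    for public, private in r.table():
        print(f"{public[0]}:{public[1]}  ->  {private[0]}:{private[1]}")
    print(r.translate_inbound(("203.0.113.10", 10502)))  # reaches the PLC
    print(r.translate_inbound(("203.0.113.10", 502)))    # None: port 502 is not exposed
    print(r.translate_outbound(("192.168.10.5", 502)))   # reply leaves as the public endpoint
```

Inbound packets are looked up by destination, outbound replies by source, so each direction uses its own dictionary and the two are kept consistent by `add_mapping`. Rejecting a duplicate public port is the kind of check a practitioner wants, because two devices silently sharing one public port is a configuration error that is otherwise hard to spot.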
One way to provide a secure connection over an unsecured network such as the internet is a Virtual Private Network (VPN). A VPN can be thought of as an encrypted tunnel established by security devices at the endpoints, which rely on digital certificates for authentication. The certificates act as digital IDs, so that communications are encrypted and intelligible only to the two devices, even though transmission occurs over the internet. There are two configuration modes in which VPNs can be used:
VPNs are already used in industrial environments where communication between remote locations is required. Their popularity will only rise as cloud computing plays a larger role in industrial environments, making them a building block for secure communications.
These are the essential tools for protecting industrial networks and assets. Your network security manager can build the infrastructure on these tools and then incorporate more advanced ones as the requirements become stricter.
Interested in learning more? Visit our website www.premierautomation.com, or talk to one of our specialists today.