Premier Automation Blog

Protecting Your Industrial Network from Malware

Written by Premier Automation | May 29, 2019 1:23:00 PM

There is a common misconception among industrial circles regarding network security, that since their OT networks are isolated from the internet. They are never exposed to the same types of malware, which otherwise wreak havoc through IT systems. This may have been true decades ago, when plant floors were truly isolated in all aspects, but with increased digitization and onset of IoT technologies, companies can’t rely on “isolation” alone as a protection mechanism.

An Industrial Control System survey held by Kaspersky revealed that 90 percent of companies make use of wireless connectivity in their ICS environments, with the assumption that all functions would be performed internally. But wireless or ethernet connectivity, doesn’t translate into isolation even though no connection is made to the internet. In fact, it puts all systems at risks as such networks have a higher risk of getting attacked by malware compared to conventional hard-wired ones, which at this point have become outdated.

Surely, industrial IT systems always follows modern protection practices, but what happens when attackers completely by-pass these mechanisms, and attack the seemingly isolated OT system. The most common type of threat is that of ransomware, where attackers shut-down or damage assets, while encrypting vital information. And there’s no guarantee that the attackers will stay true to their word once their demands are met.

Advent of Ethernet

When ethernet was introduced to the plant floor, it promised endless benefits, majorly in the form of an open architecture that allows plant devices and management tools to connect with each other at remote distances. But with this openness also came a big risk, underlined earlier: security.

Establishing communication between automation systems and ethernet networks is not so different from connecting a PC with an internet. In today’s industrial setting it is highly unlikely that an enterprise network doesn’t have internet connection, even though it doesn’t have a direct connection with the ICS. The most notable example of such an attack was that on Iranian nuclear centrifuges, when in 2010 the infamous malware “Stuxnet” penetrated into the local network. The virus took control of the centrifuges, spinning them above the rated speed, and destroying them in the process.

Traditionally, IT networks have maintained a high degree of security compared to their Industrial Control Systems, keeping up with modern threats, driven largely by their connectivity to the internet. Ideally, plant administrators should guarantee the same level of security for their OT. The security tools in place should allow authenticated access to take place within the plant environment, or from remote locations. This will allow remote administrators to manage multiple sites and look after their configuration, diagnostics, initialization and other settings.

The toolkit mentioned above will have both hardware and software components, as well as work practices that will maintain specified security levels. All of this will ultimately add up to the automation environment that will then be open to seamless communication between remote sites, without any security risks.

Firewalls

Firewalls are one of the most well-established security tools, forming a critical piece of the infrastructure. The purpose of a firewall is to act as a gateway between networks, controlling the type of traffic that flows, based on the desired settings. In an industrial environment, firewalls can be used to protect certain cells that have several ethernet-connected automation devices such as PLCs or PCs. Companies can make use of security modules, which are devices with one Ethernet connection coming in, and another going out to the main network. Any traffic that passes between the two is filtered based on the firewall rules.

Stateful packet inspection technology is becoming common in industrial environments, as it enables devices to assess the traffic in context. It will allow traffic to flow in if it gives a legitimate response to a request from the internet network. If the external source is sending data that wasn’t requested, it is blocked, and the administrators are notified. Also, if an internal node sends data to an external device, then the firewall allows the response packet to make its way through for a limited period of time, after which the request would have to be initiated again.

NAT and NAPT

Network Address Translation is a mature network technique that helps abstract private, static IPs with public user-defined ones. The idea is to hide the actual IP address of the device, which in most cases, static, and replace it with an internal IP scheme. This means that a public IP address is presented to external-facing nodes, which is then translated into a different IP address.

The concept is taken one step further through Port Translation (NAPT), which also addresses the specific ports that will allow access to the device. A NAPT table can be defined within a router, mapping private IP address ports to public ones.

If a device outside the network wants to communicate with an internal asset, it will use the public IP address and a specific port to do so. This will then be translated into a private IP address and the designated port addressed by the router. This makes sure that the internet device is kept abstracted from the public eye.

Secure tunnels with VPNs

One way to provide secure connection on top of an unsecure network such as the internet is by using Virtual Private Network (VPN). This can be thought of as an encrypted tunnel established by security devices at end points, generating digital certificates for authentication. The certificates may be thought of as digital IDs so that the communications are encrypted and understandable only by each device, even though transmission occurs over the internet. There are two configuration modes in which the VPNs be used:

  • Bridging mode: in a virtually flat network, bridging mode can be used to allow devices to securely communicate over unsecure sectors of the network. The mode is used for communication types that can’t be routed or be in the same subnet.
  • Routing mode: this can be used to create a VPN between devices that are configured on separate subnets. The router, which operates at Layer 3 of the OSI model, is aware of the surrounding networks and can route packets correctly. The packet travels though a secure VPN tunnel, making the communications secure over public networks.

VPNs are already being used in industrial environments where communications need to take place between remote locations. Their popularity will only rise as the role of cloud computing increases in industrial environments, making them a precursor for secure communications.

Examples

  • User-specific Firewall: if a contractor is working on your industrial assets, he/she may need access after-hours to carry out monitoring/troubleshooting. In order for him to gain access, user-specific rules must be created within the firewall that enable remote access to take place. Specific rules can be created for devices so that the user only has access to specific features of the system.
  • Site-to-Site VPN: a site-to-site VPN is an effective option when a company operates from a central site and has multiple remote facilities. A site-to-site VPN enables secure encrypted communications to take place between two sites, depending on the configurations. It could allow users at different sites to gain access to resources, as long as authorization protocols are fulfilled. In order to create the encrypted VPN tunnel, a module must be located at each end, while a firewall can be used to provide fine access control and restrict unwanted traffic.
  • Point-to-Point VPN: this type of VPN allows users to gain access to devices at any of the remote sites from any location over the internet. This is suitable for administrators who may need to work from different locations if there are frequent troubleshooting needs. A hardware module must be placed at the target location, along with appropriate client software that runs from the administrator’s computer. The software establishes an encrypted VPN connection with the site, from where he/she can log-in based on the credentials assigned.
  • Multipoint VPN connections: what happens when the administrator requires access to the multiple sites from a remote location? Rather than having to establish individual connections, it would be more suited if access is granted to a central module where the necessary tunnels have already been created. Such an arrangement is of help to service engineers who have to maintain multiple sites, and thus, work remotely. With a single connection, secure access can be provided, while in the process, precious time can be saved.

These were the essential tools necessary to protect industrial networks and assets. Your network security manager can build the infrastructure based on these tools, and then incorporate more advanced ones as the strictness of the requirements increase.

 

Interested in learning more? Visit our website www.premierautomation.com, or talk to one of our specialists today.