NOV-DEC 2017

Issue link:

Contents of this Issue


Page 36 of 61

INTECH NOVEMBER/DECEMBER 2017 37 AUTOMATION IT I n today's connected world, securing indus- trial control systems (ICSs) is more impor- tant than ever. Industrial control system cybersecurity standards like NERC CIP, ISA-99 (IEC-62443), and NIST 800-82 have been draft- ed to assist in identifying and implementing ICS security best practices. There are three common aspects that these standards and many cyberse- curity experts agree are fundamental to deploy- ing secure industrial networks. Network architecture: From a network archi- tecture standpoint, deploying a defense-in- depth approach that incorporates secure zones and conduits is the foundation of secure indus- trial network design. From a practical stand- point, it is rapidly becoming a requirement to design for reliable secure remote access. Secure device configuration: With today's converged networks, proper configuration of industrial network devices is becoming more complex, and security features are often left dis- abled for convenience. This leaves ICS networks vulnerable to not only malicious attacks, but also inadvertent breaches. Network security management: A good net- work security management system will not only help you deploy and enforce security policies throughout your ICS network, it will also allow you to monitor and log network events while providing real-time notification of security events. Security-minded network infrastructure When designing an ICS network, today's best practice is to deploy a defense-in-depth security architecture (figure 2), which segments network traffic into defined zones, and then limits com- munications between these zones to only pre - defined traffic. This architecture allows reliable, timely communications within these zones and limits the potential scope of a breach in any par- ticular zone. There are three steps to designing a defense-in-depth architecture. Step 1: Network segmentation Network segmentation involves breaking down the network into physical or logical zones with similar security requirements. The benefit of seg - menting the network is that each section can focus specifically on the security threats that are posed to that section of the ICS. Deploying the segmen - tation approach is advantageous, because each device is responsible for a particular segment of the network, as opposed to being responsible for the security of the entire ICS. Step 2: Define zone-to-zone interactions Once you define the specific traffic that needs to pass between secure zones, unauthorized traffic can then be filtered using industrial firewalls. A general best practice is to whitelist the traffic that needs to flow between each zone and block all other traffic. Industrial firewalls typically have deep packet inspec - tion to filter industrial protocols at a more granular level than traditional firewalls. Many industrial firewalls also have a transparent mode that allows you to install them into ex - isting networks without having to reconfigure the network IP scheme. When connecting ICS networks to enterprise information technology networks or the Inter - net, another best practice is to create a demili- tarized zone (DMZ) with an industrial firewall. FAST FORWARD l Threats posed to industrial networks are constantly changing and evolving, requiring life-cycle strategies. l System operators should thoroughly understand the threats facing their network and have detailed knowledge of the best practices for designing and maintaining networks. l Constant network monitoring throughout the network life cycle will mitigate any security risks as the network evolves. Figure 1. Security layers

Articles in this issue

Archives of this issue

view archives of InTech - NOV-DEC 2017