InTech

NOV-DEC 2017

Issue link: http://intechdigitalxp.isa.org/i/910561


With a DMZ, there is no direct connection between the secure ICS network and the enterprise network, but the data server is still accessible by both. Eliminating a direct connection between the ICS and enterprise networks significantly reduces the possibility of unauthorized traffic passing to different zones, which could jeopardize the security of the entire network.

Step 3: Support secure remote access on industrial networks

Finally, within the industrial automation and control system industry there is a growing need for access to remote sites for monitoring or maintenance. This significantly increases the risk of someone with malicious intent accessing the network. Networks that require the remote site to be constantly connected to the ICS should use a virtual private network (VPN) that supports a secure encryption method, such as IPsec or OpenVPN, which does not allow unauthorized users to access the network. There are three main advantages of using a VPN. The first is that the data is encrypted when it is transmitted. The second is that it forces the sender and recipient to authenticate who they are, so that data is only passed between verified devices. The third is that by enforcing encryption and authentication, you can ensure the integrity of the data.

Secure device configuration

Once you have a well-designed network architecture, you need to make sure that the switches and other network devices are configured to match your security requirements. This can be daunting for a control engineer who does not have deep networking expertise. Luckily, the IEC 62443 standard provides guidance by defining some of the key features you will want on your switches and other devices. Below are the seven functional requirements defined by the standard, along with a brief explanation of their relevance.

1. Identification and authentication control: Public key authentication should be used to secure server-to-device and device-to-device connections. To ensure identification and authentication control, each network device must be able to validate security certificates by checking the authentication of the signature, as well as the revocation status of a certificate.

2. Use control: Every device that appears on a network must support login authentication. To restrict unauthorized users from gaining access to devices or the network, the application or device must limit the number of times a user can enter the password incorrectly before being locked out.

3. Data integrity: Across all ICS networks, the integrity of the data is very important for ensuring that data is accurate and that it can be processed and retrieved reliably. There are several security measures you can use to protect the data, including SSL, which supports encryption between a Web browser and a server.

4. Data confidentiality: When data is stored or transmitted across networks, it has to be safe and secure. The data should be protected from all types of threats ranging from very basic ones to highly sophisticated attacks. Data must be secured at all times from those who wish to eavesdrop on communications, alter settings, or steal data.

5. Restrict data flow: One of the most effective methods of restricting the flow of data is to split the network into different zones. Each zone uses specific security features so that only those with authorization can access and send data from a specific zone. Another benefit is that if a zone is infiltrated, the threat cannot easily spread to other parts of the network, which helps limit the damage caused by the security breach.

6. Timely response to events: It is essential that system operators are able to respond quickly to security incidents that occur on the network. To facilitate this, the network must support the features needed to alert system operators if a problem occurs and also keep a record of any abnormalities that happen on the network. All network events should be processed in real time or at least fast enough for system operators to respond in time to prevent further damage to the ICS network.

7. Network resource availability: Devices on ICS networks must be able to withstand denial-of-service attacks from people with only a basic understanding of ICS networks or who are presented with an opportunity due to operator error. Devices must also be able to withstand attacks from entities that have high motivation and high levels of ICS-specific skills. The important point is that the network must not experience downtime regardless of who is attacking the network.

Now that the security configuration requirements have been outlined, we will discuss three common vulnerabilities and how properly configured network devices help protect your ICS.

Vulnerability #1: Use of default device passwords: Strong password-based authentication is a fundamental requirement for network security, yet many devices on industrial networks still use default passwords shipped from the manufacturers. Although this may be convenient for maintenance, it leaves your network extremely vulnerable. To address this security issue, the devices located on industrial networks must enforce strong password policies that include a minimum password length and a variety of character types. As they are much harder to guess, passwords that adhere to a strong password policy will help protect against brute force attacks.

Vulnerability #2: Plain text transmission of user and passwords: Many devices on ICS networks still use nonsecure plain text communications when users log in to configure them. This makes it easy for someone "sniffing" the connection to obtain the user
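The zone separation described above (enterprise and ICS networks reaching only the shared data server in the DMZ) can be checked against a firewall rule set. The following is an added example, not part of the original article; the zone addresses, rule schema and function names are constructed for illustration.

```python
import ipaddress

# Constructed zone plan: addresses are illustrative, not from the article.
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "dmz":        ipaddress.ip_network("10.20.0.0/24"),
    "ics":        ipaddress.ip_network("10.30.0.0/16"),
}
# Zone pairs that must never talk directly; traffic has to stop in the DMZ.
FORBIDDEN = {frozenset({"enterprise", "ics"})}


def zones_touched(cidr):
    """Names of every zone a rule's address range overlaps ('any' hits all)."""
    net = ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr)
    return {name for name, zone in ZONES.items() if net.overlaps(zone)}


def direct_paths(rules):
    """Return (rule id, src zone, dst zone) for permits that bypass the DMZ.

    Each permit is judged on its own; earlier deny rules that might shadow it
    are ignored, so the result errs on the side of reporting.
    """
    hits = []
    for rule in rules:
        if rule["action"] != "permit":
            continue
        for src in sorted(zones_touched(rule["src"])):
            for dst in sorted(zones_touched(rule["dst"])):
                if frozenset({src, dst}) in FORBIDDEN:
                    hits.append((rule["id"], src, dst))
    return hits


# Constructed rule set (hypothetical schema); 10.20.0.5 stands for the data server.
RULES = [
    {"id": 1, "action": "permit", "src": "10.10.0.0/16", "dst": "10.20.0.5/32"},
    {"id": 2, "action": "permit", "src": "10.30.0.0/16", "dst": "10.20.0.5/32"},
    {"id": 3, "action": "permit", "src": "10.10.4.0/24", "dst": "10.30.1.0/24"},
    {"id": 4, "action": "permit", "src": "any",          "dst": "10.30.9.9/32"},
    {"id": 5, "action": "deny",   "src": "any",          "dst": "any"},
]

if __name__ == "__main__":
    for rule_id, src, dst in direct_paths(RULES):
        print(f"rule {rule_id}: direct {src} -> {dst} path bypasses the DMZ")
```

Rules 3 and 4 are reported: one names both zones explicitly, the other reaches the ICS zone through an `any` source that includes the enterprise range.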
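The "use control" requirement (lockout after repeated wrong passwords) and the password policy named under Vulnerability #1 (minimum length, variety of character types, no factory defaults) can be sketched as follows. This is an added example, not code from the article or from any device vendor; the thresholds, the default-password list and the `DeviceAccount` class are assumptions.

```python
import hashlib
import hmac
import os
import string

# Assumed policy values: the article names these controls but gives no numbers.
MIN_LENGTH = 12
MIN_CHAR_TYPES = 3
MAX_FAILED_LOGINS = 3
FACTORY_DEFAULTS = {"admin", "password", "12345678"}  # constructed sample list

def policy_violations(password):
    """Return the reasons a candidate password fails the policy (empty = OK)."""
    types = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    found = sum(any(ch in t for ch in password) for t in types)
    problems = []
    if password.lower() in FACTORY_DEFAULTS:
        problems.append("factory default")
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if found < MIN_CHAR_TYPES:
        problems.append("too few character types")
    return problems

class DeviceAccount:
    """Hypothetical login handler for one account on a network device."""
    def __init__(self, password):
        self.failed, self.locked = 0, False
        self.set_password(password)

    def _digest(self, password):
        # Store a salted, stretched hash rather than the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def set_password(self, password):
        problems = policy_violations(password)
        if problems:
            raise ValueError("rejected: " + ", ".join(problems))
        self._salt = os.urandom(16)
        self._stored = self._digest(password)

    def login(self, password):
        if self.locked:
            return "locked"            # even the correct password is refused
        if hmac.compare_digest(self._digest(password), self._stored):
            self.failed = 0            # a success resets the counter
            return "ok"
        self.failed += 1
        self.locked = self.failed >= MAX_FAILED_LOGINS
        return "denied"
```

Once `locked` is set, the account stays refused until an operator clears it, which is what turns an unlimited guessing loop into at most `MAX_FAILED_LOGINS` attempts.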
