InTech

NOV-DEC 2017

Issue link: http://intechdigitalxp.isa.org/i/910561

Contents of this Issue

Navigation

Page 38 of 61

AUTOMATION IT ly monitored to ensure that the de- signed security policies are enforced over time. It is also good practice to deploy the security patches that network device manufacturers make available to ad- dress new vulnerabilities as they are discovered. Organizations like ICS- CERT track known vulnerabilities for industrial control devices and work with manufacturers to develop and communicate these patches. When selecting ICS components, see how quickly the manufacturer typically re- sponds to vulnerabilities when they are discovered. Ongoing attentiveness Securing a network and the devices installed on it is not easy. The threats posed to industrial networks con- stantly change and evolve. To pro- tect the network as well as possible, system operators should adopt the defense-in-depth network architec- ture. Aside from a good overall net- work design, system operators should select hardened devices that support more advanced security features, such as those mentioned in the IEC 62443 standard. Overall, system oper- ators should have a thorough under- standing of the possible threats fac- ing their network, as well as detailed knowledge of the best practices for designing and maintaining networks. Finally, ensuring that the network is constantly monitored throughout the network life cycle will mitigate any security risks that arise as the net- work evolves. n ABOUT THE AUTHOR Richard Wood (Richard.wood@moxa. com), networking infrastructure man - ager for Moxa Americas in Brea, Calif., has worked in the trenches with plant engineers and original equipment manu - facturers for more than two decades to implement industrial networking and automation technologies. Wood is an author and frequent speaker on imple- menting practical strategies for industrial control systems. View the online version at www.isa.org/intech/20171205. essential to help- ing you establish and maintain such a network. Network deployment Many network management sys - tems (NMSs) have mass configuration tools, which not only speed deploy - ment, but can also help you consis - tently configure and deploy network devices. Using wiz - ards or scripting tools is an easy way to make sure your network devices are deployed accord - ing to your security policy. Network operation Once your network is deployed, a good NMS will help you visualize the health and security of your network, making it easier to monitor and enforce secu- rity policies. It also monitors network events in real time to inform you im- mediately of security concerns. It logs security events, such as successful/ unsuccessful login attempts and fire- wall rule violations, to inform you of attempted or successful breaches and where they are from. Network maintenance Throughout the automation system life cycle, local engineers or system integrators often need to perform maintenance. This maintenance typ- ically includes changing, replacing, or updating devices in the network. It is important to note that whenever a device configuration is modified, there is a possibility that it will no longer be secure, and it will become vulnerable to cyberattacks. As ICS networks continuously evolve and change, the network and all the de- vices located on it must be constant- INTECH NOVEMBER/DECEMBER 2017 39 ID and password information to fur- ther access and exploit the network. The best way to avoid this is by ensur - ing the system supports secure com- munication protocols, such as SSL and SSH, or, alternatively, password protection for device configuration through HTTPS. Vulnerability #3: Unencrypted back- up files: It is common practice to back up network configuration files in case of a failure. Often these files are stored as plain text files on shared or contrac - tor laptops. In the wrong hands, these files can be easily accessed and used to exploit the network. The best prac - tice is to encrypt these configuration files to protect the information they contain. Network security management Ensuring a secure network does not end with deployment. A good network security management policy needs to ensure that the network remains secure throughout the entire network life cy cle. A good network management tool is Level 4 business network Level 3 business information network Industrial network 1 Level 2 supervisory control Industrial network 2 etc. Level 1 controller/RT cell Fieldbus PLC HMI Enterprise/ industrial DMZ Figure 2. Security zones

Articles in this issue

Links on this page

Archives of this issue

view archives of InTech - NOV-DEC 2017