Date: Jan 31, 2013
Learn the five key points to a well-planned security strategy.
The openness of Ethernet and the availability of industrial software that runs on notebooks, tablets and even smart phones all make it easier to manage automation systems. But these tools have inherent vulnerabilities that should be acknowledged and addressed. In the words of Ben Franklin, “an ounce of prevention is worth a pound of cure.”
All network managers must be aware of these threats, which constantly evolve. While malware and attacks by hackers get most of the attention, other threats can potentially cause more disruption.
Network managers must also guard against espionage and those intent on data manipulation while also devising techniques that prevent disgruntled employees from causing problems. Loss of life, financial loss, intellectual property security and decreased productivity are just some of the negative impacts that can occur when security is compromised.
Protecting networks can’t be a one-time implementation of items on a checklist, it has to be more of an ongoing lifestyle to be successful. The best industrial security solution is the right mix of products, processes and services. These security products should be based on best processes and standards to protect against security threats both intentional and accidental.
Companies that have expertise may opt to buy products designed with security in mind, while those without expert internal resources may want to turn to suppliers. Siemens offers both approaches, serving as a trusted advisor for industrial cyber security.
Experts agree that protecting networks requires defense in depth, since no one solution will prevent all of the security problems that can arise. Many security professionals also say that building a security system that’s integrated into the equipment is a good starting point.
Integrated security strategies can take many forms. At Siemens, security is segmented into five key points.
The first is the implementation of a security management plan. This plan must take an overall strategy on security, including physical protection as well as Cyber security. Personnel training is a critical part of this plan.
The integrated security program should also establish regulations for interfaces within the network. There are many approaches to these regulations, such as limiting which devices can communicate with each other. Once these restrictions are established, they must be monitored to ensure compliance.
Two other key points are the protection of PC-based systems and the control level. PC-based systems, which are seeing broader use in most facilities, need to be protected with antivirus and/or whitelisting applications. Additional protections are provided for control level products. Both PC-based gear and control functions need special attention because they often control critical elements of the various processes within the plant.
The fifth aspect of this program is to segment communications and constantly monitor network activity. Segmenting a facility’s networks into subsections is critical. Equipment with a segment can communicate freely, and authorized connections outside the sub network are easier to monitor. Segmentation also limits the damage that can be done if a network is compromised, since it’s easier to limit the problem within the sub network.
Implementing this multilayered protection strategy begins with picking components that are designed with security in mind. Siemens offers a range of equipment such as CP 343-1 Advanced/ CP 443-1 Advanced as part of an integrated security concept. The range of offerings makes it easy for plant managers to build systems that provide protection without significantly impacting cost and complexity.
Firewalls are a critical element for protecting networks and sub network segments. The Scalance S Security Modules provide a global and user specific set of firewall rules while also offering VPN connectivity. The module also provides router functionality and secure diagnostics using SNMPv3.
The UMTS Scalance M875 offers secure IPsec VPN tunnels over a 3G cellular network. This provides secure access to remote production sites.
Those with larger networks will often need more flexibility in the security topology. The CP 343-1 Advanced and CP 443-1 Advanced module provides enhanced integrated security with a stateful inspection firewall, filter function for layer 2 packages, bandwidth limitation and global firewall rules that can run simultaneously for several devices.
Its VPN function provides tap-proof access to control points while providing up to 32 VPN tunnels. The CP 343-1 and CP 443-1 also offer HTTPS, encrypted HTML pages via SSL and NTPv3 secure transfers with time of day stamps and authentication.
The CP 1628 is a PC interface card that includes a firewall, filter functions for layer 2 packages and tap-proof VPN. SNMPv3 transfers for network analysis information is also a standard capability for the card.
These tools can be augmented by a protection plan that includes a number of different standards. ISA-99 is one of the more widely used offerings, providing a framework for security measures. The U.S. Dept. of Homeland Security has created a Cyber Security Evaluation Tool that guides users through steps that will help to establish and improve cybersecurity programs.
Creating and maintaining a secure environment is not a simple task. But the ongoing effort is well worth the time. Customers can gain many benefits when they take an integrated approach to security. Increased protection for products and processes is foremost among them, along with reduced risk.
At the same time, continuous monitoring of network traffic usually increases plant availability by reducing network outages. Often overlooked is the enhanced protection of intellectual property that could be stolen by intruders. When all these benefits are totaled and compared to the potential losses of lackluster security, the choice is usually pretty clear for most management teams.