In the era of the Industrial Internet of Things, where manufacturers worldwide strive to reduce costs and increase efficiency, every single device in a modern facility is connected to a network. While the benefits of this are plentiful each new connection may potentially open a door – and increase the risk of a cybersecurity breach.
In its essence, the main goal of any industrial company, whether on land or at sea, is to increase and maximize its profits. The key to achieving this is to reduce operational costs and increase production efficiency. This requires informed decisions to be made, which in turn relies on a wealth of data being transmitted from and between smart devices and machines communicating effectively within a network.
This connectivity is the driving principle of the Industrial Internet of Things (IIoT) – a concept that continues to revolutionize industrial automation by allowing business owners to take advantage of an increasingly globalized and digitized world
As more and more manufacturers and maritime industries are embracing and incorporating IIoT strategies into their business plan – predictions state that tens of billions of devices will be connected to a network by the year 2020 – securing your network to prevent potential cyber attacks is imperative
In this article, we take a closer look at what is needed to secure your industrial network and the devices that connect to it.
Increased vulnerability for cyber attacks
Connecting devices in an automated network controlled by programmable logic controllers (PLC), a distributed control system (DCS) or a supervisory control and data acquisition (SCADA) system is nothing new within the world of industry.
However, these operational technology systems have traditionally been isolated from the more vulnerable enterprise networks. Due to this isolation, industrial networks have had a low risk of cyber attacks and cybersecurity has not been a primary concern for system operators.
Times are changing, however with IIoT practices connecting industrial and enterprise networks in order to secure a seamless and continuous flow of data between all devices, implementing cybersecurity measures to secure your entire network is now of paramount importance
Each connected device increases your network’s vulnerability to cyber attacks and a single hole in the fence, such as an outdated legacy device or an unprotected switch, is all a hacker with malicious intent needs in order to penetrate your network and start siphoning your valuable data – or even take control of the entire process.
No longer isolated at sea
This transition is also apparent in the marine industries. Whereas factories and manufacturers have had isolated industrial networks, ships and other vessels have been isolated in a more literal sense – with an entire ocean between them and the potential risks of a breach.
Cybersecurity has only recently become a point of focus for the marine industries. Technological advances has significantly increased the availability of data at sea, allowing for real time processing and remote diagnostics. But this also means most vessels today can have a permanent connection to shore, opening them up for potential cyber attacks.
Integral parts of the system, such as a monitoring PC with access to all devices on poses an ideal entry point for a malicious hacker, if not properly secured.
Due to this increased vulnerability, the DNV GL has released a set of guidelines for cybersecurity of maritime assets.
Three important cybersecurity factors
Designing, implementing and increasing the security of your network can be a challenging task, as there are several aspects to consider.
At its core, there are three important factors that must be addressed when building your cybersecurity infrastructure:
- Network Security
- Device Security
- Secure Monitoring and Management
While monitoring and managing your network and establishing policies and guidelines to ensure its security throughout its lifecycle is equally important, this article focuses on network and device security.
Secure your network with defense-in-depth
When designing a secure network one of the most effective approaches is to use a defense-in-depth security architecture. This system is designed to protect individual zones and cells and re-establishes the barrier between your industrial network and your enterprise network.
Established in separate layers, any and all communication across zones or cells should be done through a firewall or VPN. This reduces the risk of your entire network failing as a result of a security breach, as each layer is able to address a different security threat and the problem may be contained within that specific layer.
To ensure a reliable defense-in-depth cybersecurity architecture three steps must be taken:
- Segment your network
Segmenting your network into physical or logical zones with similar security requirements.
By doing this you allow each zone to focus on specific security threats to that section. In addition, each device will be responsible for a particular segment rather than the entire network.
- Define zone-to-zone interactions
To enhance your network security, all data transmitted between zones must be scrutinized and filtered. This can be done by establishing a demilitarized zone (DMZ). This DMZ ensures there is no direct connection between your industrial network and your enterprise network, but the data server is still accessible for both networks.
Eliminating this direct connection significantly reduces the risk of a threat jeopardizing your entire network.
- Support secure remote access
Despite significantly increasing the risk of security breaches, chances are you need to allow remote sites access to your industrial network in order to monitor devices, perform maintenance and ensure that everything is running smoothly.
For networks requiring a constant connection to a remote site, we advise using hardware that supports the required level of security and with options for secure connections through a firewall or VPN. This will help to prevent unauthorized users from accessing the network.
Seven requirements your devices must fulfill
Once the network is secure, your next step is to secure all devices connected to the network to ensure that no user may intentionally or accidentally change your settings in a way that puts the devices on your network at risk.
The IEC 62443 standard, regarded the most relevant publication on how to secure your network devices, contains seven foundational requirements your network should fulfill:
- Identification and Authentication Control
Ensure server-to-device and device-to-device connections are secure by using public key authentication.
- Use Control
Every device on the network must support login authentication and must limit the number of times passwords can be entered incorrectly before the user is locked out.
- Data Integrity
Implement security measures such as SSL to encrypt and protect the integrity of your data.
- Data Confidentiality
Ensure that data stored or transmitted between devices across your networks are secure at all times.
- Restrict Data Flow
Restrict data flow by splitting your network into zones (as mentioned in the previous section) and ensure that all unused ports are disabled.
- Timely Response to Events
Your network must support features to alert your system operators when a problem or breach occurs in order to facilitate a quick and timely response to unpredicted events.
- Network Resource Availability
Devices on your network must be able to withstand denial of service attacks in order to safeguard from downtime regardless of who is attacking the network.
Hardware support is imperative
While implementing all the necessary applications and safety features to ensure that your network is secure can be both challenging and cumbersome in itself, there is one more important question you must answer when implementing your cybersecurity measures:
Does the hardware and devices that connects to your network support all the necessary safety features?
Guidelines and features do little good if the hardware they are applied to is incapable of supporting them. It is imperative to ensure that every single device connected to your network support the safety measures you are implementing.
Protect your legacy
Lastly, you have to consider how your modern network is affected by your legacy devices. Industrial equipment is built to last, and while many business owners prefer to incorporate their legacy devices within their secure network, precautions need to be taken.
Legacy devices lack security protocols and are reliant on media converters and adapters in order to connect to the rest of your network. These devices may create a weakness in your otherwise secure infrastructure, if not properly secured.
Identifying your optimum solution
In the era of the Industrial Internet of Things cybersecurity is more important than ever. In order to reap the benefits of connectivity, you must first reduce your vulnerability.
Though there are many important steps you must take in order to secure your network and all your devices, your first step should be ensuring that you have the right equipment and hardware to handle the tasks at hand.
At Elektronix we specialize in identifying the optimum hardware solutions for your cybersecurity needs. We can help you benchmark existing equipment and find new hardware that supports all your needed safety futures.