Four cybersecurity approaches and strategies for industrial networks

Learning Objectives

• Companies need to have a strong and coherent cybersecurity agenda as more devices become vulnerable to attack.
• Assessing the current state of the cybersecurity program and looking ahead are critical.
• Segmentation, intrusion detection systems (IDS), firewalls and software-defined networks (SDNs) can help companies improve their cybersecurity postures.

Cybersecurity Insights

• Cybersecurity is more than slapping a program together and calling it a day. For manufacturers and other industrial organizations, it requires a comprehensive plan and understanding from the top-down to be successful.
• Segmenting devices, firewalls and intrusion detection systems (IDS) can help improve a company’s cybersecurity posture and give companies insights into where they’re strong and where they’re vulnerable.
• At the end of the day, the cybersecurity program is only as strong as the people behind the scenes running the program.

Those in charge of cybersecurity for industrial networks are seemingly pulled in opposite directions. Every month, multiple operational technology (OT)-related cybersecurity vulnerabilities are posted to places like the Cybersecurity and Infrastructure Security Agency (CISA), which asks professionals to secure their networks from threats.

Every month, there are new requests or initiatives driven by the company to enable these networks for Industry 4.0, Smart Manufacturing, or installing Industrial Internet of Things (IIoT) solutions. How can those tasked with cybersecurity meet the needs of businesses while still working to mitigate these new and existing risks within their environments? Below are several cybersecurity approaches and considerations that companies should implement.

1. Understand or make the rules

It is important to understand who has accountability and responsibility for the industrial network within an organization. Is it corporate IT, site engineering, or dedicated OT staff? How does this reporting structure tie into the larger set of corporate cybersecurity risks owned by a CIO or CISO? Who are the other stakeholders with interest in a functional and capable network, and how are they providing input or staying informed of changes? What controls, standards, or requirements does the industrial network have to adhere to?

As industrial networks become more than a means for devices to communicate to each other for process controls, the number of groups who each have their own priorities and needs increases. All of these must be considered when developing a cybersecurity strategy due to the potential impacts change brings with it. If these questions do not have immediate and documented answers, it’s important the organization spends time resolving these questions before moving forward.

2. Assess the current cybersecurity state

Many cybersecurity solutions such as an intrusion detection system (IDS) require the network infrastructure to have capabilities or functionality only present in switches that can be configured or managed. Initiatives related to network isolation or segmentation also require switch hardware, which can do more than allowing device A to communicate to device B. Before beginning any project to introduce new cybersecurity solutions or change in network architecture, take stock of the network switches and firewalls installed within the industrial networks. Do not forget to look at skid or machine networks because they may be targets of future projects related to Industry 4.0 or IIoT.

When assessing, consider how many physical ports are available, if it is under an active warranty or support contract, the capabilities it has, and how it is currently managed or administered. If a location finds a switch that is completely full and does not support features such as remote management or virtual local area network (VLAN), knowing upcoming projects from both the engineers and plans by the cybersecurity team may drive the type of switch that will need to be installed as a replacement. Without knowing what is present and what will be needed in the future, a lot of time and capital can be wasted on improper upgrades or replacements.

3. Look forward at network infrastructure

Implementing cybersecurity solutions based on today’s environment is not the best approach. Organizations need to spend time looking ahead and understanding how the new technologies and solutions being added to control systems in the next one, three, or five years will impact the networks and infrastructure required to operate them. Industrial networks are also more than ethernet and IEEE 802.11 wireless as well. It is critical that all networks involved in operations including cellular, LoRaWAN, Bluetooth low energy (BLE), and any vendor-specific protocols, are included in the cybersecurity plans and considerations.

The number of inbound and outbound connections will increase due to the use of cloud-based services, analysis packages running in the IT networks, and third-party services that connect directly to a vendor’s systems or platforms. Designing a cybersecurity strategy today without accounting for interaction with Internet-based services will certainly cause future headaches. Therefore, it is essential to identify and involve all the industrial network stakeholders.

4. Consider cybersecurity capabilities

Even the most advanced and capable cybersecurity solutions are worthless without proper implementation, support, and maintenance.

As part of any solution evaluation process, the organization must consider the who and how of operating it. Is the organization willing to send individuals out for training or hire new personnel with the experience and ability to manage and maintain the newly implemented cybersecurity tools? Have they budgeted for ongoing support contracts? What is the expectation for response at 2 a.m. when the solution detects a critical event? What new responsibilities and expectations will be placed upon the staff working in the controls environment when a cybersecurity solution is implemented?

Aligning on these points before beginning the evaluation of cybersecurity products or solutions may help the organization quickly filter out those which do not align with the organizational plan.

Four potential devices for improving network security

Beyond basic strategies, specific can help companies improve their cybersecurity posture in the short- and long-term. Four should be near the top of the list.

1. Segmenting devices

If the industrial network in operation today has limited separation between machines, areas, or functions, a good beginning to enhancing cybersecurity may be creating more segmentation within the network to limit unwanted communications. In addition to lowering the amount of broadcast messages sent to all devices, segmentation may be a prerequisite to a firewall solution and is also a consideration in security approaches such as ISA/IEC 62443. If switches are used that do not support features such as VLANs, upgrading switch hardware may be required.

2. Firewalls

Placing a firewall between the industrial and office networks is a good first step in limiting the communication paths into devices and equipment. When considering firewalls look for those which have an understanding of industrial protocols built in and size them for the amount of bandwidth and number of connections needed in the future. Placing a firewall inline between the connection(s) of the industrial and office networks should be planned to minimize disruption, and care must be given when beginning to enforce rules and block undefined communications. Firewalls also can serve as a means of providing secure access to industrial networks from the outside via the use of virtual private network (VPN) features. This could allow for existing remote access technologies to be removed and consolidated into one central and manageable approach.

3. Intrusion detection/preventing systems

There are many different approaches to implementing an intrusion detection or intrusion prevention system (IDS/IPS). Generally, these solutions will analyze network communications and alert on activities that are unknown, unexpected, or pre-defined to be notified on. For human-machine interface (HMI) and supervisory control and data acquisition (SCADA) systems, a host-based approach also may be incorporated into the solution, provided the software does not conflict with the ability of the system to operate. Some new products include more advanced learning features that allow them to develop an understanding of normal communications within an environment, resulting in alerts that are more likely to be suspicious behavior. Depending on how the IDS/IPS is provided, network communication data, network switch changes or the addition of network taps may be required and should be discussed with the solution vendor.

4. Software-defined networks (SDNs)

For organizations looking to enforce a much more granular level of control over device-to-device communications, software-defined networks may be the answer. Each device or grouping of devices will only be allowed to communicate over the specific ports or protocols defined by the configuration. Implementation of this solution may require all new switches and a switch controller but the benefits from a security perspective may outweigh the issues related to implementation and setup.

Finding the right balance between security and necessary and acceptable risk is different for every business. Navigating that fine line has never been more critical or challenging as attacks on industrial networks increase in number and sophistication. The approaches and considerations listed here can be a guide, a way to find gaps, a conversation starter, and more. There will always be a conflict between these two priorities, the organizations that manage this well will never stop evaluating and innovating their cybersecurity solutions.

Alan Raveling is OT architect at Interstates and a 2021 Engineering Leader Under 40, recognized in the Control Engineering September 2021 issue. Interstates is a Control Engineering content partner.

CONSIDER THIS
What have you done to improve your cybersecurity posture?

View the original article and related content on Control Engineering