Industrial Security Trends & Best Practices
By Paul Didier of Cisco
Industrial Automation & Control Systems, Smart Grids, SCADA, Plant-wide Ethernet and smart transportation systems are all driving the Internet of things. More and more machines, controllers, sensors, meters, motors, drives, actuators, I/O, remote cameras, the stuff that makes up production and operations infrastructure is being connected via standard networking technologies. The productivity gains, sustainability improvements, optimized energy consumption and other benefits are dependent on this trend being securely deployed.
Issues and Trends
Stuxnet, son-of-Stuxnet (a.k.a. Duqu) and the Illinois water district attacks have manufacturers, utilities and owners of industrial networks on edge. The key point about these attacks is that they are deliberate, external and damaging. This goes well beyond the very real and damaging impact of unintentional, internal incidents in which a virus or an inadvertent action causes a plant outage. The current malware attacks may not be “widespread”, but they are distributed and sophisticated, leaving many feeling uneasy and concerned about the security of their industrial networks.
There is also no turning back. If there is one lesson from the above, it is that disconnecting or “air-gapping” industrial networks, as used to be done, is not a solution: these attacks found ways around such mechanisms. The need to share and exchange data and to bring in remote expertise will drive most users of industrial networks to integrate in some way, so the best course is to prepare for that integration by developing a security approach for it.
A clear trend is that enterprises with industrial networks are taking action. They are reviewing their security stance by asking:
- What are the policies and standards we currently have?
- How well are they implemented?
- What issues/problems do we have?
- What requirements apply to our industry?
- Where do we need to be from a security perspective?
- How will we change/improve the situation?
Priorities, Policies and Governance
The first consideration in regard to security for production environments is to recognize the financial considerations and priorities in terms of key objectives. Typically, downtime for production facilities is counted in hundreds of thousands to millions of dollars per hour. It is driven by lost production, unused capital assets, personnel costs, energy costs, the cost to repair and other penalties or issues due to production failures. It can include loss of intellectual property and corruption of critical data. If the event is made public, the cost to a company’s value and reputation drastically increases the impact.
Typically, the security priorities are summarized in 3 terms:
- Availability: The ability to preserve operational continuity. Information, data, services, networks, applications, and resources should be accessible in a timely manner when needed.
- Integrity: The ability to preserve the authenticity of information, data, services and configurations, and to help ensure that no unauthorized client unexpectedly or covertly modifies any of them.
- Confidentiality: The ability to maintain the privacy and confidential nature of potentially private or sensitive information, and to help ensure that only authorized entities have access to it. This applies both to data at rest and data in transit during communication.
In production environments, the typical order of priority is Availability first, Integrity second and Confidentiality last. This is the reverse of the priority in typical IT security, where Confidentiality comes first, Integrity second and Availability last. That makes a big difference in the way security is approached.
Interestingly, even given this significant difference in security priorities between production and IT environments, most enterprises have an IT security policy but nothing specific to production. The key source of guidance, rules and policy on security lacks a perspective on the most critical part of many enterprises: their production facilities, SCADA networks and other industrial networks. The result is that most enterprises have widely different levels of security across production facilities, with a variety of solutions inconsistently implemented and maintained. This also puts them in situations that make it difficult to take full advantage of a standard industrial network’s value. Who is going to allow enterprise-level remote access to appropriate employees or partners if you cannot be sure that their access will be secure?
This is beginning to change, and probably the first, or at least one of the initial, steps an enterprise can take to improve its industrial security situation is to establish a Production Security Policy. This policy should be established and governed by a combination of the existing IT security governance with strong influence from the production organization.
Architectures and Best Practices
As an enterprise begins this process of examining the security stance of its industrial networks and establishing the Production Security Policy for those networks, it often looks for frameworks or architectures to give context to the policies. Additionally, an understanding of best practices is important for guidance as to what is achievable and what may require extra effort to achieve.
For a framework, there are two key models that help structure a production environment. First, the Purdue Model for Control Hierarchy is a common and well-understood model in the manufacturing industry that segments devices and equipment into hierarchical functions. It has been incorporated into many other models and standards in the industry. Based on this segmentation of the plant technology, the International Society of Automation ISA-99 Committee for Manufacturing and Control Systems Security has identified the levels and logical framework that identifies zones to which Security concepts and policies can be applied. These are represented in the figure below.
The key security best practices that apply to the Manufacturing and Cell/Area zone include:
- Manufacturing/Production Security Policy - A policy focused on production facilities that reflects their different operational priorities vs. the enterprise network is the foundation for best-practice organizations. A multi-discipline team of operations, engineering, IT and safety should develop this production security policy. The policy should cover topics such as the DMZ, segmentation, access (remote and local), physical security, update frequency and operational responsibilities.
- Demilitarized Zone (DMZ) - This buffer zone provides a barrier between the Manufacturing and Enterprise zones, while allowing users to securely share data and services. All network traffic from either side of the DMZ terminates in the DMZ. No traffic traverses the DMZ, which means that traffic does not directly travel between the Enterprise and Manufacturing zones. For the DMZ to be most effective, it needs to be the only point of access into and out of the Manufacturing zone. Remote access via a modem located behind the firewall is essentially an unmanaged back door that may represent a threat.
- Defending the manufacturing edge - Users should deploy stateful packet inspection (SPI) firewalls (barriers) with intrusion detection/prevention systems (IDS/IPS) around and within the IACS network.
- Authentication, Authorization and Auditing (AAA) - A process should be established so that production users (remote and local) are authenticated and new devices on the network are approved. Production users should be authorized (and validated) to access applications and devices in the production zone, and that access and authorization should be tracked and auditable if issues arise. In many production environments, log-ins and authorization are not in place, and putting them in place will mean significant work and changes to production processes. A host of authorization technologies may ease the challenge (e.g. appropriate biometric technologies), but they require research and testing.
- Protecting the Interior - Users should implement access control lists (ACLs) and port security on network infrastructure devices such as switches and routers. As well, key Automation and Control applications should have authorization and role-based security, and preferably use the AAA services used to manage network access as well.
- Identity Services - Enterprises use 802.1X, the IEEE standard for media-level access control. 802.1X can permit or deny network connectivity, control VLAN access and apply traffic policy based on user or machine identity. This includes the ability to verify that the devices (usually computers) accessing the network have appropriate versions of applications, up-to-date virus protection and other prescribed characteristics. This is a valuable capability for production environments.
These identity technologies are advancing to the point where they can also identify and validate that non-user devices, such as a sensor, drive or controller, are connecting at the right location, are communicating like an Automation and Control device and are maintaining expected behaviours, e.g. requesting an IP address via DHCP and NOT acting as a DHCP server. This is not yet a common best practice, but it does offer some advanced security capabilities.
- Endpoint Hardening - This includes applying anti-virus and anti-malware tools on devices with common operating systems (e.g. Windows and Linux) and eliminating unneeded features and functions on those computers. A means to update the anti-virus software is also required, but it should be done in a way that does not interfere with operations, such as during downtime after the updates have been tested.
- Network Hardening - This restricts physical access to the network by preventing “walk up, plug in” access and uses change management to track access and changes. Techniques such as blocking and shutting off unused ports and creating “laptop” ports with appropriate configurations (e.g. separate VLANs) all
- Segmentation and Domains of Trust - Users should segment the network into smaller areas based on function or access requirements. Typically, this is done via the implementation of VLANs and subnets. VLANs act as a basis for a security approach and also limit the impact of issues that may arise in one area of the network.
- Physical Security - This restricts physical access to manufacturing assets and network infrastructure devices. This usually represents a significant difference between IT environments and production – the tighter restrictions on physical presence.
- Security Management, Analysis and Response System - Establishing a process that monitors, identifies, isolates and counters network security threats is common practice in the enterprise and should be mirrored for the production environment.
- Remote Access Policy - For employee and partner remote access, implement policies, procedures and infrastructure. There are technologies available that allow remote engineers and partners secure access to the appropriate applications and devices in the plant. Additionally, local engineers can also securely share their desktop and applications via collaboration tools, such as WebEx or MeetingPlace.
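The DMZ rule above ("all traffic terminates in the DMZ; nothing traverses it") can be turned into a mechanical check over observed flows. The following is an added example, not Cisco's or the author's code; the address plan, the zone names, the allowed-pair table and the sample flows (including the "modem back door" address) are all constructed for illustration.

```python
"""DMZ zone-policy check for the Enterprise / DMZ / Manufacturing model above.
Added illustration (not Cisco's or the author's code); the address plan,
allowed pairs and sample flows are constructed."""
import ipaddress
from dataclasses import dataclass

ENTERPRISE, DMZ, MANUFACTURING = "enterprise", "dmz", "manufacturing"
ZONES = {  # constructed address plan: one prefix per zone
    ipaddress.ip_network("10.1.0.0/16"): ENTERPRISE,
    ipaddress.ip_network("10.2.0.0/24"): DMZ,
    ipaddress.ip_network("10.3.0.0/16"): MANUFACTURING,
}
# Every permitted cross-zone flow has exactly one end in the DMZ: the DMZ is
# the only way in or out of the Manufacturing zone and nothing crosses it.
ALLOWED_PAIRS = {(ENTERPRISE, DMZ), (DMZ, ENTERPRISE),
                 (MANUFACTURING, DMZ), (DMZ, MANUFACTURING)}

@dataclass(frozen=True)
class Flow:
    src: str    # source IP
    dst: str    # destination IP
    proto: str  # label only, e.g. "tcp/443"

def zone_of(addr: str) -> str:
    """Return the zone an address belongs to, or 'unknown'."""
    ip = ipaddress.ip_address(addr)
    for net, zone in ZONES.items():
        if ip in net:
            return zone
    return "unknown"

def check_flows(flows):
    """Return (flow, reason) pairs for flows the DMZ policy does not permit."""
    violations = []
    for f in flows:
        s, d = zone_of(f.src), zone_of(f.dst)
        if "unknown" in (s, d):
            violations.append((f, "endpoint outside the address plan"))
        elif s != d and (s, d) not in ALLOWED_PAIRS:
            violations.append((f, f"direct {s} -> {d} traffic bypasses the DMZ"))
    return violations

SAMPLE_FLOWS = [  # constructed
    Flow("10.1.5.20", "10.2.0.10", "tcp/443"),   # enterprise -> DMZ: allowed
    Flow("10.2.0.10", "10.3.1.7", "tcp/44818"),  # DMZ -> manufacturing: allowed
    Flow("10.3.1.7", "10.3.1.8", "udp/2222"),    # within one zone: allowed
    Flow("10.1.5.20", "10.3.1.7", "tcp/3389"),   # enterprise straight to a PLC
    Flow("192.168.9.9", "10.3.1.7", "tcp/23"),   # e.g. the modem back door
]
```

Run `check_flows(SAMPLE_FLOWS)` against a flow export from the plant firewalls to list every path that should not exist under the policy; an endpoint outside the address plan is reported too, because the DMZ is only effective if it is the sole point of entry.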
This may seem like a long list, but for those developing or enhancing a Production Security Policy it is a good list of the best practices to consider. It represents a “defense-in-depth” approach, in which any attack or breach faces a number of obstacles and there are means in place to identify and eliminate the threats that arise. The value of standard networks for production environments is enormous, and so too are the risks. A planned defense using best practices will be more secure than the old “security-by-obscurity” models, as highlighted by current events.
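The behavioural baseline mentioned under Identity Services above (a controller should request an address via DHCP, never hand one out, and appear only where it was installed) can be checked from switch-side DHCP logs. The following is an added example, not Cisco's or the author's code; the log format, the MAC addresses, the switch port names and the device inventory are all constructed for illustration.

```python
"""Behaviour check for non-user devices, per the Identity Services item above:
a controller requests an address via DHCP, never hands one out, and shows up
only on its assigned switch port.  Added illustration (not Cisco's or the
author's code); the log format, MACs, ports and inventory are constructed."""
import re

# Constructed inventory: the switch port each device is expected on, and the
# only MAC addresses permitted to answer DHCP requests.
INVENTORY = {
    "00:1d:9c:aa:00:01": "Gi1/0/1",   # PLC, cell 1
    "00:1d:9c:aa:00:02": "Gi1/0/2",   # drive, cell 1
    "00:0c:29:55:10:10": "Gi1/0/24",  # site DHCP server
}
AUTHORISED_DHCP_SERVERS = {"00:0c:29:55:10:10"}
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}  # only servers send these

# Constructed log format: "<time> <switch> mac=<mac> port=<port> msg=<dhcp type>"
LINE_RE = re.compile(r"^(\S+) (\S+) mac=(\S+) port=(\S+) msg=(\S+)$")

def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, switch, mac, port, msg = m.groups()
    return {"ts": ts, "switch": switch, "mac": mac.lower(), "port": port, "msg": msg}

def find_anomalies(lines):
    """Return (time, mac, reason) for every behaviour outside the baseline."""
    findings = []
    for rec in filter(None, map(parse_line, lines)):
        mac, port, msg = rec["mac"], rec["port"], rec["msg"]
        if mac not in INVENTORY:
            findings.append((rec["ts"], mac, f"unknown device on {port}"))
            continue
        if port != INVENTORY[mac]:
            findings.append((rec["ts"], mac, f"seen on {port}, expected {INVENTORY[mac]}"))
        if msg in SERVER_MESSAGES and mac not in AUTHORISED_DHCP_SERVERS:
            findings.append((rec["ts"], mac, f"sent {msg}: acting as a DHCP server"))
    return findings

SAMPLE_LOG = """\
08:00:01 sw-cell1 mac=00:1d:9c:aa:00:01 port=Gi1/0/1 msg=DHCPDISCOVER
08:00:01 sw-cell1 mac=00:0c:29:55:10:10 port=Gi1/0/24 msg=DHCPOFFER
08:00:02 sw-cell1 mac=00:1d:9c:aa:00:02 port=Gi1/0/7 msg=DHCPREQUEST
08:00:02 sw-cell1 mac=00:1d:9c:aa:00:02 port=Gi1/0/7 msg=DHCPOFFER
08:00:03 sw-cell1 mac=08:00:27:de:ad:01 port=Gi1/0/9 msg=DHCPDISCOVER
""".splitlines()
```

On the constructed log, `find_anomalies(SAMPLE_LOG)` reports the drive appearing on the wrong port, the same drive answering DHCP requests, and an unknown device plugged into a spare port; each is a candidate for the isolate-and-counter step of the security management process described above.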