The convergence of IT and OT has allowed for many advances in the world of industrial automation. For instance, the ability to control multiple disciplines (motion, safety, I/O) over one robust network (EtherNet/IP) is now standard for most manufacturing companies. This convergence has also brought the long-established knowledge and best practices of the IT world to the automation space. Companies like Cisco can apply their resiliency and security practices to industrial applications and thereby improve efficiency and decrease downtime. However, a common issue shared by both the IT and OT disciplines lies in network security.
The Automation Engineer is often tasked with keeping the plant running and reducing downtime. So, legacy protocols have often been left open to allow devices of different generations to coexist, as well as for ease of connectivity. This school of thought has prevailed for quite some time, and even after EtherNet/IP became the de facto standard on the plant floor, this philosophy remained—leaving many manufacturing facilities insecure.
In a way, network security can be a lot like safety: too much security and your production may take a hit; too little and you leave yourself exposed to cyber-attacks. There needs to be a balance between maintaining high overall equipment effectiveness (OEE) and low mean time to repair (MTTR) on the one hand and network protection on the other.
The Converged Plantwide Ethernet (CPwE) Design and Implementation Guide recommends a defense-in-depth approach, meaning there is no single policy, piece of software, or firewall that will completely protect you. To achieve a secure yet flexible industrial network, you must use a combination of the six security areas described below.
You need a plan of action regarding human interaction with devices on an industrial network, as well as ongoing risk management. Policies and procedures can sometimes be a quick fix for another area that is lacking security, but they are only as good as the actions and technology that enforce them.
You must document and implement operational and procedural controls to manage access to particular areas (control panels, data rooms, the control room, etc.), and lock out unused ports on switches, both physically using Panduit blocking devices and by disabling them in software.
Use a combination of hardware and software designed to block communication paths and services that are not authorized. Think firewalls, UTM devices (such as the Stratix 5950), and the integrated protection features of switches and routers. Tripwire is network security software that can assist with your network security needs.
Computer hardening includes patch management, anti-virus software, and eliminating insecure communications protocols (serial, DH+).
Use change management, authorization, and authentication software to track changes and user access. FactoryTalk® Security and FactoryTalk AssetCentre are useful tools when addressing application security.
Device hardening involves restricting physical access to authorized personnel only, disabling remote programming, restricting access to routines, and encrypting communications. The new license-based source protection of CompactLogix™ and ControlLogix® controllers, as well as FactoryTalk Security, can assist in hardening your devices.
There are many ways to secure your network. While there is no perfect solution, a defense-in-depth approach is a reliable way to achieve both flexibility and security for your industrial network. Whether you have questions or would like an assessment of your network security, you can connect with one of our Automation Specialists for in-depth knowledge and expert advice. Contact us today.