Five Tips From Industry Experts to Help Protect Industrial Networks
It can no longer be denied that cybersecurity is a popular and important topic. It has been noted that cybersecurity is like a puzzle composed of different pieces that we need to understand, and it is not a subject that we should delay giving attention to.
According to a report, 4 out of 10 manufacturers that were surveyed have experienced security incidents, with 86% of these stating that their industrial operations were disrupted. As the OT/IT convergence trend continues to gather pace, there are several attack surfaces emerging in industrial control systems. Although some of these are known vulnerabilities, there are also some that are unknown. Therefore, everyone from management to each individual user needs to join forces to enhance industrial cybersecurity from the edge to the cloud. In this article, we will consider some practical tips recommended by different industry experts to help organizations start their cybersecurity journey.
Tip 1: Deploy Secure-by-design Networking Devices and Set Up Devices Securely
Typically, industrial operations include a variety of legacy devices that are becoming increasingly vulnerable, as field networks are no longer always air gapped. In an ideal world, legacy equipment can be upgraded quickly with advanced solutions that have security features embedded into them. However, budget restraints and the requirement that industrial operations do not experience downtime, frequently leads to a mixture of old and new equipment operating together. When this scenario arises, it’s important to have a security-hardened networking device to enable connectivity for legacy devices. In order to ensure that the devices use a secure-by-design methodology, it is advisable to check that the embedded security functions of any networking devices adhere to security standards such as those detailed in the IEC 62443 standard. After confirming this, devices can be set up securely. For instance, we recommend disabling any unused ports and services to minimize available entry points for intruders.
Tip 2: Divide Networks Into Multiple Segments
Once the network nodes are configured securely, the next step is to segment the networks following a zone and conduit policy. Dividing the connected networks into segments to enhance network security helps avoid the scenario where the entire network experiences downtime due to a single network node being compromised.
However, it’s also important to choose the right solutions to divide industrial networks into segments. ‘Our customers understand it is not sufficient to protect an OT environment by simply placing an IT firewall in front of the OT network. However, this advice is frequently ignored. Even though our customers are aware that an IT firewall does not have the capability to recognize industrial protocols, which allows cyberattacks to take place at the supervisory or process level. It is a very worrying and high-risk decision as it leaves the system open to vulnerabilities and intruders.’ Firewalls that are used as solutions in industrial control systems not only segment networks into separated network zones to achieve vertical protection, but should also include the deep packet inspection engine function to filter unauthorized packets without affecting performance of operations and providing horizontal protection.
Tip 3: Adopt a Secure Communication Solution for Your Critical Data and Assets
The purpose of OT/IT network convergence is to collect data and transform it into valuable information. One good option is to utilize cloud technologies, which are convenient to use and have powerful data analysis capabilities, to simplify network convergence. A topic that has grown in importance recently is ‘How to secure your data access from OT to IT and from field sites to the cloud.’ The OPC UA communication protocol not only features application authentication and user authentication, but also offers a security mechanism that meets the three pillars of security: confidentiality, integrity, and availability (CIA). It offers a reliable communication solution to ensure data integration is easy and secure.
However, when using cloud technologies, remote access poses a significant security concern. Increasingly, machine builders are leveraging cloud platforms to streamline machine maintenance. However, before you are able to reap the benefits, make sure your remote access is secure by using features such as data encryption and a VPN, as this will help keep your critical assets secure.
Now that we have considered how to reduce potential attack surfaces from the edge to the cloud for your connected industrial control systems, we will now focus on the people who operate these industrial systems and devices. Outsourced vendors, system integrators, and even remote service engineers are essential for daily operations, maintenance, and troubleshooting. They also play an important role to implement security policies. Any investment will become futile if these people lack cybersecurity awareness and do not know how to leverage these technologies. To avoid this undesirable scenario, it must be ensured that everyone involved in industrial processes have the same mindset and attitude to cybersecurity and only when this has been achieved will the results become apparent.
Tip 4: Enhance Industrial Cybersecurity Awareness From Management to Individual Levels
According to the security awareness pyramid, cybersecurity can be separated into different awareness stages. Commitment and support from management form the foundations, which is followed by security programs and policies being implemented during the awareness building process. Taking security policies as an example, it is fundamental to define who has Read and Write access based on the security configurations. However, when these policies are rolled out across an entire organization, it becomes a challenge to ensure everyone adheres to them properly. Facility managers often find implementing cybersecurity measures very cumbersome, and subsequently they do not ensure everyone follows the guidelines. Sometimes, they may end up doing things more akin to group level security, instead of ensuring each individual has their own unique log in credentials, and this subsequently opens up new cybersecurity risks.
Tip 5: Examine the Configurations and Settings to Follow the Security Policies
Once awareness has been established and policies have been defined, employees will pay more attention to their system settings. We understand it can be a complex task to examine all the systems at one time. However, it is never too late to get started. Performing a risk assessment will help define security priorities and from this position it is easier to identify and protect critical assets. A good starting point is to examine configurations. If a large-scale network is being examined, it is recommended to leverage visualization software to check the security settings and adjust the configurations where necessary.
Reflection and Moving Forward
- It is highly recommended to start with developing mindsets, formulating security policies, and systematically examining configurations.
- Once the groundwork has been performed, you can then start to look at secure edge connectivity to protect the mixture of new and legacy systems.
- It is important to remember to secure the network backbone that helps deliver the data that is required to achieve OT/IT convergence.
- It is also recommended to install industrial firewalls to consolidate vertical and horizontal protection.
- Last but not least, with the increasing demands on remote connections, a hassle-free secure remote access solution will save you money and effort.
If you wish to learn more, please visit Moxa’s microsite www.moxa.com/Security.