Protecting networks and facilities against a fast-changing threat landscape

Manufacturing and industrial facilities are operating in ways they scarcely could have imagined a few decades ago.

Greater connectivity and information sharing — enabled by technologies such as smart devices, inspired by concepts like the Internet of Things, and brought to life in The Connected Enterprise — are significantly transforming companies and their operations. They’re converging information technology (IT) and operations technology (OT) systems and using new technologies such as mobile, analytics, cloud and virtualisation to do more than ever before.

However, just as the nature of manufacturing and industrial operations has changed, so have the security risks. More connected operations can create more potential entrance points for industrial security threats.

These threats can come in many forms — physical or digital, internal or external, malicious or unintentional. Industrial security must address a wide range of concerns, including:

• Safeguarding intellectual property and other valuable information.
• Protecting operations from intrusions that could impact productivity, product quality, worker safety or the environment.
• Maintaining critical systems that populations depend on, such as wastewater treatment systems.
• Achieving network availability and avoiding network-related downtime.
• Enabling, but also properly controlling, remote access to industrial operations.

A holistic approach

The growing adoption of smart manufacturing and connected operations combined with today’s highly robust threat landscape requires a renewed commitment to industrial security. First, don’t succumb to paralysis from over analysis. It can be overwhelming to think of all the possible threats. Instead, focus on the probable threats. This can help you more quickly and easily begin implementing strong security practices.

Also, avoid approaches that limit security:

• No single security product, technology or methodology is sufficient for today’s abundance of threats.
• A security-through-obscurity approach lacks meaningful measures.
• Proprietary networks rely on a single vendor and fall short when they don’t take advantage of the plethora of other IT tools, security features and innovations available from the marketplace.

Industrial security must be holistic. It should extend from the enterprise through the plant level and even out to end devices, and address risks across your people, processes and technologies. It also should involve collaboration between IT and OT personnel. Both sides have vital roles to play in establishing a secure network architecture.

Three key considerations for undertaking a holistic approach include:

1. Security assessment: Understand your risk areas and potential threats.
2. Defense-in-depth security: Deploy a multi-layered security approach that establishes multiple fronts of defense.
3. Trusted vendors: Verify that your automation vendors follow core security principles when designing their products.

Security assessment

Developing and implementing an effective industrial security program requires that you first understand the risks and areas of vulnerability that exist within your organisation.

A security assessment will help you understand your current security posture regarding your software, networks, control system, policies and procedures, and even employee behaviors. It should be the starting point for any security policy.

A security assessment’s deliverables should include at a minimum:

• An inventory of authorised and unauthorised devices and software.
• Detailed observation and documentation of system performance.
• Identification of tolerance thresholds and risk/vulnerability indications.
• Prioritisation of each vulnerability, based on impact and exploitation potential.

The final outcome of any security assessment should include the mitigation techniques required to bring an operation to an acceptable risk state.

Defense-in-depth security

Industrial security is best implemented as a complete system across your operations. Defense-in-depth (DiD) security supports this approach. Based on the notion that any one point of protection can and likely will be defeated, DiD security establishes multiple layers of protection through a combination of physical, electronic and procedural safeguards. Just like a bank uses multiple security measures — such as video cameras, a security guard and a vault — this helps make sure threats encounter more than one line of defense.

A defense-in-depth security approach consists of six main components:

1. Policies and Procedures
2. Physical
3. Network
4. Computer
5. Application
6. Device

Trusted vendors

Your automation vendors are just as integral to helping you meet your security goals as they are your production, quality and safety goals. Before selecting vendors, request they disclose their security policies and practices.

Consider if they follow five core security principles — defined by Rockwell Automation — for designing products used in a control system:

• Secure network infrastructure

Vendors can help keep information in the automation layer secure and confidential. For example, embedded technology can validate and authenticate devices before they are granted access to a network.

• Authentication and policy management

Company policies dictate data access levels for employees. Automation products can support these policies using access control lists to manage user access to devices and applications.

• Content protection

Intellectual property is the lifeblood of your operations. Your automation solutions can help protect it by assigning passwords to routines and addon instructions, and by using digital rights management to limit users’ ability to view and edit device data.

• Tamper detection

Built-in tamper detection can detect any unauthorised system activity and alert the right personnel. It also can log key details, such as where the attempted intrusion took place, how it occurred and if anything was modified.

• Robustness

A robust vendor security approach includes providing security training to employees; using design-for-security development practices; testing products to global security standards; conducting final security reviews before products are released; verifying processes stay current with standards and technologies; and having a plan in place to address vulnerabilities.

Summary

The vastness of today’s security threats combined with not knowing how, when or where an attack will occur can be daunting. The approaches outlined here will put you in line with best industry practices for securing your intellectual property, while also helping you protect your facilities, assets, employees and competitive advantages.

For more information, click here.

Image credit: ©stock.adobe.com/ipopba