Build Security Boundary to Enhance Industrial Cybersecurity
The rise of interconnected OT and IT systems is often attributed to how business models have evolved to enhance operational efficiency. For example, SCADA networks deployed along oil pipelines now collect oil output data that is essential to billing and pricing systems. This increase in data collection allows companies to predict not only oil production and output but also expected revenue with higher accuracy. However, interconnected systems do not only bring benefits: they significantly increase the likelihood of introducing cybersecurity threats to OT systems. This is why newspaper headlines and articles often describe how a compromise of IT systems can have a hugely negative impact on OT systems. Compounding this complex issue further, ransomware attacks are increasing in severity, according to the General Manager of IDC Taiwan, as she explains in the educational video Security Talks Episode 3. This type of malware exploits Windows vulnerabilities and attacks insufficiently protected systems.
With more and more similar cybersecurity incidents occurring in OT systems, business owners and regulators are keen to seek solutions that enhance industrial cybersecurity and allow businesses to keep functioning normally. In this article, we will introduce the defense-in-depth concept that allows businesses to leverage their existing network infrastructure and investment to build the first line of their network defense. Later in the article, we will discuss the benefits and advantages of how industrial intrusion prevention systems can further protect OT systems.
Security Boundary
What Is the Security Boundary Concept?
When enhancing cybersecurity, it is important to understand how your industrial systems exchange data with other systems and how they connect to IT-level systems. In the ideal scenario, whenever traffic crosses from one system to another, a boundary between the two systems checks that the traffic has good cyberhygiene, even when it is authenticated and authorized. However, it is challenging, and often unrealistic, to build boundaries between every system, as this involves significant expenditure and often has a detrimental effect on the efficiency of network communications. For these reasons it is highly recommended to divide OT systems into digital cells and zones and build boundaries around them, finding the right balance between expenditure and an acceptable level of risk.
The defense-in-depth approach, which is recommended by the IEC 62443 cybersecurity standard committee, is widely used across industries and has a good track record of helping build up multiple layers of protection to fulfill operational requirements. In the picture below, the critical assets and operations are considered the most important. As they perform vital roles for businesses, it is wise to take additional security precautions, such as adding more layers of protection, to secure them further. To learn more about the different layers of cybersecurity, download the infographic Cybersecurity 101.
How to Build Security Boundaries
Network Segmentation
• Physical layer segmentation
This is known as air gapping, when two networks are physically isolated. When the operations and security of one system needs to be independently maintained, an air gap is a potential solution. However, as mentioned earlier, it is increasingly difficult to arrange networks this way due to business and operational requirements.
• Data link/network (Layer 2/Layer 3) segmentation
As industrial control systems may have been built decades ago, one of the key challenges for network administrators, and also an essential requirement, is to leverage existing infrastructure while ensuring industrial control systems remain secure. One frequently deployed approach is to segregate traffic between different network segments using a VLAN (Virtual LAN), which is one of the functions of managed Ethernet switches. Some Ethernet switches feature Access Control Lists (ACLs) at the port level, which can help improve VLAN security by filtering data as it enters the switch. An alternative is to deploy firewalls to protect industrial applications and data, especially when you need to deal with traffic on Layer 2 and Layer 3 networks.
• Layer 4-7 network segmentation
Further segmentation can be applied through Deep Packet Inspection (DPI). DPI offers granular control over network traffic and helps you filter industrial protocols based on the requirements of the application. When multiple devices share the same network, they can theoretically all communicate with each other. In certain scenarios, however, Controller A should only communicate with Robotic Arm A, perhaps only at a specific time; here DPI technology helps engineers define which controllers may issue read or write commands, and even the direction in which traffic is allowed to flow.
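The Layer 2/3 and Layer 4-7 boundaries described above combine into one decision per packet: first, is there a permitted conduit between the source and destination zones at all, and second, does the industrial-protocol payload do only what that conduit allows? The following Python filter is an added example, not code from this article or from Moxa; it assumes Modbus/TCP on port 502 as the industrial protocol, and the addresses, VLAN ranges and the "Controller A may only read from Robotic Arm A" policy are constructed for illustration. It parses the MBAP header, rejects malformed frames, enforces direction (only the listed source may initiate) and distinguishes read-only from read/write conduits.

```python
"""Layer 4-7 conduit allow-list for Modbus/TCP (added example; addresses,
policy and the choice of Modbus/TCP are assumptions, not from the article)."""
from dataclasses import dataclass
import ipaddress
import struct

# Standard public Modbus function codes, split by whether they modify the device.
READ_FUNCTIONS = {1, 2, 3, 4}                # coils, discrete inputs, holding/input registers
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}     # single/multiple writes, mask write, read/write


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network   # initiator(s) allowed to open the conduit
    dst: ipaddress.IPv4Network   # device(s) they may reach
    allow_write: bool            # False = read-only conduit


# Constructed policy: Controller A (10.1.10.5) may only read from Robotic Arm A
# (10.1.20.7); the engineering VLAN (10.1.30.0/24) may read and write to the cell.
POLICY = [
    Rule(ipaddress.ip_network("10.1.10.5/32"), ipaddress.ip_network("10.1.20.7/32"), allow_write=False),
    Rule(ipaddress.ip_network("10.1.30.0/24"), ipaddress.ip_network("10.1.20.0/24"), allow_write=True),
]


def build_request(function_code: int, unit_id: int, data: bytes, tid: int = 1) -> bytes:
    """Build a Modbus/TCP request: MBAP header (tid, proto=0, length, unit) + PDU.
    Used here only to construct sample frames for the demonstration."""
    pdu = bytes([function_code]) + data
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


def parse_modbus_tcp(payload: bytes):
    """Return (unit_id, function_code) or raise ValueError for a malformed frame."""
    if len(payload) < 8:
        raise ValueError("short frame")
    _tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    # The length field counts everything after itself: unit id + PDU.
    if length != len(payload) - 6:
        raise ValueError("MBAP length does not match frame size")
    return unit, payload[7]


def decide(src_ip: str, dst_ip: str, dst_port: int, payload: bytes) -> str:
    """Return 'ALLOW' or 'DROP:<reason>' for one request segment from src to dst.
    Default is deny: no conduit, unknown function code or malformed frame all drop."""
    if dst_port != 502:
        return "DROP:not-modbus-port"
    try:
        _unit, fc = parse_modbus_tcp(payload)
    except ValueError as err:
        return f"DROP:malformed({err})"
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in POLICY:
        # Rules are directional: only rule.src may initiate towards rule.dst.
        if src in rule.src and dst in rule.dst:
            if fc in READ_FUNCTIONS:
                return "ALLOW"
            if fc in WRITE_FUNCTIONS and rule.allow_write:
                return "ALLOW"
            return f"DROP:function-{fc}-not-permitted"
    return "DROP:no-conduit"


if __name__ == "__main__":
    read_10_regs = build_request(3, 1, b"\x00\x00\x00\x0a")   # read holding registers 0..9
    write_reg = build_request(6, 1, b"\x00\x00\x00\x01")       # write single register 0 := 1
    print(decide("10.1.10.5", "10.1.20.7", 502, read_10_regs))  # controller reads arm: ALLOW
    print(decide("10.1.10.5", "10.1.20.7", 502, write_reg))     # controller writes arm: DROP
    print(decide("10.1.20.7", "10.1.10.5", 502, read_10_regs))  # arm initiates to controller: DROP
```

The structural point is that the conduit check and the function-code check are both needed: a VLAN or ACL alone would let Controller A write to the arm, while DPI alone would let any host that can reach port 502 read from it.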
Micro-segmentation
In some situations, additional protection for critical assets is necessary, and a good way to achieve this is to use an intrusion prevention system (IPS) to micro-segment the network. What makes micro-segmentation particularly helpful for industrial networks is that it can segregate the network into even smaller sub-networks. A further benefit of this approach is that the virtual patch function of an IPS can help mitigate the risk of known vulnerabilities. For example, some systems might still be operating on Windows XP, for which Microsoft no longer provides security updates. In this scenario, even though the vulnerabilities are known, it may not be feasible to apply security updates to the host itself. Watch the video to see how IPS virtual patching works.
Secure Remote Access
According to cybersecurity experts, remote desktop protocols are sometimes exploited to spread malware or conduct unauthorized activity. As remote connections have become more and more prevalent due to the necessity of increasing operational efficiency and the need to perform troubleshooting quickly, it is unsurprising that building security boundaries between two field sites is being talked about more frequently. Instead of using software to build the remote connections, which can easily lead to vulnerabilities in the long term, it is highly recommended to build VPN tunnels and ensure that access control mechanisms are maintained properly.
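One way to check that the boundary described above is actually holding is to look for remote-desktop style sessions into the plant network that did not arrive through the VPN concentrator. The following Python script is an added example, not code from this article or from Moxa; the firewall log format, the plant address range, the VPN address pool and the log lines themselves are constructed for illustration. It flags allowed RDP, VNC or SSH connections whose source is outside the plant and not in the VPN pool, and ignores lines it cannot parse rather than guessing at them.

```python
"""Flag remote-access sessions to OT hosts that bypassed the VPN (added example;
log format, address ranges and sample lines are constructed assumptions)."""
import ipaddress
import re

OT_ZONE = ipaddress.ip_network("10.1.0.0/16")       # assumed plant network
VPN_POOL = ipaddress.ip_network("10.250.0.0/24")    # assumed addresses issued by the VPN gateway
REMOTE_ACCESS_PORTS = {3389: "rdp", 5900: "vnc", 22: "ssh"}

# Constructed syslog-like connection records; not output from any real device.
SAMPLE_LOG = """\
2024-03-01T08:00:01 fw1 action=allow proto=tcp src=10.250.0.14 dst=10.1.20.7 dport=3389
2024-03-01T08:02:11 fw1 action=allow proto=tcp src=192.168.5.33 dst=10.1.20.7 dport=3389
2024-03-01T08:03:40 fw1 action=allow proto=tcp src=10.1.30.12 dst=10.1.20.8 dport=502
2024-03-01T08:05:02 fw1 action=allow proto=tcp src=172.16.9.2 dst=10.1.10.5 dport=5900
2024-03-01T08:06:59 fw1 action=deny proto=tcp src=203.0.113.9 dst=10.1.10.5 dport=3389
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ action=(?P<action>\w+) proto=\w+ "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def find_unbrokered_sessions(log_text: str) -> list:
    """Return one finding per allowed remote-access session into OT_ZONE
    whose source is neither inside the plant nor in the VPN pool."""
    findings = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue                      # unknown format: skip, do not guess
        if match["action"] != "allow":
            continue                      # denied attempts never reached the host
        dport = int(match["dport"])
        if dport not in REMOTE_ACCESS_PORTS:
            continue                      # not a remote-access service
        src = ipaddress.ip_address(match["src"])
        dst = ipaddress.ip_address(match["dst"])
        if dst in OT_ZONE and src not in OT_ZONE and src not in VPN_POOL:
            findings.append({
                "time": match["ts"],
                "src": str(src),
                "dst": str(dst),
                "service": REMOTE_ACCESS_PORTS[dport],
            })
    return findings


if __name__ == "__main__":
    for finding in find_unbrokered_sessions(SAMPLE_LOG):
        print(f"{finding['time']} {finding['service']} {finding['src']} -> {finding['dst']} bypassed VPN")
```

Every hit is a conduit the boundary design did not intend; the fix is on the firewall or switch ACL that let the session through, not in the script.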
Typical Scenarios
Manufacturing
Interconnected factory networks need proper network segmentation to reinforce industrial network security. Furthermore, network redundancy is also required to ensure the availability of the industrial control system.
Secure Substation Monitoring
A power grid that covers a vast area needs IEC 61850 certified VPN solutions to monitor the intelligent electronic devices (IEDs) at each remote substation.
As business owners can no longer enjoy the benefits and security of completely air-gapped networks, it is imperative for business owners and engineers to enhance security boundaries through different approaches, including network segmentation, micro-segmentation, and secure remote access. Each of these approaches fulfills different network requirements and helps enhance cybersecurity, not only by forming perimeter protection but also by preventing lateral movement of unauthorized traffic. Our newly launched EDR-G9010 Series, an all-in-one firewall/NAT/VPN/switch/router, enhances cybersecurity while allowing business owners to leverage their existing network infrastructure with some future-proof investments. You can learn more about our secure routers by visiting the microsite.