Bringing together enterprise-level IT and plant-level operations technology into a common infrastructure creates more opportunities to improve operations, but without proper cyber security hygiene may also provide increased opportunities for cyber-attacks against industrial control system equipment.
Such attacks, if successful, can have severe impact on worker, environmental and product safety, intellectual property, reputation and productivity. Attacks on control systems have increased dramatically in recent years. Global cyber-attacks – like WannaCry and Petya – affected thousands of targets and networks around the world.
Leading industrial control system providers constantly test products and review applications to identify and remediate vulnerabilities in products. Disclosing remediated vulnerabilities through patch and version management helps protect against cyber-attacks.
At Rockwell Automation, this is part of an ethical and comprehensive cyber security strategy to help verify customers’ security and safety. While this is not actually new, the increased focus on security in recent years and the more frequent disclosures may seem surprising to some. To others that have worked closely with IT, it will seem natural and expected. To all, it should be welcomed as a clear focus on supporting the safety and security of industrial control systems.
Mitigating Security Threats with Network Segmentation
An open and unsegmented network is a gift to cyber attackers. Once an attacker finds and exploits the most vulnerable point of entry, it can turn into a ‘kid-in-a-candy-shop’ scenario: the attacker may be able to pivot and easily reach a larger part of the network, and potentially anything connected to it – from product designs or recipes, to machine controls, to company finances.
It’s important to note that external threats are not the only danger on an unsegmented network. Internal threats, whether a disgruntled employee or human error such as an incorrect system change, can also wreak havoc when there are no network boundaries or access limitations.
This is why network segmentation should be part of every company’s industrial security strategy. Network segmentation separates your network into multiple smaller networks and allows you to establish zones of trust. This can help limit the access of outside security threats and contain any damage they cause. It can also help give employees and business partners access to only the data, assets or applications they need.
Virtual LANs (VLANs) are most commonly associated with network segmentation. These are broadcast domains that exist within a switched network. They allow you to segment your network logically – such as by function, application or organization – instead of physically.
VLANs can secure devices and data in two ways. First, you can block devices in certain VLANs from communicating with devices in other VLANs. Second, you can use a Layer-3 switch or router with security and filtering functionality to help protect the communications of devices that do need to talk to each other across VLANs.
While VLANs are an important part of segmentation, they’re only one solution. You could also use other segmentation methods across different levels of your network architecture.
One example is the use of an industrial demilitarized zone (IDMZ). It creates a barrier between the enterprise and manufacturing or industrial zones. All traffic between the two zones terminates at this barrier while still allowing data to be securely shared.
Other segmentation methods to consider include access control lists (ACLs), firewalls, virtual private networks (VPNs), one-way traffic restrictors and intrusion prevention and detection services (IPS/IDS).
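The IDMZ property described above (no session crosses directly between the enterprise and industrial zones) is easy to state and easy to break with one careless ACL or firewall rule. The following is an added example, not Rockwell Automation code, of a small audit check that flags permit rules bypassing the IDMZ; the zone address ranges, the `Rule` class and the sample ruleset are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed zone addressing for this example (assumption, not from the article).
ZONES = {
    "enterprise": ip_network("10.0.0.0/16"),
    "idmz":       ip_network("10.100.0.0/24"),
    "industrial": ip_network("192.168.0.0/16"),
}

@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR
    port: str     # "any" or a port number as text

def zones_touched(cidr: str) -> set:
    """Names of every zone whose address space overlaps the CIDR.
    A wildcard such as 0.0.0.0/0 overlaps every zone, so it is caught too."""
    net = ip_network(cidr)
    return {name for name, zone in ZONES.items() if net.overlaps(zone)}

def direct_crossings(rules) -> list:
    """Permit rules that would let traffic flow straight between the
    enterprise and industrial zones, in either direction, bypassing the IDMZ."""
    violations = []
    for r in rules:
        if r.action != "permit":
            continue
        s, d = zones_touched(r.src), zones_touched(r.dst)
        if ("enterprise" in s and "industrial" in d) or \
           ("industrial" in s and "enterprise" in d):
            violations.append(r)
    return violations

# Constructed ruleset: the third rule punches a hole straight through the IDMZ.
SAMPLE_RULES = [
    Rule("permit", "10.0.0.0/16",   "10.100.0.0/24",   "443"),    # enterprise -> IDMZ
    Rule("permit", "10.100.0.0/24", "192.168.0.0/16",  "44818"),  # IDMZ -> industrial
    Rule("permit", "10.0.50.0/24",  "192.168.10.0/24", "any"),    # enterprise -> industrial (bad)
    Rule("deny",   "0.0.0.0/0",     "0.0.0.0/0",       "any"),
]

if __name__ == "__main__":
    for r in direct_crossings(SAMPLE_RULES):
        print("IDMZ bypass:", r)
```

Because the check works on address overlap rather than exact match, a broad `permit any any` rule is reported as well, which is the mistake most likely to appear in a rushed change.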