Network security the key to enterprise protection

Business systems and industrial processes are becoming increasingly interdependent. As the convergence of manufacturing and IT relies on networks, these infrastructures are increasingly exposed to new security risks and active cyberthreats. Addressing these risks poses many challenges for business; overcoming them will help the company benefit from the many advantages that networked operations bring without leaving it exposed unnecessarily. Steve Lawlor, Business Manager, Customer Support & Maintenance, Rockwell Automation, discusses the challenges of security management in today’s complex and interconnected environments.

Industries are becoming increasingly reliant on advancing technology and the benefits it provides. The rapid development of long-distance communication technologies has created a global interconnected platform allowing for boundless information sharing that is not limited by proximity. Remote systems in isolated locations are able to rely on control centres in capital cities where diagnostic and operational data is relayed back and forth through a network, eliminating the need to have a large physical presence on site. In the manufacturing environment, facilitating operating uptime, efficiency and safety are crucial to productivity. Cybersecurity is a factor that can impact both these operational goals - remote operation relies on timely data transmission and the efficiency and safety of the manufacturing environment is reliant on networked system integration.

As internet connectivity expands to touch industrial control systems, new variables are introduced to automated systems. Left unchecked, these variables can lead to compromise of the integrity of information and control aspects of the system. Regardless of industry or application, attacks on networks are becoming increasingly more sophisticated and targeted. They often originate as a ‘simple’ email scam or virus that is spread like the common cold from computer to computer.

The advanced design of contemporary malware allows it to be skilfully cloaked from detection. Once a computer asset is successfully infected, what was merely a latent security risk can quickly evolve into a real and insidious threat and all-out attack that expands from one asset to an entire system. Many new cyberthreats first manifest their effects as simple information-gathering activities. As the malware continues to evade security countermeasures, espionage activities may be altered to target specific assets such as intellectual property or confidential information. In the extreme case, elaborate cyberattacks on critical assets may successfully disrupt safe and reliable control system operation. Targeted malware attacks validate previous fears that the frequency and impact of critical infrastructure incidents will increase in the future. As a result, it is essential that companies assess their risk of both physical and cyberattacks and execute measures to help address, and where possible, eliminate known cyber vulnerabilities.

Holistic view of security

Industrial network security is multifaceted; it is essential that all variables that introduce risk be proactively identified, tracked and addressed in order to help facilitate a safe and reliable industrial process. Security is an element that requires strong risk consideration. It too is a variable that can affect the safety of the system, integrity of the operation and productivity; however, unlike traditional activities to address risk, security mitigation actions must work to address a creative and, regrettably, sometimes malicious human element that may specifically seek to circumvent risk controls.

Intellectual property (IP) - patents, trademarks, employee knowledge or trade ‘secrets’ - are often more valuable to an organisation than its physical assets. For this reason, protecting IP is another very important aspect of network security. “A holistic view of security, control system and enterprise has been shown to be the most effective way to protect IP assets,” said Brad Hegrat, Senior Principal Security Consultant, Rockwell Automation. “It is essential because there is no single element that can fulfil the whole range of security needs. Security needs to encompass both technical and non-technical factors to address risk.”

Communication between people in an organisation on an ongoing basis is critical. If employees are informed about information that needs to be protected, they can be more aware of ways to protect it. Implementing a holistic approach to developing an effective security process involves adopting policies, strategies, guidelines and organisational instructions to create a framework for people to interact with a complex system.

Firewalls continue to be used as one of the first lines of defence to segregating company assets and protecting operations against potential security threats external to a particular system or subsystem. The firewall can isolate business, office and industrial networks from one another standing between subnets in various parts of a facility. Furthermore, these same firewalls can separate systems from open access to the internet, or other infrastructure means used to enable remote network access. The use of firewalls is often supplemented with other defence measures, utilising several layers of protection such as access control, antiviral software and intrusion detection.

Wireless security

More industries are connecting to wireless networks to access the benefits that the increased flexibility offers. For example, on a factory floor, wireless, remote, monitoring systems can lead to reduced installation and maintenance costs and an enabling of mobile workers, no longer tethered to a particular machine. In remote operations, such as mines and oil refineries, wireless networks remove the need for personnel to be in close proximity to hazardous environments. Although wireless networks provide substantial benefits for organisations, stability and uptime can be a concern for the application engineer and security remains the number one concern - to avoid unauthorised access to the networked environment.

In the absence of appropriate security measures, a wireless connection is easily accessible to potential threats. It is an air-based media, without the pathway limits of copper wires, that extends in many directions; often well beyond the physical envelope needed by the system. Technological advances continue to evolve, allowing advanced methods of restricting wireless network access to only authorised users. Modern encryption techniques can be used to avoid someone accessing data maliciously, while filtering and strong authentication allow only authorised devices on the network. It is advisable that organisations interested in deploying wireless networks consider a multifaceted approach to security that involves both procedural and physical components.

Asset management and maintenance - the final piece of the security puzzle

While it is well established that organisations such as government departments, defence contractors and financial institutions are likely targets of highly sophisticated, malicious attacks, industry should not be complacent. By far the biggest threat to industrial organisations is the non-direct effects of an unintentional security breach - such as an employee making a parameter change online that has far-reaching effects somewhere else in the plant: potentially creating a safety risk, damaging equipment or resulting in information contamination, exposure or loss. In addition to non-direct threats, critical systems are increasingly prone to the effects of many broadly focused, ill-targeted malware attacks.  Such malware, whether or not intended to affect mission-critical control systems, may still lead to operational disruption with potentially grave consequences.

By conducting an asset-based risk and vulnerability assessment, security procedures can be developed that will address potential risks and threats targeting control systems so that people, assets and key information are protected. Specialist consulting services can often help achieve a more thorough and complete evaluation of security posture. The Network & Security Services group of Rockwell Automation has the expertise to help address industrial security concerns in a balanced way.

Managing the security life cycle

Security throughout the automation life cycle of a control system requires ongoing investment in order to help protect the system from evolving threats. It is essential to proactively plan and implement a control system strategy that accounts for obsolescence and associated risks with ageing products and systems. Important focal areas of life cycle management include training and continuous improvement; monitoring of people, process and components; auditing and maintenance.

The awareness of industrial systems being targeted is likely to increase with more direct attacks being expected in the future. Indirect attacks will always exist; as more awareness comes out from our customers we will be increasingly addressing these needs. More systems will be designed from the ground up to be secure, changing the focus from physical security to auditing the system and continually monitoring compliance and up-to-date technology.

According to Doug Wylie, Program Manager, Security, Rockwell Automation, both industry and business continue to evolve and embrace the benefits of technology, but so too do those who would seek to maliciously damage and threaten an organisation. “By working collaboratively with our customers and the larger security community, we can collectively address risk and help our customers reduce variability in their control systems. Rockwell Automation will continue to make ongoing investments in product development and asset management to help our customers attain their goals in secure industrial control solutions.”  

The scope of a truly expansive industrial security solution not only includes the control system and its constituent products, but also the people, policies and procedures necessary to maintain a specific level of security. As security risks continue to develop and evolve, so too must the approach taken to mitigate these risks - by developing holistic security solutions, variability can be significantly reduced while protecting valuable assets.