Four cybersecurity technologies, concepts can reduce industrial network risk

Explore the qualities and benefits of zero trust, principle of least privilege and other methods of improving cybersecurity. Four key technologies and security concepts are highlighted.

By Kevin McClusky August 2, 2022
Courtesy: Inductive Automation

Learning Objectives

  • Operational technology (OT) systems are more vulnerable to cybersecurity attacks.
  • A zero-trust approach is very demanding, particularly for brownfield applications, but it is also the most secure.
  • Active and passive network monitoring, principle of least privilege and SIEM integration also can help keep OT networks secure.

Cybersecurity Insights

  • Companies need to ask how they can adapt to the cybersecurity landscapes and provide support without slowing down the company’s initiatives.
  • More operational technology (OT) networks are connected thanks to the Industrial Internet of Things (IIoT), which creates greater vulnerabilities from a cybersecurity standpoint.
  • The end goal is to reach a zero trust posture, which is considered the best program because it demands the most attention and awareness from everyone in a company. Getting there requires a lot of time and consistency from everyone involved.

Cybersecurity used to be something in the information technology (IT) realm. Those folks with computer science degrees would batten down the hatches, lock down the precious goods and keep intruders out of the IT network. Since the IT network was seen as the only way into the operational technology (OT) network, this was deemed sufficient for a lot of companies.

Latent threats still existed at the edges of the OT network. Malware arriving from an engineer's machine, physical access such as someone plugging in a USB key or connecting a device to the network, or occasional wireless access could let a bad actor in. While these incidents were serious, they were rare, and for many companies that level of risk was acceptable.

New OT network architectures: 4 technologies, concepts

In recent years, OT networks are more connected than ever. Some organizations are running a flat network topology (“Kansas” networks), while others are adding Internet of Things or Industrial Internet of Things (IoT/IIoT) devices and systems that communicate with the cloud. These newer OT setups have caused significant changes by bypassing network layering or Purdue models.

Companies need to ask how they can adapt to these changing landscapes and support these networks without slowing down the company’s digital transformation initiatives. They also need to ask how they can achieve desired business outcomes while remaining vigilant on the cybersecurity front.

Using the right technologies can reduce risk. There are four key technologies and security concepts companies and users should be familiar with today.

  1. Zero trust
  2. Principle of least privilege
  3. Passive and active network monitoring
  4. Security information and event management (SIEM) integration.

1. Zero trust.

One of the most important security philosophies to have emerged in the last decade, this is seen by many as the new gold standard of the security space. It’s been adopted by industrial companies and military networks around the world. The idea of zero trust is assuming an attacker could already be on the network, undetected. Because of this, companies should have no trust in any communication coming into devices, servers and software.

This philosophy sounds like a dilemma: if you don't trust communication, how can you communicate at all? In a zero-trust network, every system must prove its identity as the first step of any communication. Proving identity is typically done through mechanisms such as encrypted communication using recognized standards, username and password authentication, and sometimes additional credentials in the form of client certificates or keys. The key part of this arrangement is that the burden is on the system to prove who it is. Simply being on the local network cannot be used as the basis for a security decision, because any bad actor could also be on the local network.

Zero trust is hard to implement for brownfield industrial networks. Many programmable logic controllers (PLCs) and remote terminal units (RTUs) have communication written in a way that leaves all their windows and doors open. If you talk to a controls engineer, it quickly becomes obvious which PLCs are insecure by design. If users can connect to a PLC or RTU from a supervisory control and data acquisition (SCADA) system with a native protocol, using just its IP address, chances are it's insecure. It's reasonable to assume many PLCs and RTUs are insecure by design, including most being produced today.

If companies are securing these networks and want to employ a zero-trust philosophy, there are two options. One is replacing the existing PLCs. The other is eliminating their insecure communication, normally by isolating them behind devices that can be secured. Many folks are using simple industrial PCs running edge software to keep these systems off the main controls network and to provide data and communication from them using secured protocols like MQTT Sparkplug and OPC UA.

This is much easier for greenfield networks. Some modern, security-focused PLCs are locked down by default and support zero-trust strategies. Protocols such as MQTT Sparkplug and OPC UA, and software such as Ignition, have strong built-in authentication and security. Using modern devices, protocols and software, and following best practices when configuring their security settings, makes it straightforward to truly achieve a zero-trust architecture.

FIGURE 1: With a zero-trust approach, everything on the network must prove its identity. Courtesy: Inductive Automation

2. Principle of least privilege.

This principle is simple in concept. The idea is a user’s account should only have access to the things the user needs to do. Many organizations have engineering teams who have admin access to all the systems. If a company is following this principle, then that won’t be the case. A junior engineer will only have access to a limited number of systems and a limited set of functionality. Managing this takes more work, but it also reduces risk if a user’s account is compromised or a disgruntled employee decides to take actions that might harm the business.

3. Passive and active network monitoring.

Many IT teams have monitoring tools for the IT network. It can be a good idea to employ these on OT networks as well. An intrusion detection system (IDS) provides passive monitoring, which means it watches network traffic without adding anything to the network itself. These systems are often backed by artificial intelligence and machine learning (AI/ML) to identify patterns and attempt to locate anomalies.

Sometimes an IDS also employs active network monitoring, which sends communication on the network and attempts to talk to devices as part of its monitoring. Active monitoring systems are sometimes pointed at PLCs or other devices to monitor when they change or what the contents of those changes look like.

If a zero-trust system is in place and working well, it’s likely a bad actor won’t be able to do anything once they’re on the network. However, these monitoring systems are intended to help IT identify those bad actors and kick them off the network to keep them from trying to find a vulnerable system. Some of the active monitoring can also identify unexpected changes and flag those, as well.
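As an added illustration (not part of the original article or of any Inductive Automation product), the following Python sketch shows the two monitoring styles described above on constructed data: a passive check that flags native-protocol traffic to PLCs from anything other than the edge gateway meant to front them, and an active check that polls PLC program snapshots and flags a changed program. The addresses, the port-to-protocol mapping, the baseline and the snapshot bytes are all assumptions; alerts are emitted as JSON lines so a SIEM collector could ingest them.

```python
import hashlib
import json

# Well-known ports for the "native protocol, just an IP address" PLC access the
# article calls insecure by design: Modbus/TCP (502) and EtherNet/IP (44818).
NATIVE_PLC_PORTS = {502: "modbus-tcp", 44818: "ethernet-ip"}

# Constructed baseline (hypothetical addresses): only the edge gateway that
# fronts the PLCs may speak a native protocol to them. Everyone else talks to
# the gateway over MQTT/TLS or OPC UA instead.
BASELINE = {
    ("10.0.1.10", "10.0.1.50", 502),
    ("10.0.1.10", "10.0.1.51", 502),
}

# Constructed flow records (src, dst, dst_port) as a span-port IDS would see them.
FLOWS = [
    ("10.0.1.10", "10.0.1.50", 502),    # gateway -> PLC A: expected
    ("10.0.1.20", "10.0.1.10", 8883),   # SCADA -> gateway over MQTT/TLS: fine
    ("10.0.1.77", "10.0.1.51", 502),    # unknown host straight to PLC B
    ("10.0.1.20", "10.0.1.50", 44818),  # SCADA bypassing the gateway
]

def passive_check(flows, baseline=BASELINE):
    """Passive monitoring: flag native-protocol PLC flows not in the baseline."""
    return [
        {"event": "unexpected_plc_access", "src": s, "dst": d,
         "protocol": NATIVE_PLC_PORTS[p]}
        for s, d, p in flows
        if p in NATIVE_PLC_PORTS and (s, d, p) not in baseline
    ]

def active_check(snapshots, last_seen):
    """Active monitoring: hash freshly polled PLC program snapshots, compare
    with the last known hash per device and flag changes. Updates last_seen."""
    alerts = []
    for plc, blob in snapshots.items():
        digest = hashlib.sha256(blob).hexdigest()
        prev = last_seen.get(plc)
        if prev is not None and prev != digest:
            alerts.append({"event": "plc_program_changed", "plc": plc,
                           "old": prev[:12], "new": digest[:12]})
        last_seen[plc] = digest
    return alerts

def to_siem(alerts):
    """One JSON object per line, a shape most SIEM log collectors accept."""
    return "\n".join(json.dumps(a, sort_keys=True) for a in alerts)

if __name__ == "__main__":
    print(to_siem(passive_check(FLOWS)))
    seen = {}  # constructed polls: the second poll shows PLC B's logic changed
    active_check({"plc-a": b"LD X0\nOUT Y0", "plc-b": b"LD X1\nOUT Y1"}, seen)
    print(to_siem(active_check({"plc-a": b"LD X0\nOUT Y0", "plc-b": b"LD X1\nOUT Y9"}, seen)))
```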

FIGURE 2: Security needs have changed in recent years. Technologies and techniques have changed with them. Courtesy: Inductive Automation

4. SIEM integration.

Most companies’ IT departments use a security information and event management system. It’s easy to overlook these tools on the OT network, but they can be valuable for several reasons. As a log analysis system, they can help identify hot spots and trace back problems that happen. These systems are focused on security, but they also are sometimes useful for general troubleshooting and IT support for live systems. If a company has a SIEM, and the OT systems aren’t sending a secure feed, it would probably be worth exploring adding the SCADA or other OT systems as contributors to the SIEM.

Security is a complex topic, and moving toward zero trust and better security in general is needed for manufacturers today. The more familiar companies and users are with the concepts highlighted here, the better decisions we can all make together. Most companies have a long way to go, but better security is a marathon, not a sprint. In the end, better security on the industrial side helps everyone.

Kevin McClusky is co-director of sales engineering at Inductive Automation, a CFE Media and Technology content partner. Edited by Chris Vavra, web content manager, Control Engineering, CFE Media and Technology, cvavra@cfemedia.com.

MORE ANSWERS

Keywords: cybersecurity, zero-trust approach

CONSIDER THIS

Which of these cybersecurity methods have you implemented in your plant, and what were the results?

Author Bio: Kevin McClusky is co-director of sales engineering at Inductive Automation. Kevin is an expert in the field of industrial automation software integration. His work includes oversight, creation and support of numerous HMI, SCADA, and MES projects.