How to Strengthen Your Industrial PC

Hardening industrial PCs can be achieved by methods such as fixing known vulnerabilities, positioning systems to deny certain types of attacks, and logging system activities. Image source: Maverick Technologies

Author | Robert Henderson, Maverick Technologies

Computer hardening helps industrial systems resist cybersecurity attacks. Here are six tips to help engineers make better decisions.

As cybersecurity attacks on industrial processes become more common, more companies are taking proactive measures to protect their critical control systems. Internal and external consultants often provide key personnel with lists of requirements and recommendations to improve overall security. Among these lists, there is always a suggestion to “harden” industrial computers.

Hardening is the process of making computers more resistant to network intrusions from malicious attacks and accidental infections. Hardening is accomplished by fixing known vulnerabilities, positioning systems to deny certain types of attacks, and logging system activities.

Industrial computers will never be completely immune to intrusions, but the hardening process provides an additional layer of cybersecurity protection for industrial systems. Here are six different areas of hardening methods worth exploring.

1. Update and Patch Industrial PCs

Every attempt to protect systems from network attacks is imperfect. Every element of hardware and software may contain vulnerabilities. Manufacturers release updates and patches to fix potential and known vulnerabilities. Timely application of these patches and updates is one of the best ways to keep computers resilient against attacks. The longer existing vulnerabilities are not fixed, the greater the likelihood that machines will be attacked.

In the industrial sector, it is often impractical to stop production weekly to patch systems, but it is advisable to establish a patching schedule, perhaps quarterly. It is equally important to recognize that not every patch should be applied immediately. When it comes to original equipment manufacturer (OEM) control software, untested patches can cause industrial software to fail. Most OEMs have their own testing programs to validate operating system patches using their own equipment, and sometimes operating system patches drive corresponding updates to the OEM systems.

2. Prevent File System Mounting on Industrial PCs

Like any computer, an industrial PC can be compromised by infected data when personal devices are plugged in. Even without malicious intent, an operator wanting to show colleagues pictures of their children might insert a USB drive. Engineers needing to transfer data files might also use portable hard drives instead of following proper secure file transfer methods. Methods for assessing whether files are dangerous often become outdated, so it is simpler to block access to new file systems completely. If the operating system refuses to recognize the files, it does not matter whether the device is infected.

3. Prevent New Network Connections on Industrial PCs

Connecting industrial PCs to untrusted networks is not uncommon. Whether it is joining a Wi-Fi hotspot to watch online videos or plugging in an iPhone to charge, any network connection outside the authorized industrial control networks is high risk. Once the designed network connections are established, all other network connections should be avoided.

4. Prevent Untrusted Use Through Application and File Control

What a computer does is determined by the programs that run on it. Only the programs planned for its normal use should be allowed to run. Only authorized users should be permitted to execute the required programs. Unauthorized users must be prevented from executing any program, untrusted or even trusted. Modifications to files on disk should also be limited to authorized processes and users.
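
One way to audit the application and file control described above, as an added example that is not from the original article: it compares the SHA-256 hashes of files under a program directory with an approved baseline and reports unapproved, modified and missing files. The function names and the baseline format (relative path mapped to hash) are assumptions made for this illustration.

```python
import hashlib
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Record {relative path: SHA-256} for every regular file under root.

    Assumed workflow (not from the article): run once on a known-good
    installation and keep the result off the machine being audited.
    """
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def audit(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current tree with the approved baseline."""
    current = build_baseline(root)
    return {
        # Present on disk but never approved: candidate untrusted program.
        "unapproved": sorted(set(current) - set(baseline)),
        # Approved path whose content changed: unauthorized modification,
        # or a patch that has not been re-baselined yet.
        "modified": sorted(
            name for name in set(current) & set(baseline)
            if current[name] != baseline[name]
        ),
        # Approved file that is no longer on disk.
        "missing": sorted(set(baseline) - set(current)),
    }
```

After a tested patch is applied during a maintenance window, the baseline has to be rebuilt, otherwise every patched file is reported as modified.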

5. Prevent Untrusted Network Communications Through Host Firewalls

Host firewalls are programs that run on the local computer to prevent unauthorized network communications. They can limit the types of data exchanged, the protocols used for the exchange, and the endpoints of sessions. Network firewalls should block unnecessary traffic at the points where physical firewalls are installed, but installing a physical firewall next to every computer is often impractical. A firewall installed on each computer can block unnecessary communications between computers in the same physical network area.

6. Activity Logging for Real-Time Detection and Post-Audit

Logging system activity does not necessarily harden the computer itself, but it helps harden the overall system the computer is part of. All noteworthy activities, such as network events, user authentication failures and successes, file system updates, and many other activities, should be logged to a location outside the local computer. Centralized event management systems can assess events as they occur to detect potentially harmful activity and take protective measures in a timely manner. Historical records of events help assess attacks after the fact to identify and remediate specific vulnerabilities.
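
The central assessment described above, as an added example that is not from the original article: a collector-side routine that reads events forwarded from industrial PCs and flags a login that follows repeated failures, a newly mounted file system, and a connection to a peer outside the approved list. The event layout, host names, addresses, threshold and allowlist are constructed for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, as a central collector might receive them from
# industrial PCs. The key=value layout and event names are assumptions.
SAMPLE_EVENTS = """\
2022-05-10T08:00:01 host=hmi-01 event=auth_failure user=operator
2022-05-10T08:00:05 host=hmi-01 event=auth_failure user=operator
2022-05-10T08:00:09 host=hmi-01 event=auth_failure user=operator
2022-05-10T08:00:15 host=hmi-01 event=auth_success user=operator
2022-05-10T08:03:40 host=hmi-01 event=fs_mount device=usb0
2022-05-10T08:05:12 host=hmi-02 event=net_conn remote=10.10.1.20 port=502
2022-05-10T08:06:30 host=hmi-02 event=net_conn remote=192.0.2.77 port=443
2022-05-10T09:00:00 host=hmi-02 event=auth_failure user=engineer
2022-05-10T09:30:00 host=hmi-02 event=auth_success user=engineer
"""

# Hypothetical allowlist of control-network peers per host.
ALLOWED_PEERS = {"hmi-01": {"10.10.1.20"}, "hmi-02": {"10.10.1.20"}}
FAILURE_THRESHOLD = 3
WINDOW = timedelta(minutes=5)


def parse(line):
    """Split 'timestamp key=value ...' into a dict with a datetime under 'ts'."""
    stamp, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.fromisoformat(stamp)
    return event


def detect(lines):
    """Return (host, finding) tuples in the order the events arrive."""
    alerts, failures = [], defaultdict(list)
    for event in map(parse, filter(None, map(str.strip, lines))):
        host, kind = event["host"], event["event"]
        key = (host, event.get("user"))
        if kind == "auth_failure":
            failures[key].append(event["ts"])
        elif kind == "auth_success":
            recent = [t for t in failures.pop(key, []) if event["ts"] - t <= WINDOW]
            if len(recent) >= FAILURE_THRESHOLD:
                alerts.append((host, "login_after_repeated_failures"))
        elif kind == "fs_mount":
            alerts.append((host, "new_file_system:" + event["device"]))
        elif kind == "net_conn" and event["remote"] not in ALLOWED_PEERS.get(host, set()):
            alerts.append((host, "unapproved_peer:" + event["remote"]))
    return alerts
```

Because the routine runs on the collector rather than on the industrial PC, the record it works from survives even if the PC itself is compromised.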

The tools and functions built into most operating systems can, to some extent, achieve hardening in the six areas above. This task requires expertise in operating systems, security requirements, and how both interact with the industrial software running on each machine.

Security software can be purchased or licensed to perform tasks in a more user-friendly manner. Some industrial facilities have engineers with the skills needed to implement and maintain asset hardening programs, but many factories lack this talent. In resource-limited situations, third-party partners can assist in completing the preliminary work and ongoing maintenance needed to harden systems to the desired state.

When engaging third-party partners for implementation and maintenance, and when using commercial security software, it is important to recognize that local engineering personnel still need to be involved in the operation and monitoring of the systems. Hardening industrial computers is not a one-time activity; it is a continuous process that requires regular review and updates.

Key Concepts:

■ Hardening is the process of making computers more resistant to malicious attacks and accidental infections from network intrusions.

■ Logging activities, host firewalls, and preventing untrusted applications are also key steps in hardening industrial computers.

Consider this:

What measures has your company taken regarding industrial PC hardening?


(CONTROL ENGINEERING China, 2022/5: "How to Strengthen Your Industrial PC?")
