Abstract: Implementing a defense-in-depth cybersecurity strategy against internal and external threats is an effective measure to ensure the security of Industrial Control Systems (ICS).
By building a defense-in-depth cybersecurity plan and implementing the 8 recommendations proposed in this article, it will help reduce the cybersecurity risks of Industrial Control Systems (ICS).
In the era of smart manufacturing, the important competitive advantage provided by the Internet of Things (IoT) and Industry 4.0—connectivity—will be the only way to success in the future. Some companies are ahead in cybersecurity, while others only take cybersecurity issues seriously after being threatened or breached. Establishing a robust cybersecurity strategy to prevent cyberattacks requires a holistic and layered approach. The following important recommendations will help enterprises develop effective cybersecurity plans for Industrial Control Systems.
Defense-in-Depth Cybersecurity Plan
“Defense-in-depth” is a term used to describe the strategic planning of cybersecurity for Industrial Control Systems, referring to an ideal state with multiple layers of security protection systems and access controls. First, it is necessary to identify the internal, external, physical, and virtual threats to the control system. Assessing the risk posed by each threat should guide how to better allocate the budget for the cybersecurity plan.
Develop a comprehensive plan to reduce risks to an “acceptable” level (which varies for each enterprise). If an attack or breach occurs, there should be corresponding processes to follow up. Through system monitoring and alerts, users should be promptly notified of any violations that are occurring or have occurred.
01
Segmentation
Segmentation is a defense-in-depth strategy that uses the principle of network segmentation to limit the damage caused by a breach. Segmentation creates independent, self-supporting networks (zones) within a larger network to prevent unnecessary access to the system and limit potential vulnerabilities. Physical segmentation can be achieved using other hardware (such as cables and switches), which is a more time-consuming and costly method compared to virtual segmentation.
In larger systems, isolated networks can be created using Virtual Local Area Networks (VLANs). Segmentation can be as basic as separating the manufacturing network from the business network, or more complex, such as creating different segments for each manufacturing unit. For example, in the pharmaceutical industry, each manufacturing unit or packaging production line can be individually segmented. If network segments need to communicate, firewalls can provide additional protection. A firewall is a separate device that determines whether to allow or block network communication.
If the factory is regional, treating it as a single segment can protect the entire system from potentially catastrophic damage. If further segmentation is needed, partitions can be created for systems such as instrumentation, control, and visualization networks within each factory.
02
Demilitarized Zone (DMZ)
A special case of segmentation is setting up a Demilitarized Zone (DMZ) between the company’s industrial and manufacturing systems, business, and IT networks or the internet. Although not universally implemented in Industrial Control Systems, DMZs are still important for certain specific situations. A properly configured DMZ will not allow communication to pass directly from the business network or the internet to the industrial control system network. When communication across the DMZ occurs, internal servers or devices need to act as intermediaries for the transmission.
03
Regular Backups and Updates
Ensure that systems are regularly backed up. Create images for all hard drives, backup virtual machines, and storage configurations and programs on storage devices (such as Network Attached Storage). Backups should be copied to another off-site device for additional protection. No matter how secure the protective measures may seem, they are never 100% secure. Backups are key to quick and easy recovery.
Use the latest patches to update systems and upgrade any computers running unsupported operating systems. For these outdated platforms, even if the manufacturer no longer provides patches, vulnerabilities will be disclosed if found.
Contact automation equipment manufacturers to get on email distribution lists for security announcements. Additionally, it is recommended to obtain information from government or relevant organizations about Industrial Internet Security Emergency Response (ICS-CERT) as soon as possible.
04
Dedicated Security Devices
A few manufacturers specialize in providing cybersecurity products for Industrial Control Systems. Firewall security tools have hardware and software specifically tailored for Industrial Control Systems. These tools allow for defining rules, managing devices that communicate with the system, and the ports and protocols they can use. Firewalls lock down communication with existing devices to ensure proper communication flow. Firewalls can identify when communication is not functioning correctly and causing communication blocks. In addition to blocking communication, notifications or alerts can also be set up.
05
Establish a Strong Cybersecurity Culture
Cybersecurity requires a combination of common sense and education. Many threats and attacks originate from internal and accidental events, highlighting the need for everyone to participate and remain vigilant. Develop ongoing education programs and provide training for future employees, offering training on common social engineering tactics. Inform them about what constitutes confidential information and what behaviors can lead to security risks, such as clicking on seemingly legitimate phishing emails or receiving calls that attempt to induce people to disclose information. Provide detailed information and training to employees on what to watch out for, what not to click, and how to avoid other common traps.
06
Use Limited Access and Unique Passwords
Adopt a “least privilege” policy, allowing employees access only to what they need for their work, without access to unrelated content. Enforce users to set unique passwords that cannot be set to system default passwords. Additionally, users should not set passwords in public view, near devices, or elsewhere. Use technologies such as rolling codes and biometrics to increase two-factor authentication wherever possible. All devices providing remote access to internal systems should enforce two-factor authentication.
07
Physical Access Defenses
Proper physical security measures are often overlooked. For physical access defenses, first ensure the security of device entry points. Consider using security guards, access control systems, electronic fences, and locking critical infrastructure such as servers and SCADA control rooms. Remove keys from Programmable Logic Controllers (PLCs) to prevent tampering with programs, and lock control file cabinets to prevent unauthorized access.
USB ports on control systems can also be disabled or locked. These USB ports can spread viruses or steal data; employees may also inadvertently compromise security by charging their phones.
08
Maintain Good Relationships with System Integrators
If there are other experts who understand the company’s internal and external automation systems, they will undoubtedly be a valuable asset. For example, last year, a series of ransomware attacks targeted global companies. If system integrators have in-depth knowledge of the client’s industrial control system applications, processes, and detailed documentation of software programs including recent backups, trusted system integrators can assist clients in support and rapid recovery during or after a cyberattack.
Implementing a defense-in-depth cybersecurity strategy does not have to be a costly and time-consuming task. Adopting effective defensive measures will significantly enhance the security level of Industrial Control Systems. Control system integrators can work directly with the client’s IT department to design and install the necessary cybersecurity technologies and provide training. Integrators can collaborate with clients to provide quick support and consulting services when needed, helping clients mitigate cybersecurity risks.
This article is from the October 2018 issue of CONTROL ENGINEERING China, under the “Cover Story” section, originally titled: 8 Recommendations to Ensure the Cybersecurity of Industrial Control Systems.
Cover of this Issue
To read each issue of the magazine for free, please follow the CONTROL ENGINEERING China WeChat subscription account.
Previous Recommendations
– 【Revealed】 The world’s first smart restaurant by Haidilao opens, personalized customization becomes the highlight
– 【Special Report】 Extracting Wisdom from the Industry and Aggregating Cross-Industry Experience—2018 Industrial 4.0 Smart Manufacturing Development Application Conference
– Academician Tan Jianrong: Rationally view smart manufacturing, it cannot replace manufacturing technology itself; first, two other things must be done well
– Three recommendations for manufacturing enterprises—ensuring that product quality in the global supply chain will not become an issue
– 【Technical Progress】 IO-Link: A Booster for the Automotive Industry’s Move Towards Intelligence
– Continuous quotable phrases—Why Li Shufu’s speech at the Smart Manufacturing Conference received the warmest applause (with full text of the speech)
– Official announcement | The “National Smart Manufacturing Standard System Construction Guide (2018 Edition)” is officially released (with PDF download)
More
Wonderful
Please click the QR code on the right
Public account ID
cechinamag
