For some 20 years at least, organizations have been challenged to protect their enterprise networks from attack. Proprietary protocols once offered some level of protection, but their convergence into common IP platforms brought new network vulnerabilities to the fore. Now, as industrial field networks grow, and communications and shared information proliferate, industrial sites are finding themselves subject to the same kinds of vulnerabilities as the enterprise networks.
That is particularly true as industrial networks shift to IP systems, just as the enterprise systems did. With all the doomsday hubbub about cybersecurity prevalent today, many might be inclined to want to stick with proprietary networks or perhaps attempt to cut the flow of information off altogether. But the fact is that the use of IP systems in industrial networks is in itself just too valuable to disregard.
Speaking on the final day of ABB Automation & Power World this week in Orlando, Fla., Roman Arutyunov, vice president of global product management and R&D for ABB Tropos Wireless, not only strongly advocated the use of IP systems in large field networks, but explained that there are reliable ways to continue to protect your network from attack.
Tropos Networks, acquired by ABB last June, has focused its business on outdoor industrial markets, making wireless mesh routers, communications equipment and network management software for use in utilities, distribution area networking, mining, oil and gas, control of trains and railways, etc.
"We've seen the growing importance of cybersecurity across all of our markets," Arutyunov said, noting that the desire of industrial customers to optimize their operations by continuously connecting the fields to the back-end office is facilitating two-way communication exchange. "This connection of two elements that were previously very separated or connected with proprietary mechanisms, which gave operators a false sense of security, has given us the growing importance of cybersecurity."
IP architectures are needed if you're going to connect systems in the field, Arutyunov said, pointing to, for example, ease of operations and the ability to run multiple applications over networks. "IP is critical to accomplishing those goals," he said. "But it also increases the risk of cyber attacks. There is a wide array of attacks that can be conducted remotely and on a mass scale over IP networks."
But the good news is that there are ways to prevent those attacks, Arutyunov said. "I advocate an enterprise-style architecture extended all the way to the edge."
He pointed to a typical oil and gas network architecture as an example, including a data center connected to multiple tiers, all the way down to the field elements, which are miles, sometimes hundreds of miles, from the data center. Beyond the data center, the network could include the core IP network at tier 1; the field area network (FAN) at tier 2, including radios on wellheads that are connected back to gateways and then on back to the data center; and tier 3, which could have multiple applications connected throughout territory, such as SCADA endpoints, VoIP phones, safety and security systems, wellhead metering and logging, and laptops, tablets and smart phones.
"This is great power. It facilitates operations, facilitates availability, facilitates capital utilization for the industrial operator and safety," Arutyunov said. "But with this comes exposure."
There are several key elements needed for field network security, including network access control; network resource and remote endpoint protection, which is often ignored; user and device identification and authentication; secure end-to-end data transmission; traffic segmentation and prioritization across applications; secure network management; audit and accountability (another point that's been largely ignored by industrial operators); and availability and performance, which refers to built-in mechanisms to help the network heal itself in the case of attack.
Secure end-to-end data transmission is critical, Arutyunov insisted. "There are three layers of architecture, which means that there are multiple types of equipment in between, all communicating with each other, sometimes over public lines," he said. Most vendors protect the traffic over their own equipment, but the system often becomes vulnerable at junction points. VPN should take encryption all the way from the edge to the data center, he said.
To help with secure network management Tropos Control is a software package that can visualize, monitor and manage the network from just a few clicks. Besides monitoring the network, identifying and tracking security events such as authentication attempts and denial-of-service (DoS) attacks, the software makes it easy to roll out new security policies and change them in minutes across the entire network.
Some problems that networks often face is a lack of access control mechanisms, a lack of firewalls for endpoint and network protection at the edge, and a lack of user and device identification and authentication mechanisms, Arutyunov said. "They move IP to the edge and utilize the same radios, exposing themselves to attacks all the way to the edge," he said, noting that attackers can often get all the way back from the field devices to the data centers.
"This is a lot of stuff that we need to worry about," Arutyunov conceded. "The good news is that there are models in place that we can follow."
The way Tropos addresses the challenge is with end-to-end secure IPsec VPN tunnels; 802.1x for authentication and access control; traffic segmentation using VLANs; and firewalls throughout the network for endpoint security (in every single router, protecting the end elements as well as the data center).
"We have customers who've implemented this model — in fact, quite a few," Arutyunov said. "And security doesn't necessarily mean that it's more expensive, especially when those mechanisms are standards-based."