Locking the door is good. Being awake and aware is better.
Network access and security have always been about keeping out what you don't want to get in, but these days they're also about finding and eliminating what got in but shouldn't be there.
So, while passwords, encrypted data, segmented networks, and managed Ethernet switches acting as firewalls are all essential, they're just the start of what it takes to make industrial networks and control applications secure. In the past few years, some viruses, worms and other malicious software have been modified to circumvent the usual barriers and exploit the windows left open by patching schedules, while others like Stuxnet and similar copycats can conduct man-in-the-middle attacks in which they pose as authorized entities while rewriting critical software behind the scenes.
"There's no such thing as security-by-obscurity or truly air-gapped systems," says Eric Cosman, engineering consultant at Dow Chemical and co-chair of the ISA-99 industrial cybersecurity committee. "Even in cases where a control system doesn't have a network connection, it's possible to compromise the system by simply inserting an infected USB drive. There's no substitute for understanding your systems, how they're configured, and what your vulnerabilities are."
Consequently, all data and communications from the plant floor to the business level must be monitored and inspected for unauthorized and unusual activity. Luckily, increasingly capable and inexpensive microprocessors, software and hardware components make these network protection and detection devices usable by everyone. These security tools include IT-based network sniffing tools, deep packet inspection software, and a variety of other devices and methods that evaluate whether the data and communications on a network are really supposed to be there or not.
Secure Container Shifting
For instance, Europe Container Terminal (ECT) runs 265 driverless container vehicles (automated guided vehicles, or AGVs), 127 storage cranes and 36 container gantries 24/7/365 to move 7 million tons of goods per year through the Port of Rotterdam. However, all this automated loading and unloading of twenty-foot equivalent unit (TEU) containers requires a huge amount of logistical coordination and reliable hardwired, wireless and fiberoptic networking, especially between the cranes and AGVs and their network servers and redundant computing centers.
"The independent crane controls require protection from any type of network interference from human error to denial-of-service attacks," says Ingo Hilgenkamp, product marketing manager for I/O and networks at Phoenix Contact Electronics. "However, this security mechanism must not prevent ECT's operators from switching to backup radios if a malfunction occurs in the fiberoptic cables, which wind onto and off of large reels."
To safeguard communications and make sure the cranes and AGVs precisely execute only authorized commands from operators, ECT implemented Phoenix Contact's mGuard Ethernet switches/firewalls, security appliances and mechanical components, which are prewired, configured and DIN-rail mounted (Figure 1). Based on a hardened embedded Linux operating system, mGuard RS4000 switches have four complementary security components: a bidirectional stateful-inspection firewall, a flexible network address translation (NAT) router, a secure virtual private network (VPN) gateway, and optional malware protection using common Internet file system (CIFS) integrity monitoring (CIM).
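The integrity-monitoring component above works by recording a baseline of the files on a share and periodically comparing the current state against it, so that software rewritten "behind the scenes" shows up as a change even when the network perimeter held. The following is an added illustration of that baseline-and-compare principle, not Phoenix Contact's or mGuard's code; the directory, file names and contents are constructed, with a temporary folder standing in for a CIFS share.

```python
"""Baseline-and-compare file integrity check (added example, not mGuard code)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large program files do not sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_baseline(root: Path) -> dict:
    """Map each file (path relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Report files that were modified, added or removed since the baseline."""
    return {
        "modified": sorted(k for k in baseline
                           if k in current and baseline[k] != current[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: a share holding a crane program, then a silent change."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp)  # stands in for the monitored CIFS share (constructed)
        (share / "crane01.prj").write_bytes(b"authorized program v1")
        (share / "config.ini").write_bytes(b"radio=backup\n")
        baseline = take_baseline(share)
        # Changes the monitor must surface: a rewritten program file,
        # an unexpected new file, and a missing configuration file.
        (share / "crane01.prj").write_bytes(b"authorized program v1 (altered)")
        (share / "unknown.bin").write_bytes(b"file not in baseline")
        (share / "config.ini").unlink()
        return compare(baseline, take_baseline(share))


if __name__ == "__main__":
    print(demo())
```

A real deployment keeps the baseline on the monitoring device rather than on the share it checks, so that whatever altered the files cannot also alter the record used to detect it.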
These managed switches also act as media converters, passing signals from the fiberoptic network to the Ethernet network and enabling a connection to the radio system if the fiberoptic side malfunctions. In addition, the switches and FL mGuard security devices connect over a cable protected by a special lock on the connector, providing a layer of physical security: the connector requires a special key to add or remove connections.