Don't Count on Network Security by Obscurity

July 31, 2013
Counterfeits and Courage: Carry Out a Proactive Risk Assortment to Ferret Out Unauthorized Traffic
About the Author

Jim Montague is the executive editor for Control. Email him at [email protected].

Whenever I get the chance to research and report on network security, I'm inexplicably reminded of a couple of old hardware stories. I think this is because they help me understand what's going on with all the digital data flying around on Ethernet cables or through the air, and perhaps how to help keep those networks and their information secure.

SEE ALSO: Network Security

The first is my cover article, "Do You Know Who Made Your Valves?" that appeared in Control in November 2007. The story was about the growing precision of counterfeit valves and other process control equipment, and how to identify these increasingly hard-to-recognize components. It was pretty amazing. I learned that false process-control components are accompanied by counterfeit plates, marks, documentation, certifications and other verification, but some counterfeiters even use phony sales representatives and set up fake companies to distract and deceive their victims. In fact, many fakes have become almost indistinguishable from genuine products, using RFID chips, laser etchings, holographic labels and even castings that mimic the originals.

In this story, Graham Ogden, R&D director of Rotork, stated, "End users shouldn't buy a device or components unless they're sure where it came from, and they need to understand the entire supply chain between where a device was built and their plant. If you can completely trace a product back to its manufacturers, then you can be as sure as possible that you have the genuine one you wanted."

To combat modern counterfeiting, most process control users buy products only from manufacturers and distributors that are well-known to them, though the lure of deals on eBay can be strong. As a result, some purchasers measure wall thicknesses of valves, retest device performance, and communicate often with their suppliers. They repeatedly confirm logistics details, and track and trace shipments to make sure no unauthorized disruptions or intrusions occur in their supply chains.

It was this slightly obsessive, FedEx-style of checking on shipments that I've long thought would be a useful model for checking data packets on industrial networks to help improve their security. Continual polling, data encryption, restricted routing, security certificates and other basic security methods always seemed very similar to the physical verifications used to prevent counterfeits. So, I've been glad to see many examples of this model coming to pass, and then going even further with added procedures for whitelisting authorized network participants, conducting deep-packet inspections, and performing several types of monitoring traffic for unusual activity. The main lesson is that it's important to maintain barriers, but it's just as crucial to examine internal communications, too.

Likewise, the second item that sticks in my memory when I research security is my "Don't Get Burned" cover article in the May 2009 issue of Control Design. It was about the usual machine safety precautions, but several sources also stressed the need to perform more proactive, task-based risk assessments (RAs), and comply with internationally harmonized safety standards at the design stage and onward, instead of seeking to protect operators and equipment after equipment is already built.

In that story, C. Fred Hayes, Packaging Machinery Manufacturers Institute's standards and safety coordinator, stated, "When the attorneys realized it would be a lot worse to ship a machine to Europe with safety functions that it didn't have in North America, they came to understand that RAs could be very useful."

So, the best defense for machine safety has shifted to having a good RA offense. Of course, it's no secret that safety principles are an excellent way for engineers to understand and implement security as well. This is because downtime, lost revenue and potential damage or injury caused by a network security breach can be assessed in the same way that frequency and severity are calculated for safety incidents. Their common goal is reducing the probabilities of adverse events.

So, don't sit on your hands and count on security or safety by obscurity. Carry out a proactive RA for network security as well as for process or machine safety. Segment your network with managed Ethernet switches serving as firewalls, but also implement some network and data evaluation tools to ferret out unauthorized traffic and those counterfeit data packages.

About the Author

Jim Montague | Executive Editor, Control

Jim Montague is executive editor of Control. He can be contacted at [email protected].