Cyber security for industrial assets

When it comes to securing industrial networks, policies from the enterprise (IT) and manufacturing sides can differ. Co-authors Gregory Wilcox and Dan Knight, from Rockwell Automation and Cisco Systems, respectively, give specific advice on "computer hardening" and "controller hardening" so the entire manufacturing enterprise can be protected.

Manufacturing Business Technology Staff -- Manufacturing Business Technology, 8/7/2009 3:33:00 PM

The convergence of manufacturing and enterprise networks is increasing access to manufacturing data, which allows manufacturers to make better business decisions. This business agility provides a competitive edge for manufacturers that embrace convergence. However, challenges come with these opportunities - network convergence exposes manufacturing assets to security threats traditionally found in the enterprise.

Holistic Security

Protecting manufacturing assets requires a "defense-in-depth" security approach that addresses internal and external security threats. This approach uses multiple layers of defense (physical and electronic) at separate manufacturing levels by applying policies and procedures that address different types of threats. For example, multiple layers of network security protect networked assets, data and end points, and multiple layers of physical security help protect high value assets. No single technology or methodology can fully secure industrial control systems. Defense-in-depth layers for securing manufacturing assets include physical, network and application security, as well as computer and device hardening.

In achieving a "defense-in-depth" approach, an operational process is required to establish and maintain the security capability. A security operational process includes identifying priorities, assets, potential internal and external threats and risks, establishing requirements, understanding required capabilities, as well as developing architecture and policies.

Designing and implementing a comprehensive manufacturing security model should serve as a natural extension to the manufacturing process. Users should not implement security as a bolt-on component to the manufacturing process

Manufacturing Security Policies

The key to a successful security strategy is understanding the potential problems that need to be solved, including what to protect and how. Establishing a security policy focused on manufacturing needs provides a roadmap for applying security technologies and best practices to protect manufacturing assets, while avoiding unnecessary expenses and excessive restrictive access. Security services should not inhibit nor compromise the manufacturing operation.
As defined by ISA-99, a security policy "enables an organization to follow a consistent program for maintaining an acceptable level of security." The security policy consists of physical and electronic procedures that define and constrain behaviors by personnel and components within the manufacturing system. A team consisting of IT, operations and engineering professionals should work together to define manufacturing security needs.

Security policy development starts with evaluating potential risks. Conducted by either an internal or external team, the risk assessment process identifies potential vulnerabilities and determines mitigation techniques through procedures and/or technology. For example, a procedure could restrict physical manufacturing systems access to authorized personnel. Technology mitigation techniques could involve changing management software to authorize and authenticate user credentials.

Developing a robust and secure network infrastructure requires protecting the integrity, availability and confidentiality of control and information data. Users should address the following when developing a network:
• Is the network infrastructure resilient enough to provide data availability?
• How consistent is the data? Is it reliable?
• How is data used? Is it secure from manipulation?

IT responsibilities include protecting company assets and intellectual property (IP). IT accomplishes this by implementing an enterprise security policy enforcement to protect data confidentiality, integrity and availability (CIA) - in that order. Although similarities exist for manufacturing security policy enforcement, it must place continuous manufacturing operation as top priority. Manufacturing security policy enforcement protects data availability, integrity and then confidentiality (AIC) - in that order.

Enterprise and manufacturing security policies differ in terms of how they handle upgrades. For enterprise applications like operating system and application software patching as well as antivirus definition updates, users conduct upgrades as soon as possible. Applying upgrades to a running manufacturing server could disrupt operations, resulting in a production loss. Manufacturing security policies should define upgrades as a scheduled activity during manufacturing downtime.

Computer Hardening

IT best practices applied to enterprise computers also should apply to manufacturing computers. Best practices and general recommendations include:
• Keep computers up-¬to-¬date on service packs and hot fixes, but disable automatic updates. Additionally, users should test patches before implementing them as well as schedule patching and regular network maintenance during manufacturing downtime.
• Deploy and maintain antivirus software, but disable automatic updates and automatic scanning.
• Deploy and maintain antispyware software, but disable automatic updates and automatic scanning. Automatic antivirus and antispyware scanning has caused data loss and downtime at some manufacturing facilities.
• Prohibit direct internet access. Implementing a Demilitarized Zone (DMZ) provides a barrier between the Manufacturing and Enterprise Zones, but allows users to securely share data and services. All network traffic from either side of the DMZ terminates in the DMZ. Traffic does not directly travel between the Enterprise and Manufacturing Zones.
• Implement a separate Active Directory domain/forest for the Manufacturing Zone. This helps ensure availability to manufacturing assets if connectivity to the Enterprise Zone is disrupted.
• Implement the following password policy settings:
   - Enforce password history
   - Maximum password age
   - Minimum password length
   - Complex password requirements
• Disable the guest account on clients and servers.
• Require that the built-¬in administrator account uses a complex password, has been renamed and has removed its default account description.
• Develop and then deploy backup and disaster recovery policies and procedures. Users should test backups on a regular schedule.
• Implement a change management system to archive network, controller and computer assets (e.g. clients, servers and applications).
• Using Control+Alt+Delete along with a unique username and password to login. Users should require domain credential to access networked computer assets and have unique, non¬shared passwords.
• Protect unnecessary or infrequently used USB ports, parallel and serial interfaces to prevent unauthorized hardware additions (modems, printers, USB devices, etc.).
• Develop and implement a policy for guest access within the Enterprise Zone.
• Develop and implement a policy for partner access within the Manufacturing Zone.
• Uninstall the unused Windows components, protocols and services not necessary to operate the manufacturing system.

Controller Hardening

Users can secure Rockwell Automation Logix programmable automation controllers (PAC) by physical procedure, electronic design, authentication and authorization software as well as change management with disaster recovery software. Best practices and general recommendations include:
• Physical procedure: This restricts control panel access only to authorized personnel. Users can accomplish this by implementing access procedures or locking the panels. Switching the PAC key to "RUN" prevents remote programming, including remote firmware flash that could corrupt the PAC. To allow program configuration changes, this requires a physical key change at the PAC. Unauthorized access (intentional or unintentional) could not alter the PAC until the key switch is changed from "RUN."
• Electronic design: Implementing the PAC CPU Lock feature denies front port access to the PAC, which prevents configuration changes.
• Authentication, authorization and audit by implementing FactoryTalk® Security: Authentication verifies a user's identity and that service requests originate with that user. Authorization verifies a user's request to access a feature or PAC against a set of defined access permissions.
• Change Management with disaster recovery: FactoryTalk® AssetCentre continuously monitors PAC assets with automatic version control, disaster recovery and backup, device configuration verification and real-¬time auditing of user actions.

About the Authors:
Gregory Wilcox, business development manager, Rockwell Automation and Dan Knight, industry solutions manager, Cisco Systems, work together to aid manufacturers with manufacturing-IT convergence. Together, Rockwell Automation and Cisco released reference architectures and embarked on a series of market education activities, reaching more than 8,000 stakeholders on four continents to date. Additionally, Rockwell Automation and Cisco delivered jointly collaborated on infrastructure products that directly address the widespread network convergence activities in manufacturing and IT organizations.

 

Related news:

Rockwell Automation/Cisco Systems: Customer needs pave Ethernet's way from factory floor to executive suite