Building a secure Ethernet environment

Key Concepts
  • Enclosing devices in a lockable cabinet and limiting access to authorized persons can prevent tampering or accidental decoupling of a device link

  • A firewall provides security from potential intruders.

  • Physical security and password protection are essential to any security program.

Logical and physical security
Routing and switching security
Virtual LANs
Firewall technologies
Authentication technologies
Secure remote access

The trend toward using Ethernet as the sole communications network for business and industry has raised concerns about security. While proprietary networks for building or factory automation have major drawbacks in terms of limiting information flow and higher cost, the separation of these networks from other systems provides a measure of protection against unauthorized access. So how do you take advantage of the benefits of Ethernet connectivity within a secure environment?

A comprehensive security plan must protect against unauthorized access from both internal and external sources. Methods of security can range from technologies based within the infrastructure itself, such as physical connection paths and virtual local area networks (VLANs), to hardware and software-based devices, such as firewalls and security management servers.

Logical and physical security

The most secure network, of course, is one that has no connections to other systems. But that defeats the major advantage of Ethernet in the plant — its easy connectivity to other Ethernet networks or the internet for information sharing.

A frequently overlooked security measure is physically securing switches and wiring closets. Enclosing devices in a lockable cabinet or closet and limiting access to authorized persons can prevent tampering or accidental decoupling of a device link. It also makes sense to save a backup copy of the switch configuration each time a change is made, using the trivial file transfer protocol (TFTP) upload feature found in many switches. This is not only a security measure, but also a recovery method in case a device fails and requires replacement. Keep in mind that TFTP has no authentication or encryption and the saved configuration contains the switch's credentials, so the TFTP server should sit on the protected management network and the backup files should be guarded as carefully as the passwords they contain.

Another easy way to secure infrastructure devices such as switches is password protection. Out of the box, most switches can be accessed through a serial DB-9 console connection. This management interface is used to assign an IP address for remote TCP/IP-based management, traditionally by telnet. Telnet carries the login and everything typed afterward across the network in cleartext, so where a switch supports secure shell (SSH), SSH should be enabled and telnet disabled.

Default passwords for switches may be standardized across a manufacturer's entire product line and are published in product documentation and on the web. Many users, including IT organizations, fail to change the default passwords and permissions. If an unauthorized user reaches an unsecured switch, he or she could be in complete command of the switch, with the ability to change configurations or disable ports. Therefore, physical security and password protection must be part of any security program, even for a network that has no Ethernet connection to the corporate LAN or the internet.

Web-enabled devices such as switches and modules for programmable logic controllers (PLCs) have extended functionality with graphical interfaces, web hosting, and Java/ActiveX controls (Fig. 1). Once installed on a network, the default password on each device should be changed and additional user IDs created as necessary to restrict services to authorized users only.

PLC programming tools and SCADA programs can also be configured to have varying levels of access to user logic and other components. CPUs in many PLCs are equipped with keys to allow the CPU to be started or stopped and to protect the internal memory. These keys should be removed and distributed to authorized personnel.

Particularly in large environments, documenting code changes, device and infrastructure changes, and cabling identification is the key to maintaining the security of devices and programs that may be serviced infrequently.

Routing and switching security

As the sophistication of an Ethernet network for building or factory automation grows, features once found only in enterprise-class devices are finding their way into daily use at the workgroup level. Access control features can be configured in some switches and routers to allow only specific workstations to access a device or pass through to a target. These features include "virtual LAN" implementation, port security, password implementation, and access control list filtering on supported switches and routers.

These special features may not be available on some manufacturers' products or models, so it is important to check each vendor's capabilities before specifying or purchasing a particular product. These features may also require specialized skills to configure, administer, and maintain.

Physical security

Physical security is crucial to a secure operating environment. Switches and routers must be held in place in a secure and sturdy fashion, preferably installed in a rack or enclosure in a secure area. Network equipment is usually equipped to be restored to factory defaults in case a password is forgotten. For this reason, all ports, including console and auxiliary ports, should be secured by a lock or located in a locked enclosure to prevent unauthorized access.

Port-based security

Port security on a switch can prevent unauthorized users from plugging in devices, such as workstations or printers. Devices like these could disrupt network operations by introducing excessive amounts of traffic and errors. Administratively disabling unused ports prevents traffic from entering the network if an unauthorized device is plugged in.

Port-based hardware address (MAC address) management may be used on a switch in order to deny access to a nonauthorized device. Service is not provided if a MAC address that has not been configured for the port is sensed. This can also be used as a precaution against connecting more than the allotted number of workstations or devices to a port. If a device is replaced with one having a different MAC address, the port assignment must be appropriately reassigned by the network administrator. Because a MAC address is set by the device's driver and can be copied from an authorized device, port security stops accidental or casual connections rather than a determined intruder; it complements the physical port security described above and does not replace it.
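The following is an added example, not code from the article or from any switch vendor. It models port security as the text describes it: a port learns the first MAC address seen ("sticky" learning, as many switches offer), serves only the addresses in its allow-list up to the allotted count, and is placed in an error-disabled state when a frame from any other address arrives, so that even the authorized device is cut off until an administrator intervenes. The port name, the MAC addresses and the sequence of frames are constructed for illustration.

```python
"""Port-security simulation: a switch port with a MAC address allow-list.

Added example (not from the article). Port name, MAC addresses and the frame
sequence in demo() are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    max_addresses: int = 1            # allotted number of devices on this port
    sticky: bool = True               # learn the first address(es) seen, as many switches can
    allowed: set = field(default_factory=set)
    shutdown: bool = False            # err-disabled after a violation
    violations: list = field(default_factory=list)

    def receive(self, src_mac: str) -> str:
        """Handle one frame from src_mac; return 'forward', 'learned' or 'violation'."""
        if self.shutdown:
            return "violation"        # nothing passes until an administrator clears the port
        if src_mac in self.allowed:
            return "forward"
        if self.sticky and len(self.allowed) < self.max_addresses:
            self.allowed.add(src_mac)  # the first device(s) plugged in become the allow-list
            return "learned"
        # An unknown address beyond the allotted count: record it and err-disable the port.
        self.violations.append(src_mac)
        self.shutdown = True
        return "violation"

    def admin_replace_device(self, old_mac: str, new_mac: str) -> None:
        """Swapping a device for one with a different MAC needs explicit admin action."""
        self.allowed.discard(old_mac)
        self.allowed.add(new_mac)
        self.shutdown = False


def demo() -> list:
    """Walk a PLC port through learning, a violation and a device replacement."""
    plc_port = SecurePort("Gi0/7", max_addresses=1)
    events = [
        plc_port.receive("00:80:f4:01:02:03"),  # PLC plugs in -> learned
        plc_port.receive("00:80:f4:01:02:03"),  # normal traffic -> forward
        plc_port.receive("08:00:27:aa:bb:cc"),  # a laptop is plugged in -> violation
        plc_port.receive("00:80:f4:01:02:03"),  # the PLC itself is now cut off too
    ]
    plc_port.admin_replace_device("00:80:f4:01:02:03", "00:80:f4:04:05:06")
    events.append(plc_port.receive("00:80:f4:04:05:06"))  # replacement PLC -> forward
    return events


if __name__ == "__main__":
    print(demo())
```

The fourth event is the one that surprises people in practice: after a violation the port stays down for the legitimate device as well, which is exactly why a replaced PLC or an unplanned laptop on a plant-floor switch turns into a maintenance call.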

Access lists can also be used on supported switches and routers to permit or deny users from gaining access to specific network devices or specific resources on network devices. This is known as packet and service filtering and is placed on certain interfaces. Using access lists ties up processor resources and must be locally administered on each interface within each routing device. As a result, access lists are not always the most optimal way to secure resources. Proper setup by a professional is crucial when using these filtering devices, since improper setup could render the network inoperable.

Access control lists

An example of access control list implementation is to allow a programmer to program a device but to restrict the programmer from accessing the device from a web browser. The list would permit traffic from the programmer's workstation to the device, but deny that traffic when the destination TCP port is 80, the port a web browser uses to connect to an HTTP host. Because access lists are evaluated in order and end in an implicit deny, the deny entry for port 80 must come before the broader permit entry, or it will never be reached.
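An added example, not code from the article: a first-match evaluator that applies the programmer-versus-browser policy just described and shows the two ways such a list goes wrong, the entries in the wrong order and a list with no permit at all, which is the "improper setup could render the network inoperable" case. The addresses and the PLC programming port (44818 is used only as a placeholder) are assumptions; the evaluator itself generalizes the text's single rule to any source, destination, protocol and port.

```python
"""First-match access control list evaluation with implicit deny.

Added example (not from the article). Addresses and PROG_PORT are placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: str                    # source network in CIDR form
    dst: str                    # destination network in CIDR form
    proto: str = "any"          # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # destination port; None matches any port

    def matches(self, pkt: dict) -> bool:
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and (self.dport is None or self.dport == pkt.get("dport")))


def evaluate(acl: List[Rule], pkt: dict) -> str:
    """Return the action of the first matching entry; no match is an implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


PROGRAMMER = "10.1.5.20"     # programmer's workstation (assumed)
PLC = "10.2.0.10"            # the device being protected (assumed)
PROG_PORT = 44818            # placeholder for the vendor's programming port

# Intended policy: the programmer may program the PLC but not open its web page.
ACL = [
    Rule("deny", PROGRAMMER + "/32", PLC + "/32", "tcp", 80),
    Rule("permit", PROGRAMMER + "/32", PLC + "/32"),
]

# Same entries, reversed: the permit now matches first and the deny is dead.
ACL_WRONG_ORDER = list(reversed(ACL))

# Only the deny entry: the implicit deny at the end blocks programming as well.
ACL_NO_PERMIT = ACL[:1]


def check_policy(acl: List[Rule]) -> Tuple[str, str, str]:
    """Evaluate three constructed packets: programming, web browsing, and a stranger."""
    program = {"src": PROGRAMMER, "dst": PLC, "proto": "tcp", "dport": PROG_PORT}
    web = {"src": PROGRAMMER, "dst": PLC, "proto": "tcp", "dport": 80}
    stranger = {"src": "10.1.5.99", "dst": PLC, "proto": "tcp", "dport": PROG_PORT}
    return evaluate(acl, program), evaluate(acl, web), evaluate(acl, stranger)


if __name__ == "__main__":
    for name, acl in [("intended", ACL), ("wrong order", ACL_WRONG_ORDER), ("no permit", ACL_NO_PERMIT)]:
        print(f"{name:12s} program/web/stranger = {check_policy(acl)}")
```

Before applying a list to a production interface, run the intended packets through it in exactly this way; the entry order and the trailing implicit deny are not visible in the configuration text and are the usual cause of a locked-out programming station.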

Virtual LANs

A virtual LAN (VLAN) is a grouping of Ethernet ports on an IEEE 802.1Q-compliant switch or a grouping of switches. A VLAN may be used to help isolate packet and broadcast traffic on a factory automation network, for example, from the IT network. Measures like this are generally reserved for isolating extraneous traffic, such as broadcasts, that may interfere with control communications, but can also be implemented as security tools.

Switches can be divided into VLANs that could render devices on separate VLANs unreachable. The downside to switch port-based VLANs as a security strategy is management, since a port can belong to multiple VLANs extending across multiple switches.

Multilayered VLANs can be challenging to administer. If each VLAN is carried between switches on its own untagged link, two VLANs on each of two switches require two links between the switches, and the spanning tree protocol (STP) will block one of them to prevent a loop. The remedy is not to disable STP, which removes the only protection against broadcast storms, but to connect the switches with a single IEEE 802.1Q trunk link that carries tagged frames for all of the VLANs; the trunk is one link as far as STP is concerned, and switches that support per-VLAN spanning tree keep loop protection for each VLAN separately.

VLANs can also be used to segment broadcast domains within a network. Since VLANs are logically segmented LANs, physical areas do not restrict them. Using VLANs reclaims network bandwidth by breaking down broadcast domains and segments one network of devices from another within the same switch.

VLAN segmentation is accomplished by assigning the ports of a device into separate VLAN memberships. For example, ports 1 and 2 may be assigned to VLAN1. Ports 3 and 4 may be assigned to VLAN2. Ports 1 and 2 will not see broadcasts or traffic from ports 3 and 4, and vice versa. This separation is accomplished at OSI layer 2. If a third VLAN were created using ports 1, 2, 3, 4, and 5, then a device on port 5 would see all broadcast traffic from ports 1, 2, 3, and 4.

An example of this type of implementation is when the network administrator separates office computer traffic from PLC or SCADA devices. As these devices may not normally communicate with each other, separating them with a VLAN would allow the two networks to coexist on the same switch.

Other configurations can be implemented in order to conserve bandwidth for automation or other control devices. These settings include whether or not to pass or block multicasts and rate-limit broadcasts. Other technologies, such as the IEEE 802.1p class-of-service priority, can prioritize frames on eight levels (0 through 7) by setting the three priority code point bits in the 802.1Q tag. This allows traffic types or port assignments to have a higher priority if a bottleneck occurs, and can be very useful to prioritize automation traffic. Though not specifically a security measure, it does preserve the integrity of an automation network.

Firewall technologies

A firewall is a device that is implemented on a network to provide security from potential intruders. It has more granular control over what can and cannot be accessed from outside the secure network than an access list can provide. A firewall can be a network appliance, a piece of software on a stand-alone server, or a router equipped with multiple network adapters or interfaces. A firewall provides this granular control by using its own protocol stack and, depending on the firewall, checks each level of the stack for erroneous information.

A network appliance firewall is a bundled, ready-to-run, single-purpose computer that provides an operating system and firewall application. The device is tuned for service as a firewall and is managed from a secure workstation "inside" the firewall. A network appliance firewall may be helpful to enterprises as a self-contained solution.

Other firewall manufacturers provide software that installs onto an existing PC or UNIX workstation with multiple network adapters dedicated to this task. In both cases, some providers offer add-on software and hardware modules for remote authentication and encryption/decryption accelerators for improved performance. These configurations may be helpful to enterprises that require scalability, more interfaces, or other features.

A firewall works by examining each packet that passes between the two adapters and comparing access rules at several different levels before allowing that packet to pass (Fig. 2). Once a packet has been validated by all of the requirements to pass through, the firewall applies network address translation (NAT). NAT hides the internal network IP addresses by substituting the outside address of the firewall for the actual source address, so the original addresses of senders inside the firewall are not visible outside. NAT is a convenience for hiding addresses, not an access control in itself: the rule set decides what is allowed, and a permissive rule set behind NAT is still permissive.

Firewalls allow filtering on MAC and IP addresses, port numbers, or even certain commands and services. Each firewall offers a different level of security depending on the vendor, features, and costs. Selecting and implementing a firewall into any infrastructure requires research, planning and feature/cost comparison.

Every vendor offers a different set of features, such as authentication support, logging, additional memory, and performance classes. The more security checks performed, for example, the slower transactions will take place. Some firewall management suites also allow rules to be downloaded and applied to other network devices such as routers that may be internal or external.

Authentication technologies

Password management for devices can also be an issue. Server platforms are available to centrally administer passwords. These services include remote authentication dial-in user service (RADIUS) and terminal access controller access-control system (TACACS and TACACS+). These services allow the secure centralized maintenance of logins and passwords. Access to a device, network, or resource such as a server can be centrally administered on such a server. When users request access to a device, the device forwards the user's credentials to the server, which checks them against its database and returns permission. Each switch also needs a local fallback account for use only when the authentication server is unreachable, and that account's password must be managed as carefully as the server itself.
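An added example, not from the article: the RADIUS exchange between a switch and a server as RFC 2865 specifies it, with both sides' messages. It shows the two details a practitioner needs to know about: the User-Password attribute is hidden with an MD5-derived keystream keyed by the shared secret rather than encrypted in any modern sense, which is why the secret and the path to the server need protecting; and the server's Response Authenticator lets the switch confirm that an Access-Accept really came from a holder of the shared secret. The shared secret, the user database and the fixed Request Authenticator are constructed (a real switch uses 16 random bytes).

```python
"""RADIUS Access-Request / Access-Accept exchange per RFC 2865.

Added example (not from the article). Secret, users and authenticator are constructed.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks; XOR block i with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out, prev = out + chunk, chunk
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the server applies it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes) -> list:
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, request_auth, attrs, secret) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret) over the response."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


# --- switch (network access server) side ---
def client_access_request(user, password, secret, ident, request_auth) -> bytes:
    attrs = [(ATTR_USER_NAME, user),
             (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def client_verify(response, ident, request_auth, secret):
    """Return the response code if its authenticator checks out, else None."""
    code, resp_ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, resp_ident, request_auth,
                                      decode_attrs(response[20:length]), secret)
    if resp_ident != ident or not hmac.compare_digest(response[4:20], expected):
        return None
    return code


# --- server side ---
def server_handle(packet, secret, user_db) -> bytes:
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    supplied = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    code = ACCESS_ACCEPT if user_db.get(attrs[ATTR_USER_NAME]) == supplied else ACCESS_REJECT
    return build_packet(code, ident, response_authenticator(code, ident, request_auth, [], secret), [])


def demo():
    """Good login, bad password, and a server that does not know the real secret."""
    secret, user_db = b"s3cret-shared", {b"plcadmin": b"correct horse"}
    request_auth = bytes(range(16))   # constructed; a real client uses 16 random bytes
    good = client_access_request(b"plcadmin", b"correct horse", secret, 7, request_auth)
    bad = client_access_request(b"plcadmin", b"wrong", secret, 8, request_auth)
    return (client_verify(server_handle(good, secret, user_db), 7, request_auth, secret),
            client_verify(server_handle(bad, secret, user_db), 8, request_auth, secret),
            client_verify(server_handle(good, b"guessed", user_db), 7, request_auth, secret))


if __name__ == "__main__":
    print(demo())   # (ACCESS_ACCEPT, ACCESS_REJECT, None)
```

The third case is the one that matters for plant networks: a rogue server on the management VLAN that does not hold the shared secret cannot forge an Access-Accept, but only if the switch actually checks the Response Authenticator, and only as long as the secret is long and not shared across unrelated sites.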

Authentication is the process by which a network user establishes an identity. Verifying the identity of a user requires at least one of three authentication factors: something the user knows (a password), something the user has (a smart card or hardware or software token), and something the user is (biometrics). Each of these approaches has different advantages and drawbacks, and combining two of them is considerably stronger than any one alone.

Passwords can be forgotten or shared, compromising the original goal of security. In addition, passwords can be stolen by monitoring keyboard keystrokes or network traffic, by tricking individuals into revealing their password, or with brute force methods such as dictionary attack utilities.

Smart cards or tokens work in conjunction with hardware or software on the host, so each generated response is unique for every login. While providing strong security measures, smart cards and tokens can be lost or stolen or forgotten, and must be issued and tracked, so they are more expensive than passwords to implement and manage.
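An added example, not from the article, of the "unique response for every login" mechanism a token provides: an event-based one-time password (HOTP, RFC 4226), in which the token and the server share a secret and a counter. Each press yields a fresh code, the server accepts a code only once and resynchronizes within a small look-ahead window if the user pressed the button without logging in, so a code captured from the keyboard or the wire is useless afterward. The secret is the RFC 4226 test-vector seed; the look-ahead window and the login sequence are constructed.

```python
"""HOTP one-time-password token and server (RFC 4226).

Added example (not from the article). Secret is the RFC 4226 test seed;
the server's look-ahead window and the login sequence are constructed.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte counter, dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenServer:
    """Server side: accepts each counter value at most once, within a look-ahead window."""

    def __init__(self, secret: bytes, look_ahead: int = 3):
        self.secret, self.counter, self.look_ahead = secret, 0, look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1   # resync; this and every earlier code is now burned
                return True
        return False


def demo() -> list:
    """Login, replay of the same code, a skipped press, then an older code."""
    seed = b"12345678901234567890"          # RFC 4226 test-vector secret
    server = TokenServer(seed)
    token_counter = 0
    first = hotp(seed, token_counter)       # token press 1 -> "755224"
    token_counter += 1
    skipped = hotp(seed, token_counter)     # token press 2, never typed in
    token_counter += 1
    third = hotp(seed, token_counter)       # token press 3
    return [
        server.verify(first),     # True: fresh code
        server.verify(first),     # False: replay of a used code
        server.verify(third),     # True: found within the look-ahead window
        server.verify(skipped),   # False: the server has moved past it
    ]


if __name__ == "__main__":
    print(demo())
```

The replay check is the whole point: a password can be reused by whoever observed it, but a one-time code observed on the wire has already been burned by the login it was observed in.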

The strongest single approach is biometric authentication, such as fingerprint, retinal or iris scans, voice, or facial recognition. Although it achieves a higher level of security, users also face more inconvenience as a consequence, and a compromised biometric template cannot be reissued the way a password or token can.

Secure remote access

As more employees find themselves on assignment outside the office, the need for remote access continues to increase. Remote access servers (RAS) and virtual private network (VPN) are two technologies that offer remote access service.

With RAS, a remote access client uses the telecommunications infrastructure to create a temporary physical circuit with a port on a remote access server. With VPN, a VPN client uses the internet to create a virtual point-to-point connection with a remote VPN server.

Although RAS has proven popular, many businesses are looking at low-cost VPN to perform the same functions and reduce telecommunications costs. A VPN can be defined as a means for using the public network infrastructure, such as the internet, to provide private, secure access to applications and corporate network resources for remote employees, business partners, and customers. With a VPN deployed across the internet, virtual private connections can be established from almost anywhere in the world, providing secure access to a central network without having to dial directly into the corporate network.

VPNs reduce telecommunications costs since the remote user need only connect to a local internet access point rather than dial long distance. A VPN uses a secure tunneled connection, allowing only authenticated users access to the corporate intranet (Fig. 3). With tunneling, each message packet is encapsulated or "wrapped" within an IP packet for transmission across the public network via an encrypted "tunnel." The encapsulated packet is presented to the security server or firewall at the other end; upon authentication, it is decrypted and unwrapped for forwarding to the destination host.

There are a number of widely used VPN protocols, including L2TP, IPSec, and SOCKS5. These protocols are the building blocks used to create VPN links. Some of the protocols overlap in functionality and offer similar but complementary capabilities; L2TP, for example, provides the tunnel but no encryption of its own, which is why it is normally run over IPSec.

Virtual private networking solutions may combine many different technologies, such as encryption, user and data authentication, and access control techniques, working together to deliver a VPN that protects data privacy and ensures appropriate access control. The technologies that comprise the security component of a VPN are authentication, data encryption, user access control, and event logging.

The most important differences between VPN and RAS are the client/server software and the communications access. VPN is a much less costly approach in terms of telecommunications, equipment, and personnel costs. Administration can easily be handled by midlevel IT personnel. It is also a more secure approach since user and data authentication and encryption capabilities are inherent in the software.

More Info: The author is available to answer questions about this article. He can be reached at 978-975-9122. Article edited by Jack Smith, Senior Editor, 630-288-8783.