Seven steps to secure your industrial control network

Implementing an industrial firewall can strengthen plant reliability and the safety of control networks.


A traditional water-pumping station network becomes vulnerable when connected directly to the Internet. Images: Courtesy Moxa

The right industrial firewall can strengthen the safety and reliability of control systems. Industrial control networks help facilitate efficient and safe operations in vital sectors, such as utilities, oil and gas, water, transportation, and manufacturing. A resilient control network depends on being able to detect and filter unwanted traffic effectively.

Traditionally, some industrial control networks have been physically isolated, or air-gapped, to ensure network security. Today that may no longer be the best practice, because control systems are increasingly interconnected to exchange data and to enable smarter automation.

One major concern with converged networks is the emergence of a new class of threats that targets industrial automation systems. Legacy networks are particularly vulnerable to malicious network attacks or unintended operations because they do not follow current security best practices. Once compromised, these legacy networks can become back doors that allow attackers and unauthorized personnel to reach the plant network from enterprise networks or other industrial networks.

To address network security for industrial control systems, a clear understanding of the security challenges and of effective defense measures is required. A "defense-in-depth" approach can be applied to industrial control systems to protect critical equipment and to extend security coverage across automation networks at various levels: device cells, function zones and factory sites.

Seven steps to security

Choosing the right industrial network security equipment can be the key to success. There are seven things to keep in mind when embarking on this kind of project:

1. No network change required

Deploying a new firewall into industrial control networks can be a complicated process due to various issues, such as IP address reconfiguration, network topology changes and compatibility with existing networks. The first consideration is to determine the right firewall type for your network.

Generally, a firewall offers two filtering modes, routed and transparent (or bridged), to suit different network topologies:

  • A routed firewall acts as an L3 node and protects networks connected to its two logical interfaces. A routed firewall participates in the IP process and can perform tasks such as network address translation (NAT) and port forwarding. Although a routed firewall provides the most capability and flexibility, substantial network configuration may be required.
  • A transparent firewall is suitable for protecting critical devices or equipment inside a control network where network traffic is exchanged within a single subnet. A transparent firewall does not participate in the routing process and can be installed in the network without having to reconfigure IP subnets.

2. Filtering performance and latency

In most industrial control applications, response time is a critical factor. When firewalls are deployed in a control network, the data-filtering they perform adds latency. Many vendors claim maximum performance for their firewalls based on a benchmark that filters traffic with a single firewall rule.

In the real world, hundreds of firewall rules may be active to filter traffic in a control network, which casts doubt on the claimed performance. An industrial firewall should minimize interruption of control data and allow as much throughput as possible between controllers and input/output (I/O) devices. Additionally, the data-filtering performance must be consistent across the various types and sizes of control traffic packets. In general automation applications, a response time in milliseconds is required to support real-time applications, such as process control, distributed control systems (DCS) and data acquisition.

3. Industrial protocol filtering

Most industrial protocols use transmission control protocol/Internet protocol (TCP/IP) or user datagram protocol (UDP) as the communication base for data transmission. General firewalls can filter data at the IP or media access control (MAC) layer to prevent unauthorized access to critical equipment. Traditionally, firewalls deny all inbound traffic and allow only one-way or round-trip traffic that matches a firewall whitelist (a list of hosts explicitly permitted to communicate). However, a whitelist only blocks unauthorized hosts; every authorized host is granted full access at the IP or MAC layer.

As network complexity increases, whitelist-based traffic control alone is inadequate to provide effective network security for industrial applications. While whitelisting protects against unauthorized access to industrial devices, it is not effective for controlling the data commands those devices receive. Well-designed firewalls that can allow or deny traffic based on the industrial protocol are needed to check control data commands at the application layer.

4. Industrial-grade design for harsh environments

For industrial applications, firewalls are often located in cabinets under harsh conditions, such as high temperatures and vibration. In this case, the firewall's rugged design is as important as its performance. A firewall for industrial applications should comply with the relevant industry standards, whose requirements vary by industry, such as oil and gas, transportation, railway or factory automation.

5. Firewall event logging and notification

Regardless of the type of industrial firewalls being implemented, event logging is critical to ensure that the firewall rules are implemented and functioning properly.

In addition, logs allow administrators to monitor what is happening in the control network. Equally important, a good log-retention plan allows the review of any security events or issues days, weeks and even months after they occur. Administrators can also review these logs to evaluate the strength of current firewall policies, leading to continuous security enhancements.

According to an IT expert from a major oil company in the U.S., a firewall must be capable of sending simple network management protocol (SNMP) events with an emergency severity level that requires immediate attention. This means that an industrial firewall must provide the configuration flexibility that allows administrators to define a severity level for each firewall rule and create a log entry for each triggered event. To prevent the administrator's inbox from being flooded with notifications for every event, a firewall must offer the option to disable automatic notifications for noncritical events.
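Steps 3 and 5 together describe a firewall that checks control commands at the application layer, logs each triggered rule at a severity assigned to that rule, and notifies only for critical events. The following added Python example (not the article's or Moxa's code) sketches that decision path; it assumes Modbus/TCP as the industrial protocol, which the article does not name, and the hosts, rules and frames are constructed for illustration.

```python
import struct
from dataclasses import dataclass

# Modbus/TCP is assumed as the industrial protocol (the article names none).
# MBAP header: transaction id, protocol id (0), length, unit id; the PDU that
# follows starts with the function code, which is what application-layer
# filtering inspects.
READ_FCS = frozenset({1, 2, 3, 4})        # read coils / inputs / registers
WRITE_FCS = frozenset({5, 6, 15, 16})     # write coils / registers

@dataclass(frozen=True)
class Rule:
    src: str             # authorized host, checked at the IP layer
    fcs: frozenset       # function codes permitted at the application layer
    action: str          # "allow" or "deny"
    severity: str        # per-rule severity written to the log

# Constructed policy: the SCADA server may only read, the engineering
# workstation may also write; a SCADA write attempt is flagged as critical.
RULES = [
    Rule("10.0.1.10", READ_FCS, "allow", "info"),
    Rule("10.0.1.20", READ_FCS | WRITE_FCS, "allow", "info"),
    Rule("10.0.1.10", WRITE_FCS, "deny", "emergency"),
]
DEFAULT = Rule("*", frozenset(), "deny", "emergency")  # implicit deny-all
NOTIFY_LEVELS = {"emergency"}  # noncritical events are logged, not notified

def function_code(payload: bytes):
    """Return the Modbus function code of an MBAP-framed payload, else None."""
    if len(payload) < 8:
        return None
    _tid, proto, length, _uid = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None          # not a well-formed Modbus/TCP frame
    return payload[7]

def filter_packet(src: str, payload: bytes):
    """First-match rule lookup; returns (action, log_line, notify)."""
    fc = function_code(payload)
    rule = DEFAULT if fc is None else next(
        (r for r in RULES if r.src == src and fc in r.fcs), DEFAULT)
    log_line = f"{rule.severity} action={rule.action} src={src} fc={fc}"
    return rule.action, log_line, rule.severity in NOTIFY_LEVELS

# Constructed frames: read holding registers (fc 3), write single register (fc 6)
READ_REQ = struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 0, 10)
WRITE_REQ = struct.pack(">HHHBBHH", 2, 0, 6, 1, 6, 0, 1)
```

Every decision produces a log line, but only rules carrying the emergency severity raise a notification, which is the per-rule control the article calls for.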

6. Easy mass deployment of firewall rules

In industrial applications, hundreds or even thousands of firewalls may be installed to control data traffic and protect field equipment from malicious attacks. The most widely used method, a firewall whitelist, only allows specific traffic on a network.

This raises the question of how easy it is to change the firewall rules for the many firewalls in the field once a new service is introduced into a control network. There are two ways to mass deploy firewall rules: batch command (through the command-line interface) and centralized firewall management software. Both are easy to use and are effective mass-deployment methods. The use of one or the other depends on the preference of the network administrator. An industrial firewall solution should include both options.

7. Intuitive configuration interface

Configuring and deploying firewalls in an industrial control network requires trained administrators who are capable of designing effective firewall rules. It is important for firewall vendors to provide intuitive and easy-to-use configuration interfaces to automate the configuration process. An industrial firewall should include a command-line interface, a graphical user interface and a firewall-setup wizard to allow administrators to get firewalls up and running in the field.

Today, many standards and regulations define network security guidelines for industrial control systems, such as ISA/IEC 62443 for industrial automation applications. In addition, the National Institute of Standards and Technology (NIST) has published SP 800-82 to guide network professionals who oversee industrial control systems and are tasked with firewall deployment to protect critical industrial devices and equipment.

Implementing effective and reliable industrial firewalls to secure control networks will ensure maximum system uptime.

- Li Peng is a Moxa product manager.
