No single product, technology or methodology can fully secure Industrial Automation and Control System (IACS) applications. Protecting IACS assets requires a defense-in-depth security approach, which addresses internal and external security threats. This approach utilises multiple layers of defense (physical, procedural and electronic) at separate IACS levels by applying policies and procedures that address different types of threats.
To achieve a defense-in-depth approach, an operational process is required to establish and maintain the security capability. Such a security operational process includes identifying IACS asset device types and their locations within the plant-wide/site-wide network infrastructure; identifying potential internal and external vulnerabilities and threats to those assets and assessing the associated risks; and understanding the application and its functional requirements, together with the risk trade-offs involved in balancing those requirements against the need to protect the availability, integrity and confidentiality of its data.
Designing and implementing a comprehensive IACS network security framework should serve as a natural extension of the IACS process. The industrial network security framework should be pervasive and core to the IACS process; network security should not be implemented as a bolt-on component. A balanced security framework must address both technical (technology) and non-technical (policies and procedures) elements. Defense-in-depth layers for securing IACS assets include, but are not limited to: policies, procedures and awareness; physical security; network security; computer hardening; application security; and device hardening.
Industrial network security framework
Converged Plantwide Ethernet (CPwE) reference architectures use industry standards to establish an industrial network security framework. This framework establishes a foundation for network segmentation for both traffic management and policy enforcement. It utilises a defense-in-depth approach and is aligned to industrial security standards such as ISA/IEC 62443 (formerly ISA-99), Industrial Automation and Control Systems (IACS) Security, and NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security. The key tenets of the industrial network security framework utilising defense-in-depth include an industrial security policy, an Industrial Demilitarised Zone (IDMZ), controller hardening, Layer 2 access switch hardening, firewalls, network infrastructure access protection, domains of trust and a secure remote access policy.
Three aspects of the CPwE Industrial Network Security Framework are expanded upon below: Layer 2 access switch hardening, Unified Threat Management (UTM) and controller hardening with encrypted communications.
Layer 2 Access Switch Hardening
Layer 2 access switches, such as the Stratix 5700 and Stratix 8000, can be hardened to restrict access by several techniques, both physical and electronic.
Physical measures:
a. Restrict access to the control panel or zone enclosure to authorised personnel only
b. Utilise Panduit block-outs on open (unused) access ports and lock-ins on the copper and fibre media, so that cables cannot be removed or rogue devices plugged in without the matching tool
Electronic measures:
a. Layer 2 Media Access Control (MAC) address security (port security) on access ports, limiting which and how many MAC addresses a port will accept
b. Layer 3 Access Control Lists (ACLs) to filter traffic between subnets and VLANs
c. Virtual Local Area Networks (VLANs) to segment the Cell/Area Zone into smaller domains of trust
d. Disabling access ports from the Programmable Automation Controller (PAC) or operator interface, using CIP communications (the application-layer protocol of EtherNet/IP)
e. Traffic threshold settings, monitored via CIP communication, to detect potential denial of service (DoS) conditions such as broadcast storms
f. Running the cryptographic version of the switch Operating System (OS), which enables encrypted management protocols such as SSH and HTTPS in place of Telnet and HTTP
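The electronic measures above are all visible in the switch's running configuration, so they can be audited rather than assumed. The following is an added example, not Rockwell or Cisco tooling: a small audit of a constructed IOS-style running-config (the Stratix 5700/8000 run Cisco IOS, but the sample config, interface names and VLAN numbers here are hypothetical) that flags enabled access ports without MAC port security or storm-control thresholds, ports left on the default VLAN 1 rather than in a segmented domain of trust, and management lines that still accept cleartext Telnet, which the cryptographic OS image lets you replace with SSH.

```python
"""Audit an IOS-style access-switch running-config for the Cell/Area Zone
hardening items: MAC port security on access ports, storm-control (DoS)
thresholds, VLAN segmentation away from the default VLAN, unused ports shut
down, and SSH-only management (which needs the cryptographic IOS image).
Example code, not Rockwell/Cisco tooling."""
from typing import Dict, List

# Constructed sample running-config (hypothetical; not captured from a switch).
SAMPLE_CONFIG = """\
hostname STRATIX-CAZ-01
!
interface GigabitEthernet1/1
 description uplink to Cell/Area Zone distribution switch
 switchport mode trunk
!
interface FastEthernet1/1
 description PAC
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 storm-control broadcast level 1.00
 storm-control multicast level 5.00
!
interface FastEthernet1/2
 description HMI
 switchport access vlan 20
 switchport mode access
 storm-control broadcast level 1.00
!
interface FastEthernet1/3
 switchport mode access
!
interface FastEthernet1/4
 switchport mode access
 shutdown
!
line vty 0 4
 transport input telnet ssh
!
"""


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Group an IOS config into {section header: [indented sub-lines]}.
    Top-level lines with no sub-lines (e.g. 'hostname X') map to []."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def audit_access_port(lines: List[str]) -> List[str]:
    """Return hardening gaps for one enabled access port."""
    issues = []
    if "switchport port-security" not in lines:
        issues.append("no MAC port-security")
    if not any(l.startswith("storm-control broadcast") for l in lines):
        issues.append("no broadcast storm-control threshold")
    vlan = "1"  # IOS default access VLAN when none is configured
    for l in lines:
        if l.startswith("switchport access vlan "):
            vlan = l.split()[-1]
    if vlan == "1":
        issues.append("on default VLAN 1, not in a segmented domain of trust")
    return issues


def audit_switch(config: str) -> Dict[str, List[str]]:
    """Map each non-compliant interface (or 'management') to its issues."""
    findings: Dict[str, List[str]] = {}
    for header, lines in parse_sections(config).items():
        if header.startswith("interface "):
            if "switchport mode access" not in lines or "shutdown" in lines:
                continue  # trunks and administratively-down spare ports are skipped
            issues = audit_access_port(lines)
            if issues:
                findings[header.split(None, 1)[1]] = issues
        elif header.startswith("line vty"):
            transports = [l for l in lines if l.startswith("transport input")]
            if not transports or any("telnet" in t or "all" in t for t in transports):
                findings.setdefault("management", []).append(
                    f"{header}: cleartext telnet permitted; use 'transport input ssh' "
                    "(requires the cryptographic IOS image)")
    return findings


if __name__ == "__main__":
    for target, issues in audit_switch(SAMPLE_CONFIG).items():
        for issue in issues:
            print(f"{target}: {issue}")
```

Run against the sample, the audit passes the PAC port, flags the HMI port for missing port security, flags the unconfigured FastEthernet1/3 on all three counts, skips the shut-down spare port, and reports the vty line that still accepts Telnet. A shut-down port is treated as compliant here because it is the electronic counterpart of the physical block-out; a port that is up but unused is the case the audit is meant to catch.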
Unified threat management
Modern firewalls provide a range of security services. Unified Threat Management (UTM) devices combine several of these functions into a single appliance to protect an IACS network at a perimeter. The Stratix 5900 UTM security appliance is a ruggedised UTM with features such as firewall, secure routing, Virtual Private Network (VPN), intrusion prevention, Network Address Translation (NAT) and content filtering. Three use cases are specifically addressed for UTM within the CPwE Industrial Network Security Framework:
1. Site-to-Site Connection: Tunnels the industrial zone trusted network to a remote site over an untrusted network using a site-to-site VPN connection
2. Cell/Area Zone Firewall: Protects a Cell/Area Zone from the greater Industrial Zone by filtering traffic at the zone boundary
3. OEM Integration: Provides seamless integration from a machine builder or process skid builder solution into their customer’s plant-wide/site-wide network infrastructure
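The Cell/Area Zone Firewall use case is, in practice, a short default-deny allow-list at the zone boundary. The following is an added example, not Stratix 5900 configuration or Rockwell/Cisco code: a first-match policy model that admits only the EtherNet/IP explicit messaging (TCP 44818) the Level 3 data server needs and outbound NTP, denies everything else including implicit I/O (UDP 2222, which should never cross the zone boundary), and contrasts that with a weak "trust the whole Industrial Zone" rule. TCP 44818 and UDP 2222 are the standard EtherNet/IP ports; all addresses and host roles are hypothetical.

```python
"""Model the Cell/Area Zone firewall use case: a default-deny, first-match
policy at the zone boundary. Example code, not Stratix 5900 configuration.
Addresses and hosts are hypothetical; TCP 44818 / UDP 2222 are the standard
EtherNet/IP explicit and implicit (I/O) ports."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ENIP_EXPLICIT_TCP = 44818  # CIP explicit messaging (HMI/data servers, programming)
ENIP_IMPLICIT_UDP = 2222   # CIP implicit I/O; stays inside the Cell/Area Zone


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    src: str                     # CIDR
    dst: str                     # CIDR
    dport: Optional[int] = None  # None = any destination port
    note: str = ""

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        return ((self.proto == "any" or self.proto == proto)
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


# Hypothetical addressing: Level 3 site operations in 10.20.30.0/24,
# Cell/Area Zone controllers in 10.17.20.0/24.
INDUSTRIAL_ZONE_L3 = "10.20.30.0/24"
CELL_AREA_ZONE = "10.17.20.0/24"
FT_SERVER = "10.20.30.10/32"
NTP_SERVER = "10.20.30.5/32"

CELL_ZONE_POLICY: List[Rule] = [
    Rule("permit", "tcp", FT_SERVER, CELL_AREA_ZONE, ENIP_EXPLICIT_TCP,
         "FactoryTalk data server reads/writes controller tags"),
    Rule("permit", "udp", CELL_AREA_ZONE, NTP_SERVER, 123,
         "controllers sync time to the site NTP server"),
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0", None,
         "default deny: implicit I/O (UDP 2222) never crosses the zone boundary"),
]

# A weak policy seen in practice: trust every host in the Industrial Zone.
WEAK_POLICY: List[Rule] = [
    Rule("permit", "any", INDUSTRIAL_ZONE_L3, CELL_AREA_ZONE, None, "trust Level 3"),
]

IMPLICIT_DENY = Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0", None, "implicit deny")


def evaluate(policy: List[Rule], proto: str, src: str, dst: str,
             dport: int) -> Tuple[str, Rule]:
    """First matching rule wins, as on an ACL-style firewall."""
    for rule in policy:
        if rule.matches(proto, src, dst, dport):
            return rule.action, rule
    return IMPLICIT_DENY.action, IMPLICIT_DENY


def overly_broad(policy: List[Rule]) -> List[Rule]:
    """Permit rules with no protocol or port constraint are red flags."""
    return [r for r in policy
            if r.action == "permit" and (r.proto == "any" or r.dport is None)]


if __name__ == "__main__":
    # Constructed sample flows crossing the Cell/Area Zone boundary.
    flows = [
        ("tcp", "10.20.30.10", "10.17.20.11", ENIP_EXPLICIT_TCP),  # FT server -> PAC
        ("tcp", "10.20.30.50", "10.17.20.11", ENIP_EXPLICIT_TCP),  # random L3 host -> PAC
        ("udp", "10.20.30.10", "10.17.20.11", ENIP_IMPLICIT_UDP),  # I/O from outside
        ("udp", "10.17.20.11", "10.20.30.5", 123),                 # PAC -> NTP
    ]
    for flow in flows:
        action, rule = evaluate(CELL_ZONE_POLICY, *flow)
        print(f"{flow}: {action} ({rule.note})")
    print("weak policy broad rules:", len(overly_broad(WEAK_POLICY)))
```

The engineering workstation at 10.20.30.50 is denied even on the EtherNet/IP port: under the framework, ad hoc configuration access goes through the secure remote access policy and the controller's own hardening rather than a standing hole in the zone firewall. `overly_broad` is the check to run on any rule set before it is deployed; the weak policy fails it, the allow-list does not.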
Stratix 5900 site-to-site connection capabilities
A traditional Virtual Private Network (VPN) is a secured connection between two devices over an 'untrusted' (unsecured) network. The choice of VPN technology varies between implementations and vendors; generally, the data to be transmitted over the untrusted network is encapsulated and then cryptographically protected, encrypted to prevent eavesdropping and authenticated to protect its integrity against tampering. Encapsulation on its own, without encryption and authentication, provides neither protection. Site-to-site VPN can help create a connection between remote IACS applications and the central site (Industrial Zone) over an untrusted network (private, semi-private or public). Site-to-site VPNs use well-established technologies that are widely deployed in enterprise networks and IT domains.
Since EtherNet/IP is built on standard IP, the site-to-site network can use any Layer 2 technology that carries IP. The Stratix 5900 has both Ethernet and Smart Serial Wide Area Network (WAN) ports, which allow connectivity to a variety of WAN network technologies. Site-to-site VPN is a permanent, 'always on' technology, which allows continual monitoring of the remote IACS application. Because the networking technology is standard, the IACS VPN connection can also be leveraged for other critical applications.
Stratix 5900 Site-to-Site Connection design considerations: an untrusted network (private, semi-private or public) must reach every distributed remote site (providing that network is not part of the design itself); firewalls terminate the VPN tunnels and filter traffic on both sides of the connection; and the connection is permanent, not an ad hoc, temporary, dial-on-demand solution.
Controller hardening – Encrypted communications
Within the Converged Plantwide Ethernet (CPwE) Industrial Network Security Framework, securing controller communications over a 'trusted' network is about applying additional access control (authentication of the communicating peers) and protecting the integrity and confidentiality of the data (authenticated encryption). An example would be protecting the integrity and confidentiality of a batch profile or recipe that is being communicated from Level 3 site operations to a controller in the Cell/Area Zone. The ControlLogix (PAC) 1756-EN2TSC secure communication module utilises either IP security (IPsec) or Layer 2 Tunneling Protocol (L2TP) to provide authentication and data encryption over a trusted CPwE network. Note that L2TP by itself only tunnels traffic and does not encrypt it; the Windows VPN client used with this module pairs it with IPsec (L2TP/IPsec), and that is where the authentication and encryption come from.
Three use cases (the second with two variants, giving four configurations) are specifically addressed to harden controller communications within the trusted CPwE Industrial Network Security Framework:
1. ControlLogix to ControlLogix: Permanent connection for peer-to-peer ControlLogix communications, an IPsec-encrypted tunnel between the two 1756-EN2TSC modules
2. ControlLogix to FactoryTalk Application: Permanent connection between ControlLogix and FactoryTalk application/data server
a. Smaller applications, IPsec-encrypted tunnel from 1756-EN2TSC module to Windows Server 2008
b. Larger applications, IPsec-encrypted tunnel from the 1756-EN2TSC module to a Cisco ASA firewall, and then a second IPsec-encrypted tunnel from the ASA firewall to Windows Server 2008. This approach provides scalability through centralised management of security policies within the Cisco ASA firewall, simplifying deployment and manageability on larger IACS applications. Because the two tunnels terminate separately on the ASA, the data is decrypted and re-encrypted there, so the ASA must itself sit within the trusted network and be hardened accordingly.
3. Workstation to ControlLogix: Ad hoc temporary connection for ControlLogix configuration and management, an L2TP/IPsec tunnel from the built-in Windows 7 VPN client to the 1756-EN2TSC module
Data encryption design considerations
Design considerations for data encryption with the 1756-EN2TSC:
a. It can be used in conjunction with other controller and device hardening features for additional granularity in access rules.
b. It is dedicated to secure communications; separate communication bridge module(s) provide connectivity to networked IACS devices (e.g. I/O, drives, instrumentation).
c. It does not currently support communication through NAT devices.
d. Transient, ad hoc devices such as engineering workstations connect to the controller using the standard Microsoft Windows 7 VPN client; permanent peers such as other controllers and Windows Server 2008 connect using their embedded standard (IPsec) VPN clients.
e. The module is intended for use within the trusted CPwE industrial network security framework. It is not intended for use on an untrusted (private, semi-private or public) network.
Securing an IACS network infrastructure
No single product, technology or methodology can fully secure Industrial Automation and Control System (IACS) applications. Securing an IACS network infrastructure requires a defense-in-depth industrial network security framework to address both internal and external security threats. A balanced industrial network security framework must address both technical (electronic technology) and non-technical (e.g. physical, policy, procedural) elements. This industrial network security framework should be based on a well-defined set of security policies and procedures, leveraging established IT processes, while balancing the functional requirements of the IACS application itself.