As a reader of this blog you know that cybersecurity has been increasing in importance in industrial facilities since the discovery of Stuxnet in 2010. Now along comes the IIoT with its increased numbers of connected devices and links to the Internet and business systems.
More IIoT-related entry points to industrial communications infrastructure means more cyber risk, not only from intentional attacks but also from unintentional sources such as device failure, operator error and malware. In manufacturing and process control environments this means higher risk to physical devices and processes and the possibility of physical, not just digital, damage.
What does this imply for ICS security going forward? In today’s article we look at 3 trends that Belden sees: more advanced security-focused products, security as an attribute of all Ethernet devices and further adoption of the Defense in Depth best practice. Read on to find out more about these trends.
ICS security will improve in the future with the availability of advanced security-focused products and Ethernet networking devices with built-in security.
ICS Security Trend 1 – Advanced Industrial Security-Focused Products
One trend is that increased cybersecurity risk is leading vendors like Belden to develop advanced technologies that deal with the particular challenges of control system security. One aspect of these challenges is the widespread use of ICS communication protocols that were not designed with security in mind. Securing them without impacting their control functionality requires advanced technology.
An example is the Deep Packet Inspection capability provided by our Tofino Security product line. On the one hand, Intrusion Detection Systems (IDS) monitor only for broad categories of basic attacks. On the other hand, most firewalls use Access Control Lists or stateful firewalls to either allow or block all messages of an industrial protocol like Modbus TCP.
Deep Packet Inspection (DPI), however, digs deeper to understand what the protocol is being used for and provide protection, not just detection. DPI does this, for instance, by determining if a Modbus message is read or write and dropping all write messages, or only allowing writes of particular registers. This allows the protection to be exactly tailored to the application, allowing essential control messages to communicate as required while blocking potentially dangerous or inappropriate messages.
One of the most widely used manufacturing automation protocols in EtherNet/IP. The Tofino EtherNet/IP Enforcer provides fine-grained protection of all protocol actions, thus providing application-level security to field assets. Other Tofino Enforcers provide DPI for the OPC Classic and Modbus TCP protocols, with Enforcers for more protocols in development.
When you think about it, Ethernet networking devices such as industrial routers, switches and firewalls are at every connection point of the ICS network. This makes them ideal security sentinels to identify and control traffic entering and leaving at all points of the communications infrastructure.
Furthermore, studies show that most industrial cyber incidents are unintentional, occurring due to human error, a software or device flaw, or an inadvertent introduction of malware infection. This means that ICS security needs to protect from “friends and neighbors” as well as “enemies.”
For these reasons, Belden is making a focused effort to evolve all of its Ethernet devices to play an active role in their own security. Our product portfolio includes:
- The market leading layer 2 Tofino Firewalls with Stateful Packet Inspection (SPI) enhanced by Layer 2-7 industrial protocol Deep Packet Inspection (DPI)
- A wide range of dual and multi-port Layer 2 and Layer 3 SPI Hirschmann firewalls
- A wide range of industrially hardened Hirschmann and GarrettCom routers, switches and wireless LAN equipment. The operating software for these devices is incorporating more and more built-in and easy-to-use security features. Examples include Firewall Learning Mode, LDAP integration and Wireless Intrusion Detection System (WIDS).
- Network management software for correct configuration of multiple devices, notification of configuration changes plus visual monitoring of device security
- Upcoming integration with Tripwire products for continuous network monitoring
Most industrial cybersecurity incidents are unintentional, meaning the practice of Defense in Depth is important for all manufacturers and process control operators.
ICS Security Trend 3 – Further Adoption of Defense in Depth Best Practices
We have been a long-time proponent of Defense in Depth, as per ISA IEC 62443 (formerly ISA 99), and our product portfolio is designed to support it. We offer:
- Perimeter firewalls that protect network boundaries
- Zone/end-point firewalls that protect subsystems and field devices
- Routing, switching and wireless LAN infrastructure products with many built-in security capabilities
The principles of Defense in Depth have been well understood and readily adopted into many perceived “high risk” applications. However, in both the installed base of control systems as well as new deployments, many industrial networks still do not follow these principles.
Perhaps this is because many industrial engineers and operators have viewed cybersecurity as being relevant only for protection from intentional attacks from hackers. You may view your systems as being of low interest and therefore at low risk of targeted attacks. But, as mentioned above, studies show that most industrial cyber incidents are unintentional. Human error and device flaws can happen to anyone; they don’t only target high profile systems.
Defense in Depth is as much about enhancing system reliability and resiliency as it is security. As this realization spreads, the adoption of Defense in Depth practices will increase.
Good cybersecurity is an ongoing process. We urge you to continuously monitor your communication systems for unusual activity or configurations changes and investigate alterations and anomalies. Get started on better cybersecurity today and make it a focus area for continuous improvement.
Where do you see ICS security going? I look forward to hearing from you.
This article was created with expertise from Jeff Lund who is responsible for Belden’s product initiatives related to the Industrial Internet of Things.
ICS Security Resources
- Tofinosecurity.com Webpage: Summing Up Stuxnet in 4 Easy Sections (Plus Handy Presentation)
- Blog: Defense in Depth Part 2: Layering Multiple Defenses
- Blog: SCADA Security and Deep Packet Inspection - Part 1
- Blog: ICS Security: Essential Firewall Concepts
Belden Products for ICS Security
- Webpage: Tofino Xenon Security Appliance
- PDF: Tofino Modbus TCP Enforcer Datasheet
- PDF: Tofino OPC Classic Enforcer Datasheet
- PDF: Tofino EtherNet/IP Enforcer Datasheet
- Webpage: Industrial Ethernet Routers
- Webpage: Security Capabilities
- Webpage: Managed Switches
- Webpage: Industrial HiVision Network Management Software